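---
# Builds the Flutter SDK images (web / android / linux variants), scans the
# amd64 build with Docker Scout, pushes multi-arch images with SBOM and
# provenance attestations, and on full releases refreshes the README badges.
name: Build and Push Flutter SDK Image

# NOTE(review): publishing a pre-release may raise both `published` and
# `prereleased`, which would run this workflow twice - confirm both are needed.
on:
  release:
    types: [published, prereleased]

# Least privilege: read-only by default. Only the sync-readme job, which
# commits to the repository, is granted write access (see that job).
permissions:
  contents: read

env:
  IMAGE_NAME: flutter-sdk

# NOTE(review): every `uses:` below references a mutable tag. Pinning each
# action to a full commit SHA (uses: owner/action@<full-commit-sha>) keeps a
# retagged or compromised action from running with the registry credentials.

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - dockerfile: Dockerfile
            variant: web
            description: Minimal Flutter SDK for Web/WASM CI builds
          - dockerfile: Dockerfile.android
            variant: android
            description: Flutter SDK for Android CI builds
          - dockerfile: Dockerfile.linux
            variant: linux
            description: Flutter SDK for Linux desktop CI builds
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Determine version and tag type
        id: version
        # Event data reaches the script through env vars, never through
        # ${{ }} expansion inside the script text, so a crafted release tag
        # cannot be interpreted as shell syntax.
        env:
          IS_PRERELEASE: ${{ github.event.release.prerelease }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          VARIANT: ${{ matrix.variant }}
        # Explicit bash so that a failing curl in the pipeline aborts the step
        # (pipefail) instead of silently yielding an empty version.
        shell: bash
        run: |
          set -euo pipefail
          if [[ "$IS_PRERELEASE" == "true" ]]; then
            # Pre-release: fetch latest stable version, tag as dev
            FLUTTER_VERSION=$(curl -fsSL https://storage.googleapis.com/flutter_infra_release/releases/releases_linux.json \
              | jq -r '.current_release.stable as $hash | .releases[] | select(.hash == $hash and .channel == "stable") | .version')
            TAG="${VARIANT}-dev"
            echo "Using latest Flutter stable ${FLUTTER_VERSION} for pre-release test"
          else
            # Full release: use the release tag as the Flutter version
            FLUTTER_VERSION="$RELEASE_TAG"
            TAG="${VARIANT}-latest"
          fi
          # The version ends up in image tags, build args and step outputs.
          # Accept only characters that are valid in an image tag; this also
          # rejects empty values and embedded newlines, which would otherwise
          # let the value add extra entries to $GITHUB_OUTPUT.
          version_pattern='^[0-9A-Za-z_][0-9A-Za-z_.-]*$'
          if [[ ! "$FLUTTER_VERSION" =~ $version_pattern ]]; then
            echo "::error::Unexpected or empty Flutter version string; aborting"
            exit 1
          fi
          {
            echo "flutter_version=${FLUTTER_VERSION}"
            echo "tag=${TAG}"
          } >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # NOTE(review): no `registry:` input is given, so the login targets the
      # action's default registry - confirm that matches REGISTRY_URL.
      - name: Login to Docker Registry
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}

      # Single-platform build loaded into the local daemon so that it can be
      # scanned before anything is pushed.
      - name: Build image for Scout analysis
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64
          push: false
          load: true
          build-args: |
            FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
          tags: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}

      # NOTE(review): this downloads and executes an installer from the moving
      # `main` branch while registry credentials are present on the runner.
      # Prefer fetching it from a fixed release tag or commit and verifying a
      # checksum before running it.
      - name: Install Docker Scout
        run: |
          curl -fsSL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh -o install-scout.sh
          sh install-scout.sh

      # NOTE(review): without `--exit-code` the scan only reports findings; it
      # does not fail the job, so images with critical/high CVEs are still
      # pushed. Only the linux/amd64 build is scanned; the linux/arm64 image
      # pushed below is not.
      - name: Docker Scout CVE Scan
        env:
          IMAGE_REF: ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
        run: |
          docker scout cves "$IMAGE_REF" --only-severity critical,high

      - name: Build and push with attestations
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ${{ matrix.dockerfile }}
          platforms: linux/amd64,linux/arm64
          push: true
          sbom: true
          provenance: mode=max
          build-args: |
            FLUTTER_VERSION=${{ steps.version.outputs.flutter_version }}
          tags: |
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
            ${{ secrets.REGISTRY_URL }}/${{ env.IMAGE_NAME }}:${{ steps.version.outputs.tag }}
          labels: |
            org.opencontainers.image.title=${{ env.IMAGE_NAME }}
            org.opencontainers.image.description=${{ matrix.description }}
            org.opencontainers.image.version=${{ matrix.variant }}-${{ steps.version.outputs.flutter_version }}
            org.opencontainers.image.revision=${{ github.sha }}

  sync-readme:
    needs: build-and-push
    if: github.event.release.prerelease == false && !contains(github.event.release.tag_name, 'test')
    runs-on: ubuntu-latest
    # The only job that writes to the repository.
    permissions:
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # A release event checks out the tag as a detached HEAD, from which
          # the plain `git push` below cannot succeed. Check out the default
          # branch instead.
          # NOTE(review): assumes releases are cut from the default branch.
          ref: ${{ github.event.repository.default_branch }}

      - name: Update README badges
        # The tag is passed through env rather than expanded into the script.
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        shell: bash
        run: |
          FLUTTER="$RELEASE_TAG"
          # The tag is spliced into sed replacement text that uses `|` as the
          # delimiter; allow only characters that cannot alter the expression.
          tag_pattern='^[0-9A-Za-z_][0-9A-Za-z_.-]*$'
          if [[ -n "$FLUTTER" && ! "$FLUTTER" =~ $tag_pattern ]]; then
            echo "::error::Unexpected characters in release tag; aborting"
            exit 1
          fi
          ANDROID_SDK=$(grep -oP 'ANDROID_BUILD_TOOLS=\K[0-9.]+' Dockerfile.android || echo "")
          if [ -n "$ANDROID_SDK" ]; then
            sed -i "s|Android%20SDK-[0-9.]*-green|Android%20SDK-${ANDROID_SDK}-green|g" README.md
          fi
          if [ -n "$FLUTTER" ]; then
            sed -i "s|web--[0-9.]*-blue|web--${FLUTTER}-blue|g" README.md
            sed -i "s|android--[0-9.]*-blue|android--${FLUTTER}-blue|g" README.md
            sed -i "s|linux--[0-9.]*-blue|linux--${FLUTTER}-blue|g" README.md
            sed -i "s|/web-[0-9.]*?|/web-${FLUTTER}?|g" README.md
            sed -i "s|/android-[0-9.]*?|/android-${FLUTTER}?|g" README.md
            sed -i "s|/linux-[0-9.]*?|/linux-${FLUTTER}?|g" README.md
          fi

      - name: Commit and push
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # Nothing to commit when the badges are already up to date.
          git diff --quiet README.md && exit 0
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add README.md
          git commit -m "Update README badges to Flutter ${RELEASE_TAG}"
          git push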