ecr-image-build-alpine.yml
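---
# Manually dispatched workflow. Builds the onadata Alpine image once per
# platform, pushes each result to Amazon ECR, then joins the per-platform tags
# into a single multi-arch manifest.
#
# Hardening convention used throughout: workflow inputs, secrets and step
# outputs are handed to `run:` scripts through `env:` and read as quoted shell
# variables. `${{ ... }}` expressions are expanded into the script text before
# the shell starts, so inlining a free-form value there lets it be parsed as
# shell syntax rather than as data.
name: AWS ECR Build Alpine Image

# Least privilege for GITHUB_TOKEN: the jobs only read the repository.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      # Free-form string from whoever triggers the run. It is used as the git
      # ref to check out and as part of every image tag below.
      version:
        description: 'Version tag to build (e.g., v1.0.0 or branch name)'
        required: true
        type: string

jobs:
  build-alpine:
    runs-on: ubuntu-latest
    strategy:
      # Let the other platform finish even if one build fails.
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    steps:
      # Derive a tag-safe platform suffix (linux/amd64 -> linux-amd64) and
      # export it to later steps as PLATFORM_PAIR.
      - name: Prepare
        env:
          PLATFORM: ${{ matrix.platform }}
        run: |
          echo "PLATFORM_PAIR=${PLATFORM//\//-}" >> "$GITHUB_ENV"
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          ref: ${{ github.event.inputs.version }}
          # No later step runs authenticated git commands, so do not leave the
          # job token in .git/config; the whole working tree is the Docker
          # build context (`context: .`).
          persist-credentials: false
      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3
      # NOTE(review): these are long-lived static access keys. Consider OIDC
      # role assumption (`role-to-assume` plus `id-token: write`) so that no
      # standing AWS credential is stored in repository secrets. This needs an
      # IAM role and trust policy on the AWS side, so it is not changed here.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c  # v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950  # v2
      # The private key reaches the script through the environment rather than
      # being templated into the script body, so the key material is never part
      # of the generated script text and cannot be mis-parsed by the shell.
      # NOTE(review): `ssh-keyscan` accepts whatever host key the network
      # returns at build time. Prefer writing GitHub's published host keys into
      # known_hosts, or verifying the scanned fingerprints against them.
      - name: Setup SSH Agent and add Github to known hosts
        env:
          SSH_AUTH_SOCK: /tmp/ssh-agent.sock
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          ssh-agent -a "$SSH_AUTH_SOCK" >> /dev/null
          ssh-add - <<< "$SSH_PRIVATE_KEY"
          mkdir -p ~/.ssh
          ssh-keyscan github.com > ~/.ssh/known_hosts
      # Values under `with:` are passed to the action as inputs, not run
      # through a shell, so the expressions below are left inline.
      # NOTE(review): ECR_OPTIONAL_PACKAGES is a secret passed as a build arg.
      # Build args can end up in image history or build metadata depending on
      # how the Dockerfile uses them. Confirm the value is not sensitive, or
      # switch to a BuildKit secret mount.
      - name: Build and push Alpine image
        id: docker-build-alpine
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25  # v5
        with:
          context: .
          file: ./docker/onadata-uwsgi/Dockerfile.alpine
          platforms: ${{ matrix.platform }}
          cache-from: type=registry,ref=${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ github.event.inputs.version }}-alpine
          cache-to: type=inline
          ssh: |
            default=/tmp/ssh-agent.sock
          build-args: |
            optional_packages=PyYAML django-redis ${{ secrets.ECR_OPTIONAL_PACKAGES }}
          push: true
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ github.event.inputs.version }}-alpine-${{ env.PLATFORM_PAIR }}
          labels: |
            org.opencontainers.image.title=Onadata Alpine
            org.opencontainers.image.version=${{ github.event.inputs.version }}
      - name: Image digest
        env:
          DIGEST: ${{ steps.docker-build-alpine.outputs.digest }}
        run: echo "$DIGEST"

  create-manifest:
    runs-on: ubuntu-latest
    needs: build-alpine
    steps:
      # NOTE(review): same static-key caveat as in build-alpine; OIDC role
      # assumption would remove the stored credential.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c  # v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-central-1
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@c962da2960ed15f492addc26fffa274485265950  # v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3
      # The user-supplied version goes in through env and is quoted, so shell
      # metacharacters in it stay inside the image reference instead of being
      # executed. The two suffixes must match the PLATFORM_PAIR values produced
      # by the build-alpine matrix.
      - name: Create multi-arch manifest
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          VERSION: ${{ github.event.inputs.version }}
        run: |
          image="${REGISTRY}/onaio/onadata:${VERSION}-alpine"
          docker buildx imagetools create -t \
            "${image}" \
            "${image}-linux-amd64" \
            "${image}-linux-arm64"
      - name: Inspect manifest
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          VERSION: ${{ github.event.inputs.version }}
        run: |
          docker buildx imagetools inspect \
            "${REGISTRY}/onaio/onadata:${VERSION}-alpine"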