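# Builds the project's Docker images with ./ci/build-images.sh and publishes
# them. Runs only when a tag matching "*.*.*" is pushed.
name: Build and publish Docker images

on:
  push:
    tags:
      - "*.*.*"

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    # Permissions of the job's default GITHUB_TOKEN.
    # NOTE(review): the build step below replaces GITHUB_TOKEN with the App
    # token, so the script appears not to receive the default token at all.
    # Confirm whether `packages: write` is still needed here.
    permissions:
      contents: read
      packages: write
    steps:
      # NOTE(review): every action in this job is referenced by a mutable
      # major-version tag. This job handles an App private key and publish
      # credentials, so pin each action to a full commit SHA instead, e.g.
      # `uses: actions/checkout@<full-commit-sha>  # v4`.
      - uses: actions/checkout@v4
        with:
          # Keep the checkout token out of the workspace's local git config.
          # Otherwise it sits inside the Docker build context and can end up
          # in an image layer if .git is copied. The build script is handed
          # its own token through the environment.
          persist-credentials: false

      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.RIOTBYTE_BOT_APP_ID }}
          private-key: ${{ secrets.RIOTBYTE_BOT_PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          # Empty repositories list = installation-wide access. Without
          # this, the token is scoped to the current repo only and 403s
          # when fetching packages from sibling repos (project-q,
          # nest-service-locator, ...).
          # NOTE(review): the token therefore covers every repository in the
          # installation, with whatever permissions the App holds. If the
          # build only reads packages, list the sibling repositories
          # explicitly and restrict the App's permissions to match.
          repositories: ""

      - uses: docker/setup-qemu-action@v3

      - uses: docker/setup-buildx-action@v3

      - name: Build and push images
        env:
          VERSION: ${{ github.ref_name }}
          # Default GITHUB_TOKEN cannot read cross-repo packages from
          # GHCR npm registry; the App token can (granted org-wide).
          # NOTE(review): the script runs with an org-wide credential. It
          # should pass the token to `docker build` as a build secret, not
          # as a build arg or ENV, so it is not stored in image history.
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        run: ./ci/build-images.sh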