---
when:
  - event: [pull_request, tag]
  - event: [push, manual]
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  - name: build
    image: docker.io/library/python:3.12
    commands:
      - pip install poetry poetry-dynamic-versioning -qq
      - poetry build

  - name: security-build
    image: quay.io/thegeeklab/wp-docker-buildx:5
    depends_on: [build]
    settings:
      containerfile: Containerfile.multiarch
      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      repo: ${CI_REPO}

  - name: security-scan
    image: docker.io/aquasec/trivy
    depends_on: [security-build]
    commands:
      - trivy -v
      - trivy image --input oci/${CI_REPO_NAME}
    environment:
      TRIVY_EXIT_CODE: "1"
      TRIVY_IGNORE_UNFIXED: "true"
      TRIVY_NO_PROGRESS: "true"
      TRIVY_SEVERITY: HIGH,CRITICAL
      TRIVY_TIMEOUT: 1m
      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2

  - name: publish-dockerhub
    image: quay.io/thegeeklab/wp-docker-buildx:5
    depends_on: [security-scan]
    settings:
      auto_tag: true
      containerfile: Containerfile.multiarch
      password:
        from_secret: docker_password
      platforms:
        - linux/amd64
        - linux/arm64
      provenance: false
      repo: ${CI_REPO}
      username:
        from_secret: docker_username
    when:
      - event: [tag]
      - event: [push, manual]
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

  - name: publish-quay
    image: quay.io/thegeeklab/wp-docker-buildx:5
    depends_on: security-scan
    settings:
      auto_tag: true
      containerfile: Containerfile.multiarch
      password:
        from_secret: quay_password
      platforms:
        - linux/amd64
        - linux/arm64
      provenance: false
      registry: quay.io
      repo: quay.io/${CI_REPO}
      username:
        from_secret: quay_username
    when:
      - event: [tag]
      - event: [push, manual]
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

depends_on:
  - lint
  - test