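# Builds the Docker image on pushes and pull requests that target main.
# The image is scanned with Trivy; on push events only, it is then published
# to Docker Hub and a notification is sent through ntfy.
name: Docker Image CI

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]

# Least privilege for the automatically issued GITHUB_TOKEN: the job only
# reads the repository. Docker Hub and ntfy use their own secrets.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. Pinning
      # each action to a full commit SHA (keeping the tag as a trailing
      # comment) stops a retagged release from changing what runs next to the
      # Docker Hub and ntfy secrets.
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # No later step performs git operations, so the token does not need
          # to stay available to the rest of the job or to the build context.
          persist-credentials: false

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # Registry login is skipped on pull requests, where publishing does not
      # happen.
      - name: Log in to DockerHub
        if: github.event_name == 'push'
        uses: docker/login-action@v4
        with:
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # The tag is exported through GITHUB_ENV so the scan and push steps can
      # refer to the same local image. GITHUB_SHA is the runner-provided
      # equivalent of github.sha and avoids templating into the script.
      - name: Build the Docker image
        id: build-image
        run: |
          IMAGE_TAG="my-image-name:${GITHUB_SHA}"
          docker build . --file Dockerfile --tag "$IMAGE_TAG"
          echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"

      # Gate: a CRITICAL or HIGH finding makes this step exit non-zero, which
      # fails the job before the push step is reached.
      - name: Scan image for vulnerabilities
        uses: aquasecurity/trivy-action@0.30.0
        with:
          image-ref: ${{ env.IMAGE_TAG }}
          format: table
          exit-code: '1'
          severity: CRITICAL,HIGH

      # NOTE(review): only the mutable `latest` tag is published, so a pulled
      # image cannot be traced back to a commit. Consider also pushing an
      # immutable tag (for example the commit SHA).
      - name: Push the Docker image
        if: github.event_name == 'push'
        run: |
          docker tag "$IMAGE_TAG" snachodog/kiosk-guestbook:latest
          docker push snachodog/kiosk-guestbook:latest

      - name: Notify via ntfy
        if: github.event_name == 'push'
        env:
          NTFY_URL: ${{ secrets.NTFY_URL }}
          NTFY_TOKEN: ${{ secrets.NTFY_TOKEN }}
          # The commit message is author-controlled text. It is handed to the
          # shell as an environment variable rather than templated into the
          # script, so quotes or shell metacharacters in it stay plain data in
          # a step that also holds NTFY_TOKEN.
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          curl -s -o /dev/null \
            -H "Title: kiosk-guestbook image pushed to Docker Hub" \
            -H "Tags: white_check_mark" \
            -H "Authorization: Bearer $NTFY_TOKEN" \
            -d "The kiosk-guestbook container has been pushed to Docker Hub and is ready to pull. Commit: $GITHUB_SHA — $COMMIT_MESSAGE" \
            "$NTFY_URL"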