name: Build base images (Generally from basin repo)

on:
  workflow_call:
    inputs:
      image_tag:
        required: true
        type: string
      fail_on_scan:
        default: true
        type: boolean

jobs:
  docker-build-and-push:

    runs-on: ubuntu-22.04 #ubuntu-latest

    steps:
    - id: get-id
      name: Get a unique tag for this build
      run: |
        echo "DOCKER_IMAGE=${{ vars.docker_repo2_registry }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";

    - name: Print image name
      run: |
        echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";

    - uses: actions/checkout@v4

    - name: Login to Docker Container Registry
      # if: ${{ github.event_name == 'push' }}
      uses: docker/login-action@v3
      with:
        registry: ${{ vars.docker_repo2_registry }}
        username: ${{ secrets.docker_repo2_username }}
        password: ${{ secrets.docker_repo2_password }}

    - name: Build and push the Docker image
      run: |
        docker build \
          --file context/Dockerfile \
          --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
          ./context;

    - name: Container details
      run: |
        IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
        echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";

    - name: Scan Docker Image for vulnerabilities with Grype
      uses: anchore/scan-action@v6
      with:
        image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        cache-db: true #Cache Grype DB in Github Actions
        output-format: table
        only-fixed: true
        severity-cutoff: critical
        fail-build: ${{ inputs.fail_on_scan }}

    - name: Push the container image
      run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}