.github/workflows/build-ubi-dependency.yml

name: Build UBI ppc64le Dependency

on:
  push:
    branches:
      - main
    paths:
      - build/dependencies/Dockerfile.ubi-ppc64le
  workflow_dispatch:
    inputs:
      nginx_version:
        type: string
        description: "NGINX Version to build for"
        required: false
      force:
        type: boolean
        description: "Force rebuild"
        required: false
        default: false

env:
  IMAGE_NAME: ghcr.io/nginxinc/dependencies/nginx-ubi-ppc64le

concurrency:
  group: ${{ github.ref_name }}-ubi-ppc64le-build
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  checks:
    name: Check versions
    runs-on: ubuntu-22.04
    permissions:
      packages: read
      contents: read
    strategy:
      fail-fast: false
    outputs:
      nginx_version: ${{ steps.var.outputs.nginx_version }}
      njs_version: ${{ steps.var.outputs.njs_version }}
      target_exists: ${{ steps.var.outputs.target_image_exists }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Output Variables
        id: var
        run: |
          if [ -n "${{ inputs.nginx_version }}" ]; then
            nginx_v=${{ inputs.nginx_version }}
          else
            nginx_v=$(grep -m1 'FROM nginx:' <build/dependencies/Dockerfile.ubi-ppc64le | cut -d '@' -f1 | awk -F'[: ]' '{print $3}')
          fi
          target_image=${{ env.IMAGE_NAME }}:nginx-${nginx_v}
          if docker manifest inspect ${target_image}; then
            target_image_exists=true
          else
            target_image_exists=false
          fi
          docker pull nginx:$nginx_v || exit 1
          njs=$(docker run nginx:$nginx_v env | grep NJS_VERSION | cut -d= -f2)
          echo "> Outputs -------------------------------"
          echo "NJS_VERSION=$njs"
          echo "nginx_version=${nginx_v}"
          echo "njs_version=${njs}"
          echo "target_image_exists=${target_image_exists}"
          echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT
          echo "njs_version=${njs}" >> $GITHUB_OUTPUT
          echo "target_image_exists=${target_image_exists}" >> $GITHUB_OUTPUT

  build-binaries:
    name: Build Binary Container Image
    if: ${{ needs.checks.outputs.target_exists != 'true' || inputs.force }}
    needs: checks
    runs-on: ubuntu-22.04
    permissions:
      packages: write
      contents: read
    strategy:
      fail-fast: false
    steps:
      - name: Checkout Repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Setup QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
        with:
          platforms: arm64,ppc64le,s390x

      - name: Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            name=${{ env.IMAGE_NAME }},enable=true
          tags: |
            type=raw,value=nginx-${{ needs.checks.outputs.nginx_version }},enable=true
        env:
          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index

      - name: Build and push
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          file: ./build/dependencies/Dockerfile.ubi-ppc64le
          context: "."
          pull: true
          push: true
          # build multi-arch so that it can be mounted from any image
          # even though only ppc64le will contain binaries
          platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          annotations: ${{ steps.meta.outputs.annotations }}
          cache-from: type=gha,scope=nginx-ubi-ppc64le
          cache-to: type=gha,scope=nginx-ubi-ppc64le,mode=max
          target: final
          sbom: false
          provenance: mode=max
          build-args: |
            NGINX=${{ needs.checks.outputs.nginx_version }}
            NJS=${{ needs.checks.outputs.njs_version }}