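---
name: Build CI Container

# Workflow-wide default is read-only; the publishing job below widens this to
# packages:write for itself only, so the build/test job never holds write scope.
permissions:
  contents: read

# Rebuild whenever this workflow file or the container definition changes.
on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/build-ci-container.yml'
      - '.github/workflows/containers/github-action-ci/**'
  pull_request:
    branches:
      - main
    paths:
      - '.github/workflows/build-ci-container.yml'
      - '.github/workflows/containers/github-action-ci/**'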

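jobs:
  build-ci-container:
    # Only run inside the llvm organization's repositories.
    if: github.repository_owner == 'llvm'
    runs-on: depot-ubuntu-22.04-16
    # Handed to push-ci-container so the publish step can run in a separate
    # job with its own, narrower permission set.
    outputs:
      container-name: ${{ steps.vars.outputs.container-name }}
      container-name-tag: ${{ steps.vars.outputs.container-name-tag }}
      container-filename: ${{ steps.vars.outputs.container-filename }}
    steps:
      - name: Checkout LLVM
        # NOTE(review): mutable major tag; pinning to a full commit SHA would
        # harden the supply chain of this workflow.
        uses: actions/checkout@v4
        with:
          # Only the container definition is needed, not the whole tree.
          sparse-checkout: .github/workflows/containers/github-action-ci/
      - name: Write Variables
        id: vars
        run: |
          # Unix timestamp used as the image tag.
          tag=$(date +%s)
          container_name="ghcr.io/$GITHUB_REPOSITORY_OWNER/ci-ubuntu-22.04"
          image_ref="$container_name:$tag"
          # Artifact filename: '/' and ':' are mapped to '-' so the image
          # reference can be used as a plain file name.
          container_filename="${image_ref//\//-}"
          container_filename="${container_filename//:/-}.tar"
          {
            echo "container-name=$container_name"
            echo "container-name-tag=$image_ref"
            echo "container-filename=$container_filename"
          } >> "$GITHUB_OUTPUT"
      - name: Build container
        working-directory: ./.github/workflows/containers/github-action-ci/
        run: |
          podman build -t ${{ steps.vars.outputs.container-name-tag }} .

      # Save the container so we have it in case the push fails.  This also
      # allows us to separate the push step into a different job so we can
      # maintain minimal permissions while building the container.
      - name: Save container image
        run: |
          podman save ${{ steps.vars.outputs.container-name-tag }} > ${{ steps.vars.outputs.container-filename }}

      - name: Upload container image
        # NOTE(review): mutable major tag; consider pinning to a commit SHA.
        uses: actions/upload-artifact@v4
        with:
          name: container
          path: ${{ steps.vars.outputs.container-filename }}
          retention-days: 14

      - name: Test Container
        run: |
          # Smoke test: compile and run a C++ program inside each image.
          # NOTE(review): only the tagged name is built above; the untagged
          # name resolves to :latest, which podman may pull from the registry
          # rather than use the fresh build — confirm this is intended.
          for image in ${{ steps.vars.outputs.container-name-tag }} ${{ steps.vars.outputs.container-name }}; do
            podman run --rm -it "$image" /usr/bin/bash -x -c 'printf '\''#include <iostream>\nint main(int argc, char **argv) { std::cout << "Hello\\n"; }'\'' | clang++ -x c++ - && ./a.out | grep Hello'
          done

  push-ci-container:
    # Pull requests only build and test; publishing happens on push to main.
    if: github.event_name == 'push'
    needs:
      - build-ci-container
    # A job-level permissions block replaces the workflow default: every scope
    # not listed here is none. packages:write is what the ghcr.io push needs.
    permissions:
      packages: write
    runs-on: ubuntu-24.04
    steps:
      - name: Download container
        # NOTE(review): mutable major tag; consider pinning to a commit SHA.
        uses: actions/download-artifact@v4
        with:
          name: container

      - name: Push Container
        env:
          # Scoped to this step: no other step in the job needs the token.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # All image names come from the build job's outputs; this job has no
          # 'vars' step of its own.
          podman load -i ${{ needs.build-ci-container.outputs.container-filename }}
          podman tag ${{ needs.build-ci-container.outputs.container-name-tag }} ${{ needs.build-ci-container.outputs.container-name }}:latest
          # Feed the token on stdin rather than via -p so it never appears in
          # the login process's argv.
          echo "$GITHUB_TOKEN" | podman login -u ${{ github.actor }} --password-stdin ghcr.io
          podman push ${{ needs.build-ci-container.outputs.container-name-tag }}
          podman push ${{ needs.build-ci-container.outputs.container-name }}:latest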