name: build

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

on:
  push:
    # needs push event on default branch otherwise cache is evicted when pull request is merged
    branches:
      - main
  pull_request:

env:
  # Use edge release of buildx (latest RC, fallback to latest stable)
  SETUP_BUILDX_VERSION: edge
  SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"

permissions:
  contents: read # to fetch code (actions/checkout)

jobs:
  releaser:
    runs-on: ubuntu-24.04
    steps:
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          version: ${{ env.SETUP_BUILDX_VERSION }}
          driver-opts: image=${{ env.SETUP_BUILDKIT_IMAGE }}
      -
        name: Build
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
        with:
          files: |
            docker-bake.hcl
          targets: releaser-build

  build:
    runs-on: ubuntu-24.04
    needs:
      - releaser
    steps:
      -
        name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      -
        name: Build
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
        with:
          source: .
          files: |
            docker-bake.hcl
          targets: release
      -
        name: Check Cloudfront config
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
        with:
          source: .
          targets: aws-cloudfront-update
        env:
          DRY_RUN: true
          AWS_REGION: us-east-1
          AWS_CLOUDFRONT_ID: 0123456789ABCD
          AWS_LAMBDA_FUNCTION: DockerDocsRedirectFunction-dummy

  validate:
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        target:
          - lint
          - vale
          - test
          - unused-media
          - test-go-redirects
          - dockerfile-lint
          - path-warnings
          - validate-vendor
    steps:
      -
        name: Checkout
        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
      -
        name: Validate
        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
        with:
          source: .
          files: |
            docker-bake.hcl
          targets: ${{ matrix.target }}
      -
        name: Install reviewdog
        if: ${{ matrix.target == 'vale' && github.event_name == 'pull_request' }}
        uses: reviewdog/action-setup@d8a7baabd7f3e8544ee4dbde3ee41d0011c3a93f # v1.5.0
      -
        name: Run reviewdog for vale
        if: ${{ matrix.target == 'vale' && github.event_name == 'pull_request' }}
        run: |
          cat ./tmp/vale.out | reviewdog -f=rdjsonl -name=vale -reporter=github-pr-annotations -fail-on-error=false -filter-mode=added -level=info -fail-level=warning
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}