name: OCI distribution
on:
  workflow_dispatch:
  schedule:
  - cron: "0 10 * * *"
permissions:
  contents: read
  packages: write
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component:
        - kratactl
        - kratad
        - kratanet
    name: OCI build ${{ matrix.component }} on ${{ matrix.platform }}
    steps:
    - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
        egress-policy: audit
    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
      with:
        submodules: recursive
    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
    - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
    - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
    - uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
      id: push-step
      with:
        file: ./images/Dockerfile.${{ matrix.component }}
        platforms: linux/amd64,linux/aarch64
        tags: ghcr.io/edera-dev/${{ matrix.component }}:nightly
        push: true
    - name: Sign the image
      env:
        DIGEST: ${{ steps.push-step.outputs.digest }}
        TAGS: ghcr.io/edera-dev/${{ matrix.component }}:nightly
        COSIGN_EXPERIMENTAL: "true"
      run: cosign sign --yes "${TAGS}@${DIGEST}"