image-builder/.gitea/workflows/build.yaml

name: 🏗️ Build Container Image

on:
  workflow_call:
    inputs:
      # --- Required ---
      image_name:
        description: 'Image name without registry/org (e.g. ansible-act-runner)'
        required: true
        type: string
      dockerfile_path:
        description: 'Path to Dockerfile relative to repo root (e.g. docker/Dockerfile)'
        required: true
        type: string
      context_path:
        description: 'Build context directory relative to repo root (e.g. docker/)'
        required: true
        type: string

      # --- Optional overrides ---
      registry:
        description: 'Registry to push to (default: gitea.mod.home)'
        required: false
        type: string
        default: 'gitea.mod.home'
      image_org:
        description: 'Registry org/namespace (default: calling repo owner)'
        required: false
        type: string
        default: ''
      extra_tag:
        description: 'Additional tag besides latest and SHA (e.g. stable)'
        required: false
        type: string
        default: ''
      no_cache:
        description: 'Disable build cache'
        required: false
        type: boolean
        default: false

    secrets:
      TOKEN:
        required: true
      TELEGRAM_BOT_TOKEN:
        required: false
      TELEGRAM_CHAT_ID:
        required: false
      # Optional — override default REGISTRY_USER/REGISTRY_PASSWORD
      REGISTRY_USER_OVERRIDE:
        required: false
      REGISTRY_PASSWORD_OVERRIDE:
        required: false

jobs:
  build:
    # Runs directly on runner host (docker:host)
    # Kaniko executor available via tools volume (initContainer in deployment)
    runs-on: docker

    steps:
      - name: 🔎 Checkout
        run: |
          rm -rf /workspace
          git clone \
            --depth 1 \
            --branch "${{ gitea.ref_name }}" \
            "http://${{ secrets.TOKEN }}@gitea.mod.home/${{ gitea.repository_owner }}/${{ gitea.event.repository.name }}.git" \
            /workspace

      - name: 🏷️ Resolve Image Destination
        id: meta
        run: |
          # Registry
          REGISTRY="${{ inputs.registry }}"

          # Org: use override if provided, otherwise calling repo owner
          ORG="${{ inputs.image_org }}"
          if [ -z "${ORG}" ]; then
            ORG="${{ gitea.repository_owner }}"
          fi

          # Credentials: use override if provided, otherwise defaults
          USER="${{ secrets.REGISTRY_USER_OVERRIDE }}"
          if [ -z "${USER}" ]; then
            USER="${{ secrets.REGISTRY_USER }}"
          fi
          PASS="${{ secrets.REGISTRY_PASSWORD_OVERRIDE }}"
          if [ -z "${PASS}" ]; then
            PASS="${{ secrets.REGISTRY_PASSWORD }}"
          fi

          IMAGE="${REGISTRY}/${ORG}/${{ inputs.image_name }}"
          SHORT_SHA="${{ gitea.sha }}"
          SHORT_SHA="${SHORT_SHA:0:8}"

          echo "image=${IMAGE}" >> $GITHUB_OUTPUT
          echo "tag_latest=${IMAGE}:latest" >> $GITHUB_OUTPUT
          echo "tag_sha=${IMAGE}:${SHORT_SHA}" >> $GITHUB_OUTPUT
          echo "short_sha=${SHORT_SHA}" >> $GITHUB_OUTPUT
          echo "registry=${REGISTRY}" >> $GITHUB_OUTPUT
          echo "user=${USER}" >> $GITHUB_OUTPUT
          echo "pass=${PASS}" >> $GITHUB_OUTPUT

      - name: 🔑 Create Kaniko Registry Config
        run: |
          mkdir -p /kaniko/.docker
          AUTH=$(echo -n "${{ steps.meta.outputs.user }}:${{ steps.meta.outputs.pass }}" | base64 | tr -d "\n\r")
          cat > /kaniko/.docker/config.json << DOCKEREOF
          {"auths":{"${{ steps.meta.outputs.registry }}":{"auth":"${AUTH}"}}}
          DOCKEREOF
          echo "config.json written:"
          cat /kaniko/.docker/config.json

      - name: 🔨 Build + Push Image
        env:
          DOCKER_CONFIG: /kaniko/.docker
        run: |
          DESTINATIONS="--destination ${{ steps.meta.outputs.tag_latest }} \
                        --destination ${{ steps.meta.outputs.tag_sha }}"

          if [ -n "${{ inputs.extra_tag }}" ]; then
            DESTINATIONS="${DESTINATIONS} --destination ${{ steps.meta.outputs.image }}:${{ inputs.extra_tag }}"
          fi

          NO_CACHE=""
          if [ "${{ inputs.no_cache }}" = "true" ]; then
            NO_CACHE="--no-push-cache --cache=false"
          fi

          # Kaniko executor is in /tools (copied by initContainer)
          /tools/executor \
            --context=dir:///workspace/${{ inputs.context_path }} \
            --dockerfile=/workspace/${{ inputs.dockerfile_path }} \
            ${DESTINATIONS} \
            ${NO_CACHE} \
            --insecure \
            --skip-tls-verify \
            --compressed-caching=false \
            --kaniko-dir=/kaniko

      - name: 📨 Telegram Notification
        if: always()
        run: |
          STATUS="${{ job.status }}"
          IMAGE="${{ steps.meta.outputs.tag_latest }}"
          SHA="${{ steps.meta.outputs.short_sha }}"
          # Use wget — available in gitea/act_runner base image (busybox)
          wget -q -O- \
            --post-data="chat_id=${{ secrets.TELEGRAM_CHAT_ID }}&text=🏗️ Build: ${IMAGE} SHA:${SHA} Status:${STATUS}" \
            "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" || true