name: CLI Build
on:
  push:
    branches: [main]
    paths:
      - 'packages/cli/**'
      - '.github/workflows/cli.yml'
  pull_request:
    paths:
      - 'packages/cli/**'
      - '.github/workflows/cli.yml'
  release:
    types: [published]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions: {}

jobs:
  publish:
    name: CLI Publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
      packages: write
    defaults:
      run:
        working-directory: ./packages/cli
    steps:
      - id: token
        uses: immich-app/devtools/actions/create-workflow-token@9db058b2e6eec20e07760b0e17a0505c78ec3191 # create-workflow-token-action-v2.0.1
        with:
          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
        uses: immich-app/devtools/actions/use-mise@7b8610a904d57da241e4ddba17fa62b62b15aed4 # use-mise-action-v2.0.2
        with:
          github_token: ${{ steps.token.outputs.token }}

      - name: Publish
        if: ${{ github.event_name == 'release' }}
        env:
          NPM_TAG: ${{ github.event.release.prerelease && 'rc' || 'latest' }}
        run: mise run ci-publish -- --tag "$NPM_TAG"

  docker:
    name: Docker
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    needs: publish

    steps:
      - id: token
        uses: immich-app/devtools/actions/create-workflow-token@9db058b2e6eec20e07760b0e17a0505c78ec3191 # create-workflow-token-action-v2.0.1
        with:
          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Get package version
        id: package-version
        run: |
          version=$(jq -r '.version' packages/cli/package.json)
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Generate docker image tags
        id: metadata
        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        with:
          flavor: |
            latest=false
          images: |
            name=ghcr.io/${{ github.repository_owner }}/immich-cli
          tags: |
            type=raw,value=${{ steps.package-version.outputs.version }},enable=${{ github.event_name == 'release' }}
            type=raw,value=latest,enable=${{ github.event_name == 'release' && !github.event.release.prerelease }}

      - name: Build and push image
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          file: packages/cli/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name == 'release' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}