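name: Docker Images

# Builds the API and web images and publishes each one to the runner-local
# registry (which deploy pulls from) and to ghcr.io (off-site backup).
# Triggers are limited to pushes to main and manual dispatch; there is no
# pull_request trigger, so only users with write access can start a run on
# the self-hosted runner.
on:
  push:
    branches: [main]
    paths:
      - 'src/food-market.api/**'
      - 'src/food-market.web/**'
      - 'src/food-market.application/**'
      - 'src/food-market.domain/**'
      - 'src/food-market.infrastructure/**'
      - 'src/food-market.shared/**'
      - 'deploy/**'
      - '.github/workflows/docker.yml'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: read the repository for checkout and
# write packages for the ghcr.io push. Nothing else is granted.
permissions:
  contents: read
  packages: write

env:
  # Quoted so that no YAML parser tries to type the host:port value.
  LOCAL_REGISTRY: '127.0.0.1:5001'

jobs:
  api:
    name: API image
    # NOTE(review): unless this runner is ephemeral, its workspace and the
    # account's Docker config outlive the job, so anything a step writes
    # there (credentials included) stays on the host.
    runs-on: [self-hosted, linux]
    steps:
      # NOTE(review): v4 is a mutable tag; pinning the action to a full
      # commit SHA protects the job against a retagged release.
      - uses: actions/checkout@v4
        with:
          # No later step talks to git. Keeping the token out of .git/config
          # also keeps it out of the docker build context (`.`), which
          # contains .git unless a .dockerignore excludes it.
          persist-credentials: false

      - name: Login to ghcr
        # The token reaches the script through the environment and is piped
        # to stdin, so it never appears in the process argument list.
        # NOTE(review): docker login stores the credential in the runner
        # account's Docker config; confirm it is removed or isolated per job.
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.actor }}
        run: |
          for i in 1 2 3 4 5; do
            if echo "$TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin; then
              exit 0
            fi
            # Nothing follows the last attempt, so do not sleep after it.
            if [ "$i" -eq 5 ]; then
              break
            fi
            echo "login attempt $i failed, retrying in 15s"
            sleep 15
          done
          echo "::error::ghcr login failed after 5 attempts"
          exit 1

      - name: Build + push api
        # Context values are passed as environment variables rather than
        # expanded inside the script text, so they are never parsed as shell.
        env:
          OWNER: ${{ github.repository_owner }}
          SHA: ${{ github.sha }}
        run: |
          docker build -f deploy/Dockerfile.api \
            -t "$LOCAL_REGISTRY/food-market-api:$SHA" \
            -t "$LOCAL_REGISTRY/food-market-api:latest" \
            -t "ghcr.io/$OWNER/food-market-api:$SHA" \
            -t "ghcr.io/$OWNER/food-market-api:latest" .
          # Push to LOCAL registry first (deploy depends on it) — it's on localhost, reliable.
          for tag in "$SHA" latest; do
            docker push "$LOCAL_REGISTRY/food-market-api:$tag" || { echo "local push $tag failed"; exit 1; }
          done
          # Push to ghcr.io as off-site backup. Flaky on KZ network — retry, but don't fail the job.
          # A tag that still fails after 5 attempts is only reported as a
          # warning, so ghcr.io can lag behind the local registry (including
          # a stale `latest`).
          for tag in "$SHA" latest; do
            for i in 1 2 3 4 5; do
              if docker push "ghcr.io/$OWNER/food-market-api:$tag"; then
                break
              fi
              # Give up without a trailing sleep once the last attempt failed.
              if [ "$i" -eq 5 ]; then
                echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
                break
              fi
              echo "ghcr push $tag attempt $i failed, retrying in 15s"
              sleep 15
            done
          done

  web:
    name: Web image
    # NOTE(review): unless this runner is ephemeral, its workspace and the
    # account's Docker config outlive the job, so anything a step writes
    # there (credentials included) stays on the host.
    runs-on: [self-hosted, linux]
    steps:
      # NOTE(review): v4 is a mutable tag; pinning the action to a full
      # commit SHA protects the job against a retagged release.
      - uses: actions/checkout@v4
        with:
          # No later step talks to git. Keeping the token out of .git/config
          # also keeps it out of the docker build context (`.`), which
          # contains .git unless a .dockerignore excludes it.
          persist-credentials: false

      - name: Login to ghcr
        # The token reaches the script through the environment and is piped
        # to stdin, so it never appears in the process argument list.
        # NOTE(review): docker login stores the credential in the runner
        # account's Docker config; confirm it is removed or isolated per job.
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ACTOR: ${{ github.actor }}
        run: |
          for i in 1 2 3 4 5; do
            if echo "$TOKEN" | docker login ghcr.io -u "$ACTOR" --password-stdin; then
              exit 0
            fi
            # Nothing follows the last attempt, so do not sleep after it.
            if [ "$i" -eq 5 ]; then
              break
            fi
            echo "login attempt $i failed, retrying in 15s"
            sleep 15
          done
          echo "::error::ghcr login failed after 5 attempts"
          exit 1

      - name: Build + push web
        # Context values are passed as environment variables rather than
        # expanded inside the script text, so they are never parsed as shell.
        env:
          OWNER: ${{ github.repository_owner }}
          SHA: ${{ github.sha }}
        run: |
          docker build -f deploy/Dockerfile.web \
            -t "$LOCAL_REGISTRY/food-market-web:$SHA" \
            -t "$LOCAL_REGISTRY/food-market-web:latest" \
            -t "ghcr.io/$OWNER/food-market-web:$SHA" \
            -t "ghcr.io/$OWNER/food-market-web:latest" .
          # The local registry push is mandatory: fail the job if it fails.
          for tag in "$SHA" latest; do
            docker push "$LOCAL_REGISTRY/food-market-web:$tag" || { echo "local push $tag failed"; exit 1; }
          done
          # The ghcr.io push is best effort: retry, then warn instead of
          # failing, so ghcr.io can lag behind the local registry.
          for tag in "$SHA" latest; do
            for i in 1 2 3 4 5; do
              if docker push "ghcr.io/$OWNER/food-market-web:$tag"; then
                break
              fi
              # Give up without a trailing sleep once the last attempt failed.
              if [ "$i" -eq 5 ]; then
                echo "::warning::ghcr push $tag failed after 5 attempts — local registry still has the image"
                break
              fi
              echo "ghcr push $tag attempt $i failed, retrying in 15s"
              sleep 15
            done
          done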