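---
# Drone pipeline: build the portainer-agent-tailscale image for amd64 and arm64,
# publish a multi-arch :latest manifest, then ask the registry to refresh its
# metadata and run a CVE scan.
#
# Security notes for reviewers:
# - The three docker steps run privileged AND mount the host Docker socket.
#   Either one alone is root-equivalent on the runner host, so this repository
#   must stay restricted to trusted committers. With the socket mounted the CLI
#   talks to the host daemon, so `privileged: true` looks redundant.
#   NOTE(review): confirm and drop it if the build still passes.
# - Registry passwords are fed to `docker login` on stdin rather than with -p,
#   which keeps them out of the process argument list.
# - `docker:26` is a mutable tag; consider pinning step images by digest.
kind: pipeline
type: docker
name: build-and-push

steps:
  - name: build-amd64
    image: docker:26
    privileged: true
    environment:
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock
    commands:
      - |
        echo "=== Building amd64 image ==="
        printf '%s' "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin
        docker build -t "$REGISTRY_URL/public/portainer-agent-tailscale:amd64" .
        docker push "$REGISTRY_URL/public/portainer-agent-tailscale:amd64"

  # NOTE(review): no --platform is passed and the pipeline declares no
  # platform, so this build presumably produces the runner's native
  # architecture under the :arm64 tag. Confirm how the runner is set up.
  - name: build-arm64
    image: docker:26
    privileged: true
    environment:
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock
    commands:
      - |
        echo "=== Building arm64 image ==="
        printf '%s' "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin
        docker build -t "$REGISTRY_URL/public/portainer-agent-tailscale:arm64" .
        docker push "$REGISTRY_URL/public/portainer-agent-tailscale:arm64"

  - name: create-manifest
    image: docker:26
    privileged: true
    environment:
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock
    commands:
      - |
        echo "=== Creating multi-arch manifest ==="
        printf '%s' "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin
        docker manifest create "$REGISTRY_URL/public/portainer-agent-tailscale:latest" \
          --amend "$REGISTRY_URL/public/portainer-agent-tailscale:amd64" \
          --amend "$REGISTRY_URL/public/portainer-agent-tailscale:arm64"
        docker manifest push "$REGISTRY_URL/public/portainer-agent-tailscale:latest"

  # This step only receives ZOT_USER / ZOT_PASS. The previous commands read
  # $DOCKER_USER and $DOCKER_PASS (one of them misspelled $DOCKER__PASS), which
  # are unset here, so curl sent empty credentials and still exited 0.
  # - --fail makes an HTTP error (for example 401) fail the step instead of
  #   silently skipping the scan.
  # - REGISTRY_URL has to be scheme-less to be usable as an image prefix above,
  #   and curl falls back to plain HTTP for scheme-less URLs;
  #   --proto-default https keeps the basic-auth header off cleartext.
  # NOTE(review): confirm both extension paths against the deployed registry's
  # API; with --fail a wrong path now fails the build rather than passing.
  - name: trigger-zot-refresh-and-cve-scan
    image: curlimages/curl:8.10.1
    environment:
      ZOT_USER:
        from_secret: ZOT_USER
      ZOT_PASS:
        from_secret: ZOT_PASS
      REGISTRY_URL:
        from_secret: REGISTRY_URL
    commands:
      - |
        echo "Triggering Zot metadata refresh..."
        curl --fail --silent --show-error --proto-default https \
          -u "$ZOT_USER:$ZOT_PASS" -X POST \
          "$REGISTRY_URL/v2/_zot/ext/refresh"
        echo "Triggering CVE scan..."
        curl --fail --silent --show-error --proto-default https \
          -u "$ZOT_USER:$ZOT_PASS" -X POST \
          -H "Content-Type: application/json" \
          "$REGISTRY_URL/v2/_zot/ext/cve/scan" \
          -d '{"repo":"public/portainer-agent-tailscale"}'

# Host bind mount of the Docker daemon socket, shared by the docker steps above.
volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock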