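---
# Builds the Docker image for every qualifying pull request (build + local
# smoke test only, nothing is pushed) and publishes a multi-arch image to
# Docker Hub on manual dispatch or when a release is published.
#
# NOTE(review): every `uses:` below references a mutable major-version tag.
# Pinning each action to a full commit SHA (with the version kept in a
# trailing comment) prevents a re-pointed tag from changing the code that
# runs in the job holding the Docker Hub credentials.
name: Build and Push Docker Image to Docker Hub

on:
  pull_request:
    branches:
      - main
      - base
    paths:
      - .dockerignore
      - Dockerfile
      - package.json
      - package-lock.json
      - 'tsconfig*.json'
      - 'vite.config*.ts'
      - 'packages/**'
      - 'bin/**'
      - 'scripts/**'
      - .github/workflows/docker-publish.yml
  # NOTE(review): a manual dispatch can be started from any ref. As written
  # it publishes `:latest` from that ref, and `github.ref_name` is used as an
  # image tag even though a branch name may contain `/`, which is not valid
  # in a tag. Consider restricting publishing to release events or to main.
  workflow_dispatch:
  release:
    types: [published]

# Least privilege: the job only needs to read the repository.
permissions:
  contents: read

# One run per pull request (or per ref); only PR runs are cancelled when
# superseded, so a publish in progress is never interrupted.
concurrency:
  group: docker-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  IMAGE_NAME: hermes-web-ui

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    timeout-minutes: 45

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step runs git, so do not leave the job token in
          # .git/config. The build context is the whole checkout; if
          # .dockerignore does not exclude .git (not visible here), a
          # persisted token could be copied into an image layer.
          persist-credentials: false

      # QEMU is only needed for the multi-arch publish build.
      - name: Set up QEMU
        if: github.event_name != 'pull_request'
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Skipped on pull requests, so PR builds never touch the registry
      # credentials.
      - name: Log in to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # PR path: build for the runner's architecture and load the image into
      # the local Docker daemon for the smoke test; nothing is pushed.
      - name: Build PR image
        if: github.event_name == 'pull_request'
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          load: true
          push: false
          tags: ${{ env.IMAGE_NAME }}:ci

      - name: Smoke test PR image
        if: github.event_name == 'pull_request'
        run: |
          set -euo pipefail

          cid=""
          # Always dump the container logs and remove the container, whether
          # the test passes, fails or times out.
          cleanup() {
            if [ -n "$cid" ]; then
              docker logs "$cid" || true
              docker rm -f "$cid" || true
            fi
          }
          trap cleanup EXIT

          # BIND_HOST=0.0.0.0 applies inside the container so the published
          # port is reachable; on the runner the port is published on
          # loopback only, which is all the health check below needs.
          cid=$(docker run -d \
            -e PORT=6060 \
            -e BIND_HOST=0.0.0.0 \
            -e HERMES_WEB_UI_HOME=/tmp/hermes-web-ui \
            -e HERMES_HOME=/home/agent/.hermes \
            -p 127.0.0.1:6060:6060 \
            "${IMAGE_NAME}:ci")

          # Poll /health for up to 60 attempts, 2 seconds apart, failing
          # early if the container has already exited.
          for attempt in $(seq 1 60); do
            if curl -fsS http://127.0.0.1:6060/health | grep -q '"status":"ok"'; then
              echo "Docker image smoke test passed."
              exit 0
            fi
            if ! docker ps --quiet --no-trunc | grep -q "$cid"; then
              echo "Container exited before becoming healthy." >&2
              exit 1
            fi
            sleep 2
          done

          echo "Timed out waiting for /health." >&2
          exit 1

      # Publish path (manual dispatch or published release): multi-arch
      # build pushed under three tags: latest, the commit SHA, and the
      # release tag (or the ref name when there is no release).
      - name: Build and push Docker image
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: |
            ${{ secrets.DOCKERHUB_USERNAME }}/hermes-web-ui:latest
            ${{ secrets.DOCKERHUB_USERNAME }}/hermes-web-ui:${{ github.sha }}
            ${{ secrets.DOCKERHUB_USERNAME }}/hermes-web-ui:${{ github.event.release.tag_name || github.ref_name }}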