deploy.yml

# Build and publish GitHub Container Registry (GHCR) images after tests pass.
name: Deploy

run-name: Triggered by successful test workflow
permissions:
  contents: write
  packages: write

# default versions. This is overwritten by distros_tags.sh
env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

concurrency:
  group: gemc-deploy-${{ github.event.workflow_run.id }}
  cancel-in-progress: true

on:
  workflow_run:
    workflows: [ "Test" ]
    types: [ completed ]
    branches: [ main ]

jobs:
  overview:
    if: >-
      ${{
        github.event.workflow_run.conclusion == 'success' &&
        github.event.workflow_run.event == 'push'
      }}
    name: Workflow Overview
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Write overview
        shell: bash
        run: |
          : "${GITHUB_STEP_SUMMARY:=$RUNNER_TEMP/summary.md}"
          bash ci/summary.sh "$GITHUB_STEP_SUMMARY"

  discover:
    if: >-
      ${{
        github.event.workflow_run.conclusion == 'success' &&
        github.event.workflow_run.event == 'push'
      }}
    name: Create Job Matrices
    runs-on: ubuntu-latest
    outputs:
      matrix_build: ${{ steps.scan.outputs.matrix_build }}
      matrix_manifest: ${{ steps.scan.outputs.matrix_manifest }}
      image: ${{ steps.scan.outputs.image }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - id: scan
        name: Build matrix
        run: ci/distros_tags.sh

  # arch build jobs
  # uses matrix_build
  build_arch:
    name: ${{ matrix.image }}/${{ matrix.image_tag }} ${{ matrix.arch }}
    needs: [ overview, discover ]
    runs-on: ${{ matrix.runner }}
    timeout-minutes: 360
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.discover.outputs.matrix_build) }}

    env:
      CACHE_REF: type=registry,ref=${{ needs.discover.outputs.image }}:cache-${{ matrix.arch }}
      TAG4: ${{ format('{0}-{1}-{2}', matrix.gemc_tag, matrix.image, matrix.image_tag) }}
      LOGNAME: ${{ format('{0}-{1}-{2}-{3}', matrix.gemc_tag, matrix.image, matrix.image_tag, matrix.arch) }}
      DOCKER_BUILD_SUMMARY: false

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
          fetch-depth: 0

      - name: Free up disk space
        uses: ./.github/actions/free-disk-space
        with:
          prune_docker: "true"
          show_tree: "true"

      - name: Set up Buildx
        uses: docker/setup-buildx-action@v4

      - name: Log in to GHCR
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: meta
        name: Docker metadata (base tag)
        uses: docker/metadata-action@v6
        with:
          images: ${{ needs.discover.outputs.image }}
          tags: |
            type=raw,value=${{ env.TAG4 }}
          labels: |
            org.opencontainers.image.source=${{ github.repository }}
            org.opencontainers.image.description=GEMC ${{ matrix.gemc_tag }} ${{ matrix.arch }}

      - name: Generate Dockerfile
        run: |
          python3 ci/dockerfile_creator.py \
          -i "${{ matrix.image }}" \
          -t "${{ matrix.image_tag }}" \
          --gemc-version "${{ matrix.gemc_tag }}" \
          --geant4-version "${{ matrix.geant4_tag }}" \
          --with-package \
          --source context \
          --package-arch "${{ matrix.arch }}" \
          > Dockerfile.generated
          cat Dockerfile.generated

      - name: Build & Push
        uses: docker/build-push-action@v7
        with:
          # ensure we have the latest base image
          pull: true
          # force a full rebuild regardless of any local cache from previous workflow runs
          no-cache: true
          context: .
          file: ./Dockerfile.generated
          target: final
          platforms: ${{ matrix.platform }}
          push: true
          # Add suffix to the arch-specific image tag
          tags: ${{ steps.meta.outputs.tags }}${{ matrix.suffix }}
          labels: ${{ steps.meta.outputs.labels }}
          # build layers are imported from a previously exported BuildKit cache
          # cache-from: ${{ env.CACHE_REF }}
          # publishes the BuildKit cache to your container registry under that tag
          cache-to: ${{ env.CACHE_REF }},mode=max

      # export logs from the logs-export stage in the dockerfile to the runner’s filesystem (no docker pull)
      - name: Export logs (runner artifact)
        uses: docker/build-push-action@v7
        with:
          pull: true
          context: .
          file: ./Dockerfile.generated
          target: logs-export
          push: false
          cache-from: ${{ env.CACHE_REF }}
          outputs: type=local,dest=${{ runner.temp }}/artifacts/${{ matrix.logs_dir }}

      - name: Export GEMC tarball (runner artifact)
        uses: docker/build-push-action@v7
        with:
          pull: true
          context: .
          file: ./Dockerfile.generated
          target: package-export
          push: false
          cache-from: ${{ env.CACHE_REF }}
          outputs: type=local,dest=${{ runner.temp }}/artifacts/package-${{ env.LOGNAME }}

      - name: Pack logs
        shell: bash
        run: |
          LOGROOT="${{ runner.temp }}/artifacts/${{ matrix.logs_dir }}"
          TAR="logs-${LOGNAME}.tgz"
          cd "$LOGROOT"
          tar -czf "$TAR" logs
          echo "LOG_TAR=$LOGROOT/$TAR" >> "$GITHUB_ENV"

      - name: Upload logs artifact
        uses: actions/upload-artifact@v7
        with:
          name: logs-${{ env.LOGNAME }}
          path: ${{ env.LOG_TAR }}
          if-no-files-found: ignore

      - name: Upload GEMC tarball artifact
        uses: actions/upload-artifact@v7
        with:
          name: gemc-tarball-${{ env.LOGNAME }}
          path: ${{ runner.temp }}/artifacts/package-${{ env.LOGNAME }}/*.tar.gz
          if-no-files-found: error

  # Manifest stitch
  # uses matrix_manifest so it's not repeated for each arch
  # docker buildx imagetools create: assembles an OCI manifest list
  # from already-pushed per-arch image tags.
  manifest:
    name: ${{ matrix.image }}/${{ matrix.image_tag }}
    needs: [ build_arch, discover ]
    runs-on: ubuntu-latest
    timeout-minutes: 60
    # If arm64 was skipped (e.g., archlinux), still publish amd64-only manifest.
    strategy:
      fail-fast: false
      matrix: ${{ fromJSON(needs.discover.outputs.matrix_manifest) }}
    env:
      TAG4: ${{ format('{0}-{1}-{2}', matrix.gemc_tag, matrix.image, matrix.image_tag) }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Log in to GHCR
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Buildx
        uses: docker/setup-buildx-action@v4

      - id: meta
        name: Docker metadata (base tag)
        uses: docker/metadata-action@v6
        with:
          images: ${{ needs.discover.outputs.image }}
          tags: |
            type=raw,value=${{ env.TAG4 }}

      - name: Create multi-arch manifest
        shell: bash
        run: |
          BASE_TAG="${{ steps.meta.outputs.tags }}"
          AMD_TAG="${BASE_TAG}-amd64"
          ARM_TAG="${BASE_TAG}-arm64"

          # If the arm64 build was skipped (e.g., archlinux), only include amd64
          if docker buildx imagetools inspect "$ARM_TAG" >/dev/null 2>&1; then
            docker buildx imagetools create -t "$BASE_TAG" "$AMD_TAG" "$ARM_TAG"
          else
            docker buildx imagetools create -t "$BASE_TAG" "$AMD_TAG"
          fi

      - name: Download logs artifacts (all arches)
        if: ${{ always() }}
        uses: actions/download-artifact@v7
        with:
          pattern: logs-${{ env.TAG4 }}-*
          path: ${{ runner.temp }}/downloaded-logs
          merge-multiple: true

      - name: Summary (manifest)
        if: ${{ always() }}
        shell: bash
        env:
          IMAGE: ${{ needs.discover.outputs.image }}
          TAG: ${{ env.TAG4 }}
        run: |
          SUMMARY_FILE="${GITHUB_STEP_SUMMARY:-$RUNNER_TEMP/manifest_summary.md}"
          echo "MANIFEST_SUMMARY_FILE=$SUMMARY_FILE" >> "$GITHUB_ENV"
          bash ci/manifest.sh "$SUMMARY_FILE" "$IMAGE" "$TAG" "${{ runner.temp }}/downloaded-logs"
          
          mkdir -p "$GITHUB_WORKSPACE/summaries"
          OUT="$GITHUB_WORKSPACE/summaries/summary-${TAG}-${{ job.status }}.md"
          cp "$SUMMARY_FILE" "$OUT" || true
          echo "Wrote $OUT"

      - name: Upload summary artifact (manifest)
        uses: actions/upload-artifact@v7
        with:
          name: summary-${{ env.TAG4 }}-manifest
          path: ${{ env.MANIFEST_SUMMARY_FILE }}
          if-no-files-found: warn

  # Mirror the GHCR multi-arch manifests to Docker Hub. Copied with skopeo, not
  # `docker buildx imagetools`: the latter's blob-upload finalize is rejected by
  # Docker Hub's registry with "400 Bad Request", whereas skopeo's streaming
  # upload is accepted. The copy is registry-to-registry (no pull, no rebuild)
  # and `--all` carries every architecture in the manifest list. Tags are copied
  # one at a time (sequential) with skopeo's own retry. Skipped when the
  # DOCKERHUB_USERNAME secret is absent (e.g. on forks).
  dockerhub_mirror:
    name: Mirror images to Docker Hub
    needs: [ discover, manifest ]
    if: ${{ always() && needs.manifest.result == 'success' }}
    runs-on: ubuntu-latest
    env:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO || 'gemc/gemc' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Log in to GHCR
        if: ${{ env.DOCKERHUB_USERNAME != '' }}
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
        if: ${{ env.DOCKERHUB_USERNAME != '' }}
        uses: docker/login-action@v4
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Install skopeo
        if: ${{ env.DOCKERHUB_USERNAME != '' }}
        run: |
          sudo apt-get update
          sudo apt-get install -y skopeo

      - name: Mirror all tags (sequential)
        if: ${{ env.DOCKERHUB_USERNAME != '' }}
        shell: bash
        env:
          SRC_IMAGE: ${{ needs.discover.outputs.image }}
        run: |
          set -uo pipefail
          source ci/tags_config.sh

          # skopeo reads the credentials written by the docker login steps above.
          AUTHFILE="$HOME/.docker/config.json"

          rc=0
          for gemcv in $(get_gemc_tags); do
            for pair in "${OS_VERSIONS[@]}"; do
              os="${pair%%=*}"; ver="${pair#*=}"
              tag="${gemcv}-${os}-${ver}"
              echo "Mirroring ${SRC_IMAGE}:${tag} -> ${DOCKERHUB_REPO}:${tag}"
              if skopeo copy --all --retry-times 5 --authfile "$AUTHFILE" \
                   "docker://${SRC_IMAGE}:${tag}" \
                   "docker://${DOCKERHUB_REPO}:${tag}"; then
                echo "mirrored ${DOCKERHUB_REPO}:${tag}"
              else
                echo "::error::failed to mirror ${SRC_IMAGE}:${tag} -> ${DOCKERHUB_REPO}:${tag}"
                rc=1
              fi
            done
          done
          exit "$rc"

  # Push the Docker Hub overview README once per deploy, after the images exist.
  # Skipped automatically when the DOCKERHUB_USERNAME secret is absent.
  dockerhub_readme:
    name: Update Docker Hub description
    needs: dockerhub_mirror
    if: ${{ always() && needs.dockerhub_mirror.result == 'success' }}
    runs-on: ubuntu-latest
    env:
      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      DOCKERHUB_REPO: ${{ vars.DOCKERHUB_REPO || 'gemc/gemc' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Resolve Docker Hub repository path
        if: ${{ env.DOCKERHUB_USERNAME != '' }}
        shell: bash
        run: echo "DH_REPO_PATH=${DOCKERHUB_REPO#docker.io/}" >> "$GITHUB_ENV"

      - name: Push README to Docker Hub
        if: ${{ env.DOCKERHUB_USERNAME != '' }}
        uses: peter-evans/dockerhub-description@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: ${{ env.DH_REPO_PATH }}
          short-description: "GEMC — database-driven Geant4 simulation framework, ready-to-run dev images"
          readme-filepath: ./ci/dockerhub/README.md

  final:
    name: Deploy - summary
    if: >-
      ${{
        always() &&
        github.event.workflow_run.conclusion == 'success' &&
        github.event.workflow_run.event == 'push'
      }}
    needs: [ build_arch, manifest, dockerhub_mirror, dockerhub_readme ]
    runs-on: ubuntu-latest
    steps:
      - name: Fail if any required job failed
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        run: |
          echo "### Some GEMC deploy jobs failed or were cancelled." >> "$GITHUB_STEP_SUMMARY"
          exit 1

      - name: Pass
        run: |
          echo "### GEMC deploy workflow passed." >> "$GITHUB_STEP_SUMMARY"