name: Build base images from code repos

on:
  workflow_call:
    inputs:
      image_tag:
        required: true
        type: string

jobs:
  docker-base-build-and-push:

    runs-on: ubuntu-22.04 #ubuntu-latest

    steps:
    - id: get-id
      name: Get a unique tag for this build
      run: |
        echo "DOCKER_IMAGE=${{ vars.GCP_DOCKER_REGISTRY }}/${{ github.repository }}:${{ inputs.image_tag }}" >> "$GITHUB_OUTPUT";

    - name: Print image name
      run: |
        echo "${{ steps.get-id.outputs.DOCKER_IMAGE }}";

    - uses: actions/checkout@v4

      # ✅ 1) Auth to GCP (this is where your SA key is used)
    - name: Auth to GCP
      uses: google-github-actions/auth@v2
      with:
        # using your existing secret that contains the SA JSON
        credentials_json: ${{ secrets.GCP_SA_KEY }}

      # ✅ 2) Install gcloud (no creds here)
    - name: Set up gcloud
      uses: google-github-actions/setup-gcloud@v2
      with:
        project_id: ${{ vars.GCP_PROJECT_ID }}
        export_default_credentials: true

    - name: Configure Docker for GAR
      run: |
        gcloud auth configure-docker ${{vars.GCP_REGION}}-docker.pkg.dev

    - name: Build and push the Docker image
      run: |
        docker build \
          --file fab/d/actions-base.Dockerfile \
          --tag ${{ steps.get-id.outputs.DOCKER_IMAGE }} \
          .;

    - name: Container details
      run: |
        IMAGE_SIZE=`docker inspect -f "{{ .Size }}" ${{ steps.get-id.outputs.DOCKER_IMAGE }} | numfmt --to=si`;
        echo "$IMAGE_SIZE container ${{ steps.get-id.outputs.DOCKER_IMAGE }}";

    - name: Push the container image
      run: docker push ${{ steps.get-id.outputs.DOCKER_IMAGE }}
  
    - name: Scan Docker Image for vulnerabilities with Grype
      uses: anchore/scan-action@v6
      with:
        image: ${{ steps.get-id.outputs.DOCKER_IMAGE }}
        cache-db: true #Cache Grype DB in Github Actions
        output-format: table
        only-fixed: true
        severity-cutoff: critical
        fail-build: true