name: Build production Docker image

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  build-backend-image:
    runs-on: wsl2-docker-host
    env:
      IMAGE_NAME: eryao-backend
      IMAGE_SIZE_LIMIT_BYTES: 500000000
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Validate ECR configuration
        run: |
          set -euo pipefail
          test -n "${{ secrets.AWS_ACCESS_KEY_ID }}"
          test -n "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
          test -n "${{ secrets.AWS_REGION }}"
          test -n "${{ secrets.AWS_ACCOUNT_ID }}"
          test -n "${{ secrets.ECR_REPOSITORY }}"

      - name: Build backend production image
        run: |
          set -euo pipefail
          docker buildx build \
            --provenance=false \
            --load \
            --file backend/Dockerfile \
            --tag ${IMAGE_NAME}:prod-${GITHUB_SHA} \
            --tag ${IMAGE_NAME}:prod-latest \
            .

      - name: Check image size budget
        run: |
          set -euo pipefail
          image_size_bytes="$(docker image inspect ${IMAGE_NAME}:prod-${GITHUB_SHA} --format '{{.Size}}')"
          echo "Image size: ${image_size_bytes} bytes"
          if [ "${image_size_bytes}" -gt "${IMAGE_SIZE_LIMIT_BYTES}" ]; then
            echo "Image exceeds ${IMAGE_SIZE_LIMIT_BYTES} bytes" >&2
            exit 1
          fi

      - name: Smoke test backend image
        run: |
          set -euo pipefail
          docker run --rm \
            -e ERYAO_RUNTIME__ENVIRONMENT=prod \
            -e ERYAO_SUPABASE__PUBLIC_URL=http://localhost:8001 \
            -e ERYAO_POINTS_POLICY__REGISTER_BONUS_HMAC_KEY=ci-smoke-test-key \
            --entrypoint python \
            ${IMAGE_NAME}:prod-${GITHUB_SHA} \
            -c "import app; print(app.app.title)"

      - name: Push backend image to ECR
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
          AWS_REGION: ${{ secrets.AWS_REGION }}
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
          ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
        run: |
          set -euo pipefail
          caller_account_id="$(aws sts get-caller-identity --query Account --output text)"
          if [ "${caller_account_id}" != "${AWS_ACCOUNT_ID}" ]; then
            echo "AWS_ACCOUNT_ID does not match caller identity" >&2
            exit 1
          fi

          ecr_registry="${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          ecr_image="${ecr_registry}/${ECR_REPOSITORY}"

          aws ecr describe-repositories \
            --region "${AWS_REGION}" \
            --repository-names "${ECR_REPOSITORY}" >/dev/null 2>&1 \
            || aws ecr create-repository \
              --region "${AWS_REGION}" \
              --repository-name "${ECR_REPOSITORY}" \
              --image-scanning-configuration scanOnPush=true \
              --encryption-configuration encryptionType=AES256 >/dev/null

          aws ecr get-login-password --region "${AWS_REGION}" \
            | docker login --username AWS --password-stdin "${ecr_registry}"

          docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:${GITHUB_SHA}"
          docker tag "${IMAGE_NAME}:prod-${GITHUB_SHA}" "${ecr_image}:latest"
          docker push "${ecr_image}:${GITHUB_SHA}"
          docker push "${ecr_image}:latest"