name: Deploy docker images
on:
  workflow_call:
    inputs:
      dockerTag:
        required: true
        description: 'tag to assign docker images'
        type: string
    secrets:
      DOCKERHUB_TOKEN:
        required: true

permissions:
  contents: read

env:
  DOCKER_TAG: "${{ inputs.dockerTag }}"

jobs:
  # The credentials used in the following jobs are for the shared
  # certbotbot account on Docker Hub.
  # They are located under the certbot organization settings,
  # under Secrets and Variables -> Actions.
  # DOCKERHUB_USERNAME is saved as a variable.
  # DOCKERHUB_TOKEN is a secret, and it is a PAT created by
  # following the instructions at
  # https://docs.docker.com/security/access-tokens/
  # with Read and Write permissions. The access token can be deleted
  # on Docker Hub if these credentials need to be revoked.
  # The password is a PAT following the advice given by
  # https://github.com/docker/login-action?tab=readme-ov-file#docker-hub
  publish_docker_by_arch:
    name: Publish docker by arch
    runs-on:
      - 'ubuntu-24.04'
    strategy:
      fail-fast: false
      matrix:
        DOCKER_ARCH:
        - arm32v6
        - arm64v8
        - amd64
    steps:
    - name: Checkout
      uses: actions/checkout@v6.0.2
      with:
        persist-credentials: false
    - name: Retrieve Docker images
      uses: actions/download-artifact@v8.0.1
      with:
        name: docker_${{ matrix.DOCKER_ARCH }}
        path: "${{ github.workspace }}"
    - name: Load Docker images
      run: docker load --input ${{ github.workspace }}/images.tar
      shell: bash
    - name: Login to Docker Hub
      uses: docker/login-action@v4.1.0
      with:
        username: "${{ vars.DOCKERHUB_USERNAME }}"
        password: "${{ secrets.DOCKERHUB_TOKEN }}"
    - name: Deploy the Docker images by architecture
      run: tools/docker/deploy_images.sh "$DOCKER_TAG" ${{ matrix.DOCKER_ARCH }}
      shell: bash
  publish_docker_multiarch:
    name: Publish docker multiarch
    needs: publish_docker_by_arch
    runs-on:
      - 'ubuntu-24.04'
    steps:
    - name: Checkout
      uses: actions/checkout@v6.0.2
      with:
        persist-credentials: false
    - name: Login to Docker Hub
      uses: docker/login-action@v4.1.0
      with:
        username: "${{ vars.DOCKERHUB_USERNAME }}"
        password: "${{ secrets.DOCKERHUB_TOKEN }}"
    - name: Deploy the Docker multiarch manifests
      run: tools/docker/deploy_manifests.sh "$DOCKER_TAG" all
      shell: bash