name: Build

on:
  workflow_call:
    inputs:
      snapshot:
        description: "Whether to run in snapshot mode"
        required: false
        type: boolean
        default: false

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: write
      attestations: write
      id-token: write
    env:
      CGO_ENABLED: 0
      TAG: ${{ github.ref_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
        with:
          fetch-depth: 0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
        with:
          platforms: linux/amd64,linux/arm64,linux/386,linux/arm/v6

      - name: Set up Go
        uses: actions/setup-go@29694d72cd5e7ef3b09496b39f28a942af47737e
        with:
          go-version: 1.24.3

      - name: Login to Docker Hub
        uses: docker/login-action@6d4b68b490aef8836e8fb5e50ee7b3bdfa5894f0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GHCR
        uses: docker/login-action@6d4b68b490aef8836e8fb5e50ee7b3bdfa5894f0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@90c43f2c197eeb47adb636c4329af34ae5a2a5f0
        with:
          distribution: goreleaser
          version: v2.7.0
          args: release --clean ${{ inputs.snapshot && '--snapshot' || '' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2
        if: success()
        with:
          subject-path: "dist/**/*"