name: Publish tb-cli Image

on:
  workflow_dispatch: # Manual trigger from GitHub UI or CLI
  push:
    branches: [main]
    paths:
      - 'docker/tb-cli/**'

permissions:
  contents: read
  packages: write

jobs:
  publish:
    name: Build and push tb-cli to GHCR
    runs-on: ubuntu-latest
    if: github.repository == 'TryGhost/Ghost' && github.ref == 'refs/heads/main'
    concurrency:
      group: publish-tb-cli
      cancel-in-progress: true
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4

      - name: Login to GHCR
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7
        with:
          context: .
          file: docker/tb-cli/Dockerfile
          push: true
          tags: |
            ghcr.io/tryghost/tb-cli:latest
            ghcr.io/tryghost/tb-cli:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max