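# Builds the multi-arch Barman base image, publishes it to GHCR, scans the
# published image with Snyk and uploads the findings to GitHub Code Scanning.
name: Barman Base Image

on:
  pull_request:
  workflow_dispatch:
  schedule:
    # Weekly rebuild: 00:00 UTC every Sunday.
    - cron: "0 0 * * 0"

env:
  IMAGE_NAME: "ghcr.io/cloudnative-pg/plugin-barman-cloud-base"
  PLATFORMS: "linux/amd64,linux/arm64"

# Least privilege: no step below writes to the repository, so contents is
# read-only. packages: write is needed for the GHCR push and
# security-events: write for the SARIF upload.
permissions:
  contents: read
  packages: write
  security-events: write

jobs:
  build:
    runs-on: ubuntu-24.04
    # NOTE(review): the actions below are referenced by mutable tags. Pinning
    # each `uses:` to a full commit SHA prevents a retagged release from
    # running with this job's token and secrets.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Keep the job token out of .git/config: the whole checkout is the
          # Docker build context and no later step runs authenticated git.
          persist-credentials: false

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: ${{ env.PLATFORMS }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to the GitHub Container registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build Docker Image
        uses: docker/build-push-action@v6
        with:
          platforms: ${{ env.PLATFORMS }}
          context: .
          file: ./containers/Dockerfile.barmanbase
          # Pull requests only validate that the image builds. Publishing
          # :latest from unreviewed PR code would replace the image that
          # consumers pull, so the push is limited to the other triggers.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ env.IMAGE_NAME }}:latest

      # The scan pulls :latest from the registry, so it only describes this
      # run's build when the image was pushed; it is skipped on pull requests.
      # The image is already published when the scan runs and
      # continue-on-error keeps the job green, so findings are advisory and
      # surface only through the SARIF upload below.
      - name: Run Snyk to check Docker image for vulnerabilities
        if: github.event_name != 'pull_request'
        # NOTE(review): @master is a moving branch and this step receives
        # SNYK_TOKEN; pin it to a full commit SHA.
        uses: snyk/actions/docker@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: "${{ env.IMAGE_NAME }}:latest"
          args: --severity-threshold=high --file=./containers/Dockerfile.barmanbase

      - name: Upload result to GitHub Code Scanning
        if: github.event_name != 'pull_request'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif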