meldestelle/.gitea/workflows/docker-publish.yaml
Stefan Mogeritsch be474a2c93
Some checks failed
Build and Publish Docker Images / build-and-push (., backend/infrastructure/gateway/Dockerfile, api-gateway, api-gateway) (push) Failing after 35s
Build and Publish Docker Images / build-and-push (., backend/services/ping/Dockerfile, ping-service, ping-service) (push) Has been cancelled
Build and Publish Docker Images / build-and-push (., config/docker/caddy/web-app/Dockerfile, web-app, web-app) (push) Has been cancelled
Build and Publish Docker Images / build-and-push (., config/docker/keycloak/Dockerfile, keycloak, keycloak) (push) Has been cancelled
docs: document pipeline fix v5 using Docker Daemon configuration and update workflow
Added a session log detailing the resolution of HTTPS to HTTP conflicts during internal registry access by configuring the Docker Daemon with `insecure-registries` in `daemon.json` and restarting the service. Updated `.gitea/workflows/docker-publish.yaml` to reflect the new approach, ensuring reliable internal pushes bypassing Pangolin without timeouts.
2026-03-06 15:02:08 +01:00


name: Build and Publish Docker Images
run-name: Build & Publish by @${{ github.actor }}

on:
  push:
    branches: [ "main" ]
    paths:
      - 'backend/**'
      - 'platform/**'
      - 'core/**'
      - 'frontend/**'
      - 'config/docker/**'
      - 'docker-compose.yaml'
      - '.gitea/workflows/docker-publish.yaml'

env:
  REGISTRY: git.mo-code.at
  # Internal registry endpoint (direct HTTP, no Pangolin timeout)
  REGISTRY_INTERNAL: 10.0.0.22:3000
  # IMPORTANT: lower-case for Docker compliance
  IMAGE_PREFIX: mocode-software/meldestelle
  # Build arguments for Zora (ARM64 power)
  JAVA_VERSION: "25"
  GRADLE_VERSION: "9.3.1"
  # OPTIMISATION: Gradle parameters for more speed
  GRADLE_OPTS: "-Dorg.gradle.parallel=true -Dorg.gradle.workers.max=8"
  # JVM power flags for ARM64 (Cortex-A720). UseSVE is an integer flag, so it is
  # written -XX:UseSVE=1; the +/- prefix is only valid for boolean flags.
  JVM_OPTS_ARM64: "-XX:ActiveProcessorCount=12 -XX:+UseG1GC -XX:+UseTransparentHugePages -XX:UseSVE=1"

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - service: api-gateway
            context: .
            dockerfile: backend/infrastructure/gateway/Dockerfile
            image: api-gateway
          - service: ping-service
            context: .
            dockerfile: backend/services/ping/Dockerfile
            image: ping-service
          - service: web-app
            context: .
            dockerfile: config/docker/caddy/web-app/Dockerfile
            image: web-app
          - service: keycloak
            context: .
            dockerfile: config/docker/keycloak/Dockerfile
            image: keycloak

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Java setup (required for Gradle builds on the runner)
      - name: Set up JDK 25
        uses: actions/setup-java@v4
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: "temurin"
          cache: gradle

      # Gradle cache (speeds up subsequent builds massively)
      - name: Setup Gradle Cache
        uses: actions/cache@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      # Cache cleanup: removes inconsistent Node/Yarn caches that can cause mysterious build failures.
      # Background: git-clone warnings ("some refs were not updated") point to corrupt runner caches.
      # This step is idempotent: it never fails, even if the directories do not exist.
      - name: Cleanup stale build caches
        if: matrix.service == 'web-app'
        run: |
          echo "Cleaning stale Kotlin/JS and Node caches..."
          rm -rf frontend/shells/meldestelle-portal/build/js/node_modules/.cache || true
          rm -rf frontend/shells/meldestelle-portal/build/js/.yarn/cache || true
          rm -rf ~/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-compiler-embeddable || true
          echo "Cache cleanup done."

      - name: Build Frontend (Kotlin JS)
        if: matrix.service == 'web-app'
        run: |
          chmod +x gradlew
          ./gradlew :frontend:shells:meldestelle-portal:jsBrowserDistribution \
            -Pproduction=true \
            --max-workers=8 \
            -Dkotlin.daemon.jvm.options="-Xmx4g"

      # Pangolin bypass: configure the Docker daemon and buildkitd for the internal HTTP registry.
      # Problem: git.mo-code.at is served through Pangolin (HTTPS); large layer uploads time out (502).
      # Solution: push directly to 10.0.0.22:3000 (internal, HTTP). sudo tee works on the runner.
      # Caveat: an insecure registry means login credentials and image layers cross this network
      # segment without TLS, so the address must remain reachable only from inside it.
      - name: Configure Docker daemon for the internal registry (Pangolin bypass)
        run: |
          echo '{"insecure-registries":["10.0.0.22:3000"]}' | sudo tee /etc/docker/daemon.json
          sudo systemctl restart docker
          sleep 5
          echo "✓ Docker daemon configured: 10.0.0.22:3000 as insecure registry"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          config-inline: |
            [registry."10.0.0.22:3000"]
              http = true
              insecure = true

      - name: Log in to the internal registry (Pangolin bypass)
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY_INTERNAL }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_INTERNAL }}/${{ env.IMAGE_PREFIX }}/${{ matrix.image }}
          tags: |
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            type=sha,format=long

      # build-args are not shell-expanded by the action, so a literal $(date ...) would reach the
      # Dockerfile unchanged. Compute the timestamp in a shell step and pass it as a step output.
      - name: Record build date
        id: build_date
        run: echo "date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"

      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: ${{ matrix.context }}
          file: ${{ matrix.dockerfile }}
          push: true
          # Focus on ARM64 for Zora; AMD64 remains optional for compatibility
          platforms: linux/arm64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # Disable attestation manifests: avoids extra OAuth token requests
          # that can also fail with 502 on proxied registries (Pangolin)
          provenance: false
          sbom: false
          build-args: |
            DOCKER_BUILD_DATE=${{ steps.build_date.outputs.date }}
            VERSION=${{ github.sha }}
            GRADLE_VERSION=${{ env.GRADLE_VERSION }}
            JAVA_VERSION=${{ env.JAVA_VERSION }}
            KEYCLOAK_IMAGE_TAG=26.4
            JVM_OPTS_APPEND=${{ env.JVM_OPTS_ARM64 }}
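The daemon step above writes `/etc/docker/daemon.json` with `echo ... | sudo tee`, which silently replaces whatever the runner already had in that file. This added example (not part of the workflow or the project's code) shows an idempotent alternative for that step: it merges the entry into an existing configuration, accepts only private IP addresses such as `10.0.0.22:3000` for the insecure list, and reports whether a daemon restart is actually needed. The function names and the `daemon.json` path argument are my own.

```python
"""Merge an insecure-registry entry into Docker's daemon.json (added example,
not the project's own code).  Unlike `echo ... | sudo tee`, this keeps any
settings already in the file, only ever whitelists a private address, and
tells the caller whether the daemon actually needs a restart."""
import ipaddress
import json
from pathlib import Path


def is_private_registry(registry: str) -> bool:
    """True only for `ip:port` where ip is a private/loopback address.
    Hostnames are rejected: they can resolve to anything, and the insecure
    list disables TLS and certificate checks for whatever it names."""
    host, sep, port = registry.rpartition(":")
    if not sep or not port.isdigit():
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:  # not an IP literal
        return False


def add_insecure_registry(daemon_json: Path, registry: str) -> bool:
    """Add `registry` to insecure-registries, preserving all other keys.
    Returns True if the file changed (restart required), False if the
    registry was already listed (nothing to do)."""
    if not is_private_registry(registry):
        raise ValueError(f"refusing to mark non-private registry insecure: {registry}")
    config = json.loads(daemon_json.read_text()) if daemon_json.exists() else {}
    current = list(config.get("insecure-registries", []))
    if registry in current:
        return False
    config["insecure-registries"] = current + [registry]
    daemon_json.write_text(json.dumps(config, indent=2) + "\n")
    return True


if __name__ == "__main__":
    # Constructed sample: a runner that already has a log driver configured.
    sample = Path("daemon.sample.json")
    sample.write_text('{"log-driver": "json-file"}\n')
    print("restart needed:", add_insecure_registry(sample, "10.0.0.22:3000"))
    print(sample.read_text())
```

In the workflow step this would replace the `echo | tee` line, with `sudo systemctl restart docker` run only when the function returns True.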