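# Mirrors upstream container images (golang, localstack) and the Trivy
# vulnerability databases into the repository owner's ghcr.io namespace.
# Runs nightly, on every push to main, and on manual dispatch.
#
# Supply-chain note: the upstream references copied below are mutable tags.
# Each run republishes whatever the tag resolves to at that moment; no digest
# or signature is checked before the push. Consumers that need reproducible
# inputs should reference the mirrored artifacts by digest.
name: 'Sync images and artifacts to ghcr'

on:
  schedule:
    - cron: '30 1 * * *'
  push:
    branches:
      - main
  workflow_dispatch:

# Default token scope for any job that has no permissions block of its own.
# Every job below declares one, and a job-level block replaces this default
# entirely, so only the scopes listed per job are granted.
permissions: read-all

jobs:
  sync-golang:
    name: 'golang'
    permissions:
      contents: read
      # Needed to push to ghcr.io with GITHUB_TOKEN.
      packages: write
    strategy:
      matrix:
        golang_version:
          - "1.25"
          - "1.26"
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GitHub Docker Registry
        # Third-party action pinned to a full commit SHA; the trailing
        # comment records the release it corresponds to.
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Tag and push golang to ghcr
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the shell always treats the value as data.
          GOLANG_VERSION: ${{ matrix.golang_version }}
        run: |
          # Registry repository names must be lowercase; the owner login may
          # contain uppercase characters, so normalise it before use.
          src="golang:${GOLANG_VERSION}"
          dst="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/golang:${GOLANG_VERSION}"
          docker pull "${src}"
          docker tag "${src}" "${dst}"
          docker push "${dst}"

  sync-trivy:
    name: 'trivy-db'
    permissions:
      # Needed for the checkout step.
      contents: read
      # Needed to push to ghcr.io with GITHUB_TOKEN.
      packages: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Only the Makefile is checked out; it provides the oras target
          # used in the next step.
          sparse-checkout: |
            Makefile
          sparse-checkout-cone-mode: false
          # Do not leave the token in the local git config; later steps run
          # a tool obtained by the Makefile target.
          persist-credentials: false
      - name: Copy trivy-db using oras cli
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # setup oras
          # NOTE(review): the recipe for this target is not visible here;
          # confirm it pins the oras version and verifies what it downloads.
          make "$PWD/hack/tools/bin/oras"
          export PATH=$PATH:$PWD/hack/tools/bin
          test -n "${GHCR_TOKEN}" || { echo "Missing GHCR token"; exit 1; }
          # The token is fed on stdin so it never appears in the process
          # argument list.
          echo "${GHCR_TOKEN}" | oras login -u "${GITHUB_ACTOR}" --password-stdin ghcr.io
          # Registry repository names must be lowercase.
          dst="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}"
          oras copy ghcr.io/aquasecurity/trivy-db:2 "${dst}/trivy-db:2"
          oras copy ghcr.io/aquasecurity/trivy-db:latest "${dst}/trivy-db:latest"
          oras copy ghcr.io/aquasecurity/trivy-java-db:1 "${dst}/trivy-java-db:1"

  sync-localstack:
    name: 'localstack'
    permissions:
      contents: read
      # Needed to push to ghcr.io with GITHUB_TOKEN.
      packages: write
    strategy:
      matrix:
        localstack_version:
          - "3.3.0"
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Tag and push localstack to ghcr
        env:
          # Passed through the environment rather than expanded into the
          # script text, so the shell always treats the value as data.
          LOCALSTACK_VERSION: ${{ matrix.localstack_version }}
        run: |
          # Registry repository names must be lowercase; the owner login may
          # contain uppercase characters, so normalise it before use.
          src="localstack/localstack:${LOCALSTACK_VERSION}"
          dst="ghcr.io/${GITHUB_REPOSITORY_OWNER,,}/ci-images/localstack:${LOCALSTACK_VERSION}"
          docker pull "${src}"
          docker tag "${src}" "${dst}"
          docker push "${dst}"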