name: Build & publish docker images

on:
  push:
    branches:
      - "master"
      - "[0-9].[0-9]*"
  pull_request:
    branches:
      - "master"

permissions:
  contents: read
  pull-requests: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

jobs:
  changes:
    runs-on: ubuntu-24.04
    timeout-minutes: 10
    permissions:
      contents: read
      pull-requests: read
    outputs:
      python: ${{ steps.check.outputs.python }}
      frontend: ${{ steps.check.outputs.frontend }}
      docker: ${{ steps.check.outputs.docker }}
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Check for file changes
        id: check
        uses: ./.github/actions/change-detector/
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

  setup_matrix:
    runs-on: ubuntu-24.04
    timeout-minutes: 5
    outputs:
      matrix_config: ${{ steps.set_matrix.outputs.matrix_config }}
    steps:
      - id: set_matrix
        run: |
          MATRIX_CONFIG=$(if [ "${{ github.event_name }}" == "pull_request" ]; then echo '["dev", "lean"]'; else echo '["dev", "lean", "py310", "websocket", "dockerize", "py311", "py312"]'; fi)
          echo "matrix_config=${MATRIX_CONFIG}" >> $GITHUB_OUTPUT
          echo $GITHUB_OUTPUT

  docker-build:
    name: docker-build
    needs: [setup_matrix, changes]
    if: >-
      needs.changes.outputs.python == 'true' ||
      needs.changes.outputs.frontend == 'true' ||
      needs.changes.outputs.docker == 'true'
    runs-on: ubuntu-24.04
    timeout-minutes: 60
    strategy:
      matrix:
        build_preset: ${{fromJson(needs.setup_matrix.outputs.matrix_config)}}
      fail-fast: false
    env:
      DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
      IMAGE_TAG: apache/superset:GHA-${{ matrix.build_preset }}-${{ github.run_id }}

    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Setup Docker Environment
        uses: ./.github/actions/setup-docker
        with:
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
          build: "true"

      - name: Setup supersetbot
        uses: ./.github/actions/setup-supersetbot/

      - name: Build Docker Image
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BUILD_PRESET: ${{ matrix.build_preset }}
        run: |
          # Single platform builds in pull_request context to speed things up
          if [ "$GITHUB_EVENT_NAME" = "push" ]; then
            PLATFORM_ARG="--platform linux/arm64 --platform linux/amd64"
            # can only --load images in single-platform builds
            PUSH_OR_LOAD="--push"
          elif [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
            PLATFORM_ARG="--platform linux/amd64"
            PUSH_OR_LOAD="--load"
          fi

          supersetbot docker \
            $PUSH_OR_LOAD \
            --preset "$BUILD_PRESET" \
            --context "$EVENT" \
            --context-ref "$RELEASE" $FORCE_LATEST \
            --extra-flags "--build-arg INCLUDE_CHROMIUM=false --tag $IMAGE_TAG" \
            $PLATFORM_ARG

      # in the context of push (using multi-platform build), we need to pull the image locally
      - name: Docker pull
        if: github.event_name == 'push'
        run: |
          for i in 1 2 3; do
            docker pull $IMAGE_TAG && break
            [ $i -lt 3 ] && sleep 30
          done

      - name: Print docker stats
        run: |
          echo "SHA: ${{ github.sha }}"
          echo "IMAGE: $IMAGE_TAG"
          docker images $IMAGE_TAG
          docker history $IMAGE_TAG

      - name: docker-compose sanity check
        if: matrix.build_preset == 'dev'
        shell: bash
        env:
          BUILD_PRESET: ${{ matrix.build_preset }}
        run: |
          export SUPERSET_BUILD_TARGET=$BUILD_PRESET
          # This should reuse the CACHED image built in the previous steps
          docker compose build superset-init --build-arg DEV_MODE=false --build-arg INCLUDE_CHROMIUM=false
          docker compose up superset-init --exit-code-from superset-init

  docker-compose-image-tag:
    # Run this job only on pushes to master (not for PRs)
    # goal is to check that building the latest image works, not required for all PR pushes
    needs: changes
    if: github.event_name == 'push' && github.ref == 'refs/heads/master' && needs.changes.outputs.docker == 'true'
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    steps:
      - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Setup Docker Environment
        uses: ./.github/actions/setup-docker
        with:
          dockerhub-user: ${{ secrets.DOCKERHUB_USER }}
          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}
          build: "false"
          install-docker-compose: "true"
      - name: docker-compose sanity check
        shell: bash
        run: |
          docker compose -f docker-compose-image-tag.yml up superset-init --exit-code-from superset-init