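# Builds the nix CI toolchain image (.gitea/ci-image/Dockerfile) and pushes it
# to the Gitea registry. The gate (ci.yaml) runs *inside* this image, so this
# workflow is the gate's prerequisite. It only needs to run when the image's
# inputs change — the Dockerfile, the flake, or the toolchain pin — plus on
# manual dispatch.
#
# DinD pattern: plain docker:27-dind (one of the tested ci-test samples). No
# registry proxy here — the runner's containers have direct internet egress
# (the ci-probe run cloned github.com and pulled docker.io with no proxy), and
# this image's RUN steps fetch from apt + nixos.org, which the proxy isn't
# guaranteed to forward. The dind-cached:local + REGISTRY_PROXY_HOST variant is
# a later speed optimisation for base-image pull caching, not needed for green.
#
# Supply-chain note: the image pushed here is the environment the gate runs
# in, so whoever can trigger this workflow or reach its docker daemon can
# influence every later gate run. The comments below mark the trust decisions.
name: build-ci-image

on:
  push:
    # NOTE(review): no `branches:` filter is set, so a push to any branch that
    # touches one of these paths rebuilds and overwrites `:latest`. If
    # non-protected branches can push to this repository, consider limiting
    # the trigger to the protected branch — confirm against repo settings.
    paths:
      - '.gitea/ci-image/Dockerfile'
      - 'flake.nix'
      - 'flake.lock'
      - 'rust-toolchain.toml'
      - '.gitea/workflows/build-ci-image.yaml'
  workflow_dispatch:

jobs:
  build:
    runs-on: ci-public
    services:
      docker:
        image: docker:27-dind
        # --privileged is what the dind image needs to run a nested daemon.
        options: --privileged
        env:
          # An empty DOCKER_TLS_CERTDIR turns off TLS in the dind image, so the
          # daemon listens unauthenticated on plaintext tcp/2375. Anything that
          # can reach that port controls a privileged daemon; this presumably
          # relies on the service network being private to this job — verify
          # on the runner.
          DOCKER_TLS_CERTDIR: ""
    env:
      DOCKER_HOST: tcp://docker:2375
      IMAGE: git.lazyeval.net/oli/rdbms-playground-ci
    steps:
      # NOTE(review): `v4` is a mutable tag. Pinning to a full commit SHA
      # (actions/checkout@<FULL_COMMIT_SHA>) keeps the checkout code fixed for
      # a job that later handles registry credentials.
      - uses: actions/checkout@v4

      - name: wait for docker
        # Bounded wait: fail with a clear message instead of spinning until
        # the runner's own job timeout if the dind service never comes up.
        run: |
          tries=0
          until docker version >/dev/null 2>&1; do
            tries=$((tries + 1))
            if [ "$tries" -ge 120 ]; then
              echo "docker daemon not reachable at $DOCKER_HOST after 120s" >&2
              exit 1
            fi
            sleep 1
          done

      - name: registry login
        # Secrets are handed over as environment variables rather than being
        # expanded by ${{ }} into the script text: the shell then never parses
        # the secret value, so quotes, `$` or backticks inside it cannot break
        # or alter the command. --password-stdin keeps the token out of argv.
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" \
            | docker login git.lazyeval.net -u "$REGISTRY_USERNAME" --password-stdin

      - name: build
        run: docker build -f .gitea/ci-image/Dockerfile -t "$IMAGE:latest" .

      - name: push
        # NOTE(review): `:latest` is the only tag and it is mutable, so a gate
        # run cannot tell which build it is executing in. Consider also
        # pushing an immutable tag (for example the commit SHA) and having
        # ci.yaml reference the image by that tag or by digest.
        run: docker push "$IMAGE:latest"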