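# Reusable workflow: builds the arm64 Kata static tarball through the called
# build workflow, then builds and pushes the kata-deploy payload image to
# ghcr.io and quay.io, tagged "<tag>-<target-arch>".
name: Publish Kata release artifacts for arm64
on:
  workflow_call:
    inputs:
      target-arch:
        required: true
        type: string
    secrets:
      QUAY_DEPLOYER_PASSWORD:
        required: true
      KBUILD_SIGN_PIN:
        required: true

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-release-arm64
  # Don't cancel an in-progress build, as we could end up with inconsistent
  # results (e.g. only some of the registries/tags updated).
  cancel-in-progress: false

# Drop every default GITHUB_TOKEN scope at workflow level; each job below
# opts in to exactly the scopes it lists.
permissions: {}

jobs:
  build-kata-static-tarball-arm64:
    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
    with:
      # Quoted so the value stays the string "yes" under every YAML loader
      # (YAML 1.1 parsers and linters read a bare yes as boolean true).
      # Presumably the called workflow compares it as a string - confirm.
      push-to-registry: "yes"
      stage: release
    secrets:
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
    # A called workflow cannot exceed the scopes granted here.
    # NOTE(review): id-token/attestations write look like they are for
    # artifact attestation in the called workflow - confirm there.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write

  kata-deploy:
    name: kata-deploy
    needs: build-kata-static-tarball-arm64
    # packages: write is what allows GITHUB_TOKEN to push to ghcr.io below.
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-24.04-arm
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # version comment is informational and must be updated with the SHA.
      - name: Login to Kata Containers ghcr.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Kata Containers quay.io
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in the checkout's git config; the steps
          # below only need the working tree, not git push access.
          persist-credentials: false

      # NOTE(review): the tarball is consumed as downloaded. The build job
      # is granted attestations: write, so if it records provenance for
      # this artifact, verifying it here before publishing would tie the
      # pushed images to that build - confirm against the called workflow.
      - name: get-kata-tarball
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: kata-static-tarball-arm64

      - name: build-and-push-kata-deploy-ci-arm64
        id: build-and-push-kata-deploy-ci-arm64
        env:
          # The workflow input reaches the script as an environment variable
          # rather than being expanded into the script text, so its value is
          # never parsed as shell code.
          TARGET_ARCH: ${{ inputs.target-arch }}
        run: |
          # $GITHUB_REF has the form "refs/tags/<tag>" (or
          # "refs/heads/<branch>"), so keep everything after the second "/".
          tag=$(echo "$GITHUB_REF" | cut -d/ -f3-)
          if [ "${tag}" = "main" ]; then
            # On main, publish under the release version and also "latest".
            tag=$(./tools/packaging/release/release.sh release-version)
            tags=("${tag}" "latest")
          else
            tags=("${tag}")
          fi
          # Push the same payload to both registries for every tag.
          for tag in "${tags[@]}"; do
            ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
              "$(pwd)"/kata-static.tar.zst "ghcr.io/kata-containers/kata-deploy" \
              "${tag}-${TARGET_ARCH}"
            ./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
              "$(pwd)"/kata-static.tar.zst "quay.io/kata-containers/kata-deploy" \
              "${tag}-${TARGET_ARCH}"
          done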