name: Run the CoCo Kata Containers Stability CI
on:
  workflow_call:
    inputs:
      commit-hash:
        required: true
        type: string
      pr-number:
        required: true
        type: string
      tag:
        required: true
        type: string
      target-branch:
        required: false
        type: string
        default: ""

jobs:
  build-kata-static-tarball-amd64:
    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}

  publish-kata-deploy-payload-amd64:
    needs: build-kata-static-tarball-amd64
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
      registry: ghcr.io
      repo: ${{ github.repository_owner }}/kata-deploy-ci
      tag: ${{ inputs.tag }}-amd64
      commit-hash: ${{ inputs.commit-hash }}
      target-branch: ${{ inputs.target-branch }}
      runner: ubuntu-22.04
      arch: amd64
    secrets: inherit

  build-and-publish-tee-confidential-unencrypted-image:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          ref: ${{ inputs.commit-hash }}
          fetch-depth: 0

      - name: Rebase atop of the latest target branch
        run: |
          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

      - name: Login to Kata Containers ghcr.io
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker build and push
        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
        with:
          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
          push: true
          context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/
          platforms: linux/amd64
          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile

  run-kata-coco-stability-tests:
    needs: [publish-kata-deploy-payload-amd64, build-and-publish-tee-confidential-unencrypted-image]
    uses: ./.github/workflows/run-kata-coco-stability-tests.yaml
    with:
      registry: ghcr.io
      repo: ${{ github.repository_owner }}/kata-deploy-ci
      tag: ${{ inputs.tag }}-amd64
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
      tarball-suffix: -${{ inputs.tag }}
    secrets: inherit