stages:
  - build

variables:
  DOCKER_TLS_CERTDIR: "/certs"
  DOCKER_DRIVER: overlay2
  IMAGE: "$CI_REGISTRY_IMAGE"

build_and_push_image:
  stage: build
  image: docker:27
  services:
    - name: docker:27-dind
      command: ["--mtu=1460"]
  rules:
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH
  before_script:
    - docker info
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    - docker build --pull -t "$IMAGE:sha-$CI_COMMIT_SHORT_SHA" .
    - docker push "$IMAGE:sha-$CI_COMMIT_SHORT_SHA"

    # Tag/push "latest" only on default branch
    - |
      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
        docker tag "$IMAGE:sha-$CI_COMMIT_SHORT_SHA" "$IMAGE:latest"
        docker push "$IMAGE:latest"
      fi

    # If this pipeline runs on a Git tag, also push the tag name as an image tag
    - |
      if [ -n "$CI_COMMIT_TAG" ]; then
        docker tag "$IMAGE:sha-$CI_COMMIT_SHORT_SHA" "$IMAGE:$CI_COMMIT_TAG"
        docker push "$IMAGE:$CI_COMMIT_TAG"
      fi

    # Optional: export image as GitLab job artifact (tarball)
    - docker save "$IMAGE:sha-$CI_COMMIT_SHORT_SHA" -o image.tar
  artifacts:
    when: always
    expire_in: 7 days
    paths:
      - image.tar