name: Build Docker Images

on:
  push:
    branches: [main]
    paths:
      - "sh/docker/**"
  schedule:
    # Daily: pick up new agent releases
    - cron: "0 6 * * *"
  workflow_dispatch:

permissions:
  packages: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        agent: [claude, codex, cursor, openclaw, opencode, kilocode, hermes, junie, pi]
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4

      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a  # v4

      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4

      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9  # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8  # v6
        with:
          context: .
          file: sh/docker/${{ matrix.agent }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ghcr.io/openrouterteam/spawn-${{ matrix.agent }}:latest

      # Verify the pushed manifest actually contains both architectures.
      # Catches regressions where setup-qemu/buildx gets dropped or the
      # platforms flag gets lost in a future refactor.
      - name: Verify multi-arch manifest
        run: |
          set -euo pipefail
          image="ghcr.io/openrouterteam/spawn-${{ matrix.agent }}:latest"
          echo "Inspecting $image"
          manifest="$(docker buildx imagetools inspect "$image")"
          echo "$manifest"
          for arch in linux/amd64 linux/arm64; do
            if ! grep -qF "$arch" <<< "$manifest"; then
              echo "::error::$image is missing $arch in the published manifest"
              exit 1
            fi
          done