name: Build chrome-service-novnc

# ADR-0002: infra-owned image built off-infra on GHA → ghcr (public).
# Source Dockerfile identical on both git remotes, so the github checkout builds
# the current image. Rebuilds are rare (stable noVNC proxy) → dispatch + path.
on:
  push:
    branches: [master]
    paths:
      - 'stacks/chrome-service/files/novnc/**'
  workflow_dispatch: {}

permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: stacks/chrome-service/files/novnc
          platforms: linux/amd64
          provenance: false
          push: true
          tags: |
            ghcr.io/viktorbarzin/chrome-service-novnc:latest
            ghcr.io/viktorbarzin/chrome-service-novnc:${{ github.sha }}