name: Build Custom Authentik Image

# ADR-0002: infra-owned image built off-infra on GHA → ghcr.
# Thin SLOW-1a overlay over the official authentik server (narrows the login
# identification stage's select_subclasses() to the login-capable source subtypes;
# see stacks/authentik/Dockerfile). Rebuild only when the Dockerfile changes — on
# every authentik bump, edit the FROM tag + the patchN suffix here + the image tag
# in modules/authentik/values.yaml together.
on:
  push:
    branches: [master]
    paths:
      - 'stacks/authentik/Dockerfile'
  workflow_dispatch: {}

permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v6
        with:
          context: stacks/authentik
          platforms: linux/amd64
          provenance: false
          push: true
          tags: |
            ghcr.io/viktorbarzin/authentik-server:2026.2.4-patch3
            ghcr.io/viktorbarzin/authentik-server:latest