name: Build and Deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  REGISTRY: ${{ vars.REGISTRY || '10.100.0.2:3000' }}
  IMAGE_NAME: ${{ github.repository }}

jobs:
  lint:
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install ruff black
      - name: Run ruff
        run: ruff check app tests scripts
      - name: Run black
        run: black --check app tests scripts

  test:
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements-dev.txt
      - name: Run tests
        run: pytest -q tests -v

  type-check:
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install mypy
          pip install -r requirements.txt
      - name: Run mypy
        run: mypy app scripts --ignore-missing-imports

  build:
    runs-on: docker
    needs: [lint, test, type-check]
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
          provenance: false

  deploy:
    runs-on: docker
    needs: build
    if: github.ref == 'refs/heads/main'
    container:
      image: catthehacker/ubuntu:act-latest
    env:
      DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
      DEPLOY_USER: ${{ secrets.DEPLOY_USER || 'deploy' }}
      DEPLOY_PORT: ${{ secrets.DEPLOY_PORT || '22' }}
      DEPLOY_PATH: ${{ secrets.DEPLOY_PATH || '/opt/vault-dash' }}
      DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
      APP_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
      APP_ENV: production
      APP_NAME: Vault Dashboard
      APP_PORT: "8000"
    steps:
      - uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          apt-get update && apt-get install -y bash openssh-client curl docker.io docker-compose
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh

      - name: Setup SSH key
        run: |
          printf '%s' "$DEPLOY_SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -p "${DEPLOY_PORT:-22}" "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Deploy
        run: |
          test -n "$DEPLOY_HOST" || (echo "DEPLOY_HOST must be set" && exit 1)
          test -n "$DEPLOY_SSH_PRIVATE_KEY" || (echo "DEPLOY_SSH_PRIVATE_KEY must be set" && exit 1)
          bash scripts/deploy-forgejo.sh