name: Build and Deploy

on:
  workflow_run:
    workflows: [CI]
    types: [completed]
    branches: [main]
  workflow_dispatch:

env:
  REGISTRY: ${{ vars.REGISTRY || '10.100.0.2:3000' }}
  IMAGE_NAME: ${{ github.repository }}
  RESOLVED_SHA: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
  RESOLVED_REF: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_branch || github.ref_name }}

jobs:
  build:
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
    runs-on: [linux, docker]
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ env.RESOLVED_SHA }}
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          registry: docker.io
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker
      - name: Login to Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.REGISTRY_PASSWORD || secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RESOLVED_SHA }}
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
          provenance: false

  deploy:
    runs-on: [linux, docker]
    needs: build
    if: |
      github.event_name == 'workflow_dispatch' ||
      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main')
    container:
      image: catthehacker/ubuntu:act-latest
      env:
        DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
        DEPLOY_USER: ${{ vars.DEPLOY_USER || 'deploy' }}
        DEPLOY_PORT: ${{ vars.DEPLOY_PORT || '22' }}
        DEPLOY_PATH: ${{ vars.DEPLOY_PATH || '/opt/vault-dash' }}
        DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
        APP_IMAGE: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.RESOLVED_SHA }}
        APP_ENV: production
        APP_NAME: Vault Dashboard
        APP_PORT: "8000"
        TURNSTILE_SITE_KEY: ${{ vars.TURNSTILE_SITE_KEY }}
        TURNSTILE_SECRET_KEY: ${{ secrets.TURNSTILE_SECRET_KEY }}
        DATABENTO_API_KEY: ${{ secrets.DATABENTO_API_KEY }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ env.RESOLVED_SHA }}

      - name: Install dependencies
        run: |
          apt-get update && apt-get install -y bash openssh-client curl
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh

      - name: Setup SSH key
        run: |
          # Handle base64-encoded key (recommended) or raw key
          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          if echo "$DEPLOY_SSH_PRIVATE_KEY" | base64 -d > ~/.ssh/id_ed25519 2>/dev/null; then
            echo "Decoded base64 key"
          else
            printf '%s\n' "$DEPLOY_SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          fi
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -p "${DEPLOY_PORT:-22}" "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true

      - name: Deploy
        run: |
          test -n "$DEPLOY_HOST" || (echo "DEPLOY_HOST must be set" && exit 1)
          test -n "$DEPLOY_SSH_PRIVATE_KEY" || (echo "DEPLOY_SSH_PRIVATE_KEY must be set" && exit 1)
          bash scripts/deploy-actions.sh