name: Deploy Production

on:
  push:
    tags: ["v*"]
  workflow_dispatch:

jobs:
  deploy:
    if: ${{ github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') }}
    runs-on: ubuntu-latest
    env:
      NODE_MAJOR: "22"
      YARN_VERSION: "stable"
      DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
      DEPLOY_PORT: ${{ vars.DEPLOY_PORT }}
      DEPLOY_USER: ${{ vars.DEPLOY_USER }}
      DEPLOY_PATH: ${{ vars.DEPLOY_PATH }}
      IMAGE_REPO: ${{ vars.IMAGE_REPO }}
      REGISTRY: ${{ vars.REGISTRY }}

    steps:
      - name: Prepare workspace (checkout + node/yarn)
        run: |
          set -euo pipefail
          chmod +x .gitea/scripts/prepare-workspace.sh
          ./.gitea/scripts/prepare-workspace.sh \
            "${{ github.server_url }}/${{ github.repository }}.git" \
            "${{ github.sha }}"

      - name: Setup SSH
        run: |
          set -euo pipefail
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh-keyscan -p "${DEPLOY_PORT:-22}" "${DEPLOY_HOST}" >> ~/.ssh/known_hosts

      - name: Prepare image tag
        run: |
          set -euo pipefail
          if [[ "${GITHUB_REF:-}" == refs/tags/* ]]; then
            IMAGE_TAG="${GITHUB_REF_NAME}"
          else
            IMAGE_TAG="${GITHUB_SHA:0:12}"
          fi
          echo "IMAGE_TAG=${IMAGE_TAG}" >> "$GITHUB_ENV"

      - name: Build and push image
        run: |
          set -euo pipefail
          if [ -z "${REGISTRY}" ] || [ -z "${IMAGE_REPO}" ]; then
            echo "REGISTRY and IMAGE_REPO vars are required"
            exit 1
          fi

          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login "${REGISTRY}" -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker build -f deploy/docker/Dockerfile -t "${IMAGE_REPO}:${IMAGE_TAG}" .
          docker push "${IMAGE_REPO}:${IMAGE_TAG}"

      - name: Deploy
        run: |
          set -euo pipefail
          ssh -p "${DEPLOY_PORT:-22}" "${DEPLOY_USER}@${DEPLOY_HOST}" <<EOF
          set -euo pipefail
          cd "${DEPLOY_PATH}"

          mkdir -p deploy/docker
          cat > deploy/docker/.env <<EOT
          ${{ vars.DEPLOY_DOCKER_ENV }}
          IMAGE_REPO=${IMAGE_REPO}
          IMAGE_TAG=${IMAGE_TAG}
          EOT

          echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login "${REGISTRY}" -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
          docker compose -f deploy/docker/docker-compose.yml --env-file deploy/docker/.env pull app
          docker compose -f deploy/docker/docker-compose.yml --env-file deploy/docker/.env up -d app
          docker compose -f deploy/docker/docker-compose.yml ps
          curl -fsS "http://127.0.0.1:\${HOST_BIND_PORT:-3000}/api/docs" >/dev/null
          EOF