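---
# Build the code-crispies image, push it to the registry and roll it out over SSH.
#
# Required repository secrets:
#   REGISTRY                git.librete.ch
#   REGISTRY_USER           libretech (user-namespace packages — bot can't push)
#   REGISTRY_PASS           libretech-user PAT scoped write:package
#   DEPLOY_HOST             user@your-deploy-host
#   DEPLOY_KEY              passphrase-less private key on netcup root authorized_keys
#   DEPLOY_PATH             /srv/cc
#   HEALTH_URL              https://cc.cloud.librete.ch/
#   VITE_SUPABASE_URL       public; baked at build time
#   VITE_SUPABASE_ANON_KEY  public-by-design supabase anon key; baked at build time
#
# Optional repository secret:
#   DEPLOY_KNOWN_HOSTS      `ssh-keyscan <host>` output for DEPLOY_HOST. When set, the
#                           host key is verified strictly; when unset the job falls back
#                           to accept-new, which on a fresh runner container is
#                           trust-on-first-use on EVERY run (no MITM protection).
#
# Required repository variable:
#   DEPLOY_ENABLED  "true" to enable
#
# Notes for whoever operates this:
#   - REGISTRY, DEPLOY_HOST, DEPLOY_PATH and HEALTH_URL are not sensitive; keeping
#     them as secrets only masks them in logs, which makes failed runs harder to read.
#     They could live in repository variables instead.
#   - The deploy key lands in root's authorized_keys on the host. Consider a dedicated
#     deploy user, or at least `restrict,command="..."` on that authorized_keys entry,
#     since anything that obtains DEPLOY_KEY gets an unrestricted root shell.
#   - `uses:` references below are pinned to major tags, not commit SHAs; pin to SHAs
#     if the forge resolves them from an upstream you do not control.
#
# Image: git.librete.ch/public/code-crispies
#   main pushes → :main + :sha-<short>
#   tag pushes  → :<tag> + :latest

name: Deploy

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
    tags: ["v*"]

# The workflow token is only used by actions/checkout; nothing here writes to the repo.
permissions:
  contents: read

# Two pushes in quick succession must not run `git pull` / `compose up` on the host
# concurrently. Queue them instead of cancelling: a cancelled run could leave the host
# half-updated. (Ignored by runners that do not implement concurrency groups.)
concurrency:
  group: deploy-${{ github.repository }}
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    container:
      # Pinned by digest; the tag is informational once a digest is present.
      # NOTE(review): the original reference read `runner-image:v0.1.0:<digest>`, which is
      # not a valid image reference — the digest must be introduced with `@sha256:`.
      image: git.librete.ch/public/runner-image:v0.1.0@sha256:9d1e204fe8e06b7d16cdc8da0c7077fa4171daef62099cc8c09993834e576ca5
    timeout-minutes: 20
    if: ${{ vars.DEPLOY_ENABLED == 'true' }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ${{ secrets.REGISTRY }}
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASS }}

      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ secrets.REGISTRY }}/public/code-crispies
          tags: |
            type=ref,event=branch
            type=ref,event=tag
            type=sha,format=short
            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') }}

      - uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          # Build args are recorded in the image config/history and are readable by
          # anyone who can pull the image. Acceptable here only because both values
          # are public by design — never route a real secret through build-args.
          build-args: |
            VITE_SUPABASE_URL=${{ secrets.VITE_SUPABASE_URL }}
            VITE_SUPABASE_ANON_KEY=${{ secrets.VITE_SUPABASE_ANON_KEY }}

      - name: Deploy to host
        # bash explicitly: the script relies on arrays, `pipefail` and `trap`.
        shell: bash
        env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
          DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }}
          HEALTH_URL: ${{ secrets.HEALTH_URL }}
        run: |
          set -euo pipefail
          umask 077

          # DEPLOY_PATH is spliced into a single-quoted remote command below; a quote
          # inside it would break out of that quoting, so reject it up front.
          case "$DEPLOY_PATH" in
            *\'*) echo "DEPLOY_PATH must not contain a single quote" >&2; exit 1 ;;
          esac

          mkdir -p ~/.ssh && chmod 700 ~/.ssh
          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/id_deploy
          chmod 600 ~/.ssh/id_deploy
          # Drop the private key as soon as this step ends, success or failure.
          trap 'rm -f ~/.ssh/id_deploy' EXIT

          ssh_opts=(-i ~/.ssh/id_deploy -o BatchMode=yes)
          if [ -n "${DEPLOY_KNOWN_HOSTS:-}" ]; then
            # Strict verification against the operator-supplied host key.
            printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts
            chmod 600 ~/.ssh/known_hosts
            ssh_opts+=(-o StrictHostKeyChecking=yes)
          else
            # accept-new on an ephemeral runner is TOFU on every run: the "first use"
            # is always now. Keep the old behaviour, but make the gap visible.
            echo "::warning::DEPLOY_KNOWN_HOSTS is not set; the deploy host key is not verified"
            ssh_opts+=(-o StrictHostKeyChecking=accept-new)
          fi

          ssh "${ssh_opts[@]}" \
            "$DEPLOY_HOST" \
            "set -e
             cd '$DEPLOY_PATH'
             git pull --ff-only
             docker compose pull
             docker compose up -d --remove-orphans"

          # Wait up to 60s for the cc vhost to return a 200. --max-time keeps a hung
          # connection from silently consuming the whole window on a single attempt.
          for _ in $(seq 1 12); do
            curl -fsS --max-time 10 -o /dev/null "$HEALTH_URL" && exit 0
            sleep 5
          done
          echo "deploy health check failed" >&2
          exit 1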