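---
# Deployment CI/CD for Gitea Actions.
#
# Two jobs:
#   validate – syntax-checks scripts/deploy.sh and docker-compose.yml for every
#              push to main and every pull request. It deliberately never
#              *executes* repository code (only `bash -n` and a YAML safe_load),
#              so it is safe to run on the shared deploy runner for PRs.
#   deploy   – only for pushes to main; opens an SSH session to the deploy host
#              and runs the remote scripts/deploy.sh.
name: Deployment CI/CD

# `on` is a YAML 1.1 boolean-looking key; the Actions loader handles it, but
# generic YAML tooling may read it as `true`.
on:
  push:
    branches:
      - main
  pull_request:

# Workflow token: read-only access is all the checkout step needs.
permissions:
  contents: read

jobs:
  validate:
    runs-on: qlockify-deploy
    steps:
      - name: Install dependencies
        run: |
          apt-get update
          apt-get install -y --no-install-recommends bash ca-certificates git python3 python3-yaml

      # Manual shallow checkout of the exact commit under test. The token is
      # passed per-command via `-c http.extraHeader` so it is never persisted
      # in .git/config on the runner.
      - name: Checkout repository
        env:
          REPO_URL: ${{ gitea.server_url }}/${{ gitea.repository }}.git
          REPO_SHA: ${{ gitea.sha }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          WORKSPACE: ${{ gitea.workspace }}
        run: |
          # Fail early with a clear message instead of an opaque auth error.
          : "${GITEA_TOKEN:?GITEA_TOKEN secret is not set}"
          : "${REPO_SHA:?gitea.sha is empty}"
          mkdir -p "$WORKSPACE"
          cd "$WORKSPACE"
          git init
          git remote add origin "$REPO_URL"
          git -c http.extraHeader="Authorization: Bearer $GITEA_TOKEN" fetch --depth 1 origin "$REPO_SHA"
          git checkout --detach FETCH_HEAD

      # Parse-only check; the script is not executed here.
      - name: Validate deployment script
        working-directory: ${{ gitea.workspace }}
        run: bash -n scripts/deploy.sh

      # safe_load (never yaml.load) so a crafted compose file cannot
      # instantiate arbitrary Python objects on the runner.
      - name: Validate docker-compose.yml syntax
        working-directory: ${{ gitea.workspace }}
        run: |
          python3 - <<'PY'
          from pathlib import Path
          import yaml

          path = Path("docker-compose.yml")
          data = yaml.safe_load(path.read_text(encoding="utf-8"))
          assert isinstance(data, dict), "docker-compose.yml must contain a mapping at the top level"
          assert "services" in data, "docker-compose.yml must define services"
          # A bare `services:` key parses as None; require an actual mapping.
          assert isinstance(data["services"], dict), "docker-compose.yml services must be a mapping"
          PY

  deploy:
    # NOTE(review): the rest of the file uses the `gitea.*` context; Gitea's
    # runner is expected to treat `github.*` as an alias of it, but if the
    # gate ever stops matching, switch these two references to `gitea.*`.
    if: github.event_name == 'push' && github.ref_name == 'main'
    needs:
      - validate
    runs-on: qlockify-deploy
    steps:
      - name: Install SSH client
        run: |
          apt-get update
          apt-get install -y --no-install-recommends bash openssh-client

      # Materialises the deploy key and the pinned host key on the runner.
      # The matching cleanup step below removes them again even on failure.
      - name: Configure SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
        run: |
          # Refuse to continue with an empty key/known_hosts: an empty
          # known_hosts would otherwise silently turn host pinning into a
          # trust-on-first-use prompt that BatchMode then fails on.
          : "${SSH_PRIVATE_KEY:?SSH_PRIVATE_KEY secret is not set}"
          : "${SSH_KNOWN_HOSTS:?SSH_KNOWN_HOSTS secret is not set}"
          umask 077
          install -m 700 -d ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          printf '%s\n' "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts

      - name: Deploy updated infrastructure
        env:
          DEPLOY_HOST: ${{ vars.DEPLOY_HOST }}
          DEPLOY_PORT: ${{ vars.DEPLOY_PORT }}
          DEPLOY_USER: ${{ vars.DEPLOY_USER }}
          DEPLOY_PATH: ${{ vars.DEPLOY_PATH }}
          DEPLOY_BRANCH: ${{ vars.DEPLOY_BRANCH }}
          BACKEND_BRANCH: ${{ vars.BACKEND_BRANCH }}
          FRONTEND_BRANCH: ${{ vars.FRONTEND_BRANCH }}
        run: |
          : "${DEPLOY_HOST:?DEPLOY_HOST variable is not set}"
          : "${DEPLOY_USER:?DEPLOY_USER variable is not set}"
          : "${DEPLOY_PATH:?DEPLOY_PATH variable is not set}"

          # Build the remote command with printf %q so that a value containing
          # quotes or whitespace cannot break out of the command string (the
          # previous hand-written '...' wrapping did not survive a literal ').
          # %q emits backslash/quote escaping for ordinary values; a value
          # with control characters would be rendered as $'...', which a
          # non-bash remote login shell may not accept.
          remote_cmd=$(printf 'DEPLOY_ROOT=%q DEPLOY_BRANCH=%q BACKEND_BRANCH=%q FRONTEND_BRANCH=%q bash %q deployment' \
            "$DEPLOY_PATH" "$DEPLOY_BRANCH" "$BACKEND_BRANCH" "$FRONTEND_BRANCH" \
            "$DEPLOY_PATH/scripts/deploy.sh")

          # BatchMode: never prompt (no passphrase/password fallback).
          # StrictHostKeyChecking=yes: the host key MUST already be in the
          # pinned known_hosts written above; an unknown or changed key aborts
          # instead of being accepted on first use.
          # NOTE(review): the deploy.sh that runs is the copy already present
          # on the remote host, not the one validated in the `validate` job.
          ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -p "${DEPLOY_PORT:-22}" "${DEPLOY_USER}@${DEPLOY_HOST}" "$remote_cmd"

      # Always scrub the private key from the self-hosted runner, including
      # when the deploy step fails, so it does not outlive the job.
      - name: Remove SSH credentials from runner
        if: always()
        run: rm -f ~/.ssh/id_ed25519 ~/.ssh/known_hosts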