name: CD

on:
  push:
    branches: [main]
    tags: ["v*"]
  pull_request:
    branches: [main]

env:
  IMAGE: __PROJECT_NAME__

jobs:
  check:
    name: Lint / Test / Vet
    runs-on: self-hosted
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache: false

      - name: Install toolchain
        run: |
          go version
          go install github.com/a-h/templ/cmd/templ@latest
          curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh \
            | sh -s -- -b "$(go env GOPATH)/bin" v2.11.4

      - name: Run checks
        run: task check

  build:
    name: Build & Import
    needs: check
    runs-on: self-hosted
    if: github.event_name != 'pull_request'
    outputs:
      image-tag: ${{ steps.meta.outputs.sha-tag }}
    steps:
      - uses: actions/checkout@v4

      - name: Derive image tags
        id: meta
        run: |
          SHA=$(git rev-parse --short HEAD)
          echo "sha-tag=${SHA}" >> "$GITHUB_OUTPUT"

      - name: Build and push to local registry
        run: |
          REGISTRY="localhost:5000"
          REF="${REGISTRY}/${{ env.IMAGE }}:${{ steps.meta.outputs.sha-tag }}"
          buildah build \
            --label "org.opencontainers.image.revision=${{ github.sha }}" \
            -t ${REF} \
            -t ${REGISTRY}/${{ env.IMAGE }}:latest \
            .
          buildah push --tls-verify=false ${REF}
          buildah push --tls-verify=false ${REGISTRY}/${{ env.IMAGE }}:latest
          echo "✓ Image pushed to ${REF}"

  deploy:
    name: Deploy via GitOps
    needs: build
    runs-on: self-hosted
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: staging
    steps:
      - name: Update image tag in infra repo
        env:
          IMAGE_TAG: ${{ needs.build.outputs.image-tag }}
          DEPLOY_KEY: ${{ secrets.INFRA_DEPLOY_KEY }}
        run: |
          set -euo pipefail
          mkdir -p ~/.ssh
          echo "$DEPLOY_KEY" > ~/.ssh/id_infra
          chmod 600 ~/.ssh/id_infra
          ssh-keyscan -p 30022 10.0.1.20 >> ~/.ssh/known_hosts 2>/dev/null
          export GIT_SSH_COMMAND="ssh -i ~/.ssh/id_infra -o IdentitiesOnly=yes"
          rm -rf /tmp/infra
          git clone -b main ssh://git@10.0.1.20:30022/mathias/infra.git /tmp/infra
          cd /tmp/infra
          DEPLOYMENT="k3s/apps/__PROJECT_NAME__/deployment.yaml"
          sed -i "s|image: localhost:5000/__PROJECT_NAME__:.*|image: localhost:5000/__PROJECT_NAME__:${IMAGE_TAG}|" "$DEPLOYMENT"
          grep -q "localhost:5000/__PROJECT_NAME__:${IMAGE_TAG}" "$DEPLOYMENT" \
            || { echo "✗ image tag patch failed"; exit 1; }
          if git diff --quiet "$DEPLOYMENT"; then
            echo "ℹ image tag unchanged — skipping push"
          else
            git -c user.name="__PROJECT_NAME__ CI" \
                -c user.email="ci@__PROJECT_NAME__.local" \
                commit -m "chore(deploy): __PROJECT_NAME__ → ${IMAGE_TAG}" "$DEPLOYMENT"
            git push origin main
            echo "✓ pushed to infra repo"
          fi
          shred -u ~/.ssh/id_infra

      - name: Trigger Flux reconcile
        run: |
          kubectl -n flux-system annotate gitrepository flux-system \
            reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite
          kubectl -n flux-system annotate kustomization apps \
            reconcile.fluxcd.io/requestedAt="$(date +%s)" --overwrite

      - name: Verify rollout
        run: |
          kubectl rollout status deployment/__PROJECT_NAME__ \
            --namespace __PROJECT_NAME__ \
            --timeout=120s \
          || {
            kubectl get pods -n __PROJECT_NAME__ -o wide
            kubectl get events -n __PROJECT_NAME__ --sort-by='.lastTimestamp' | tail -20
            exit 1
          }