when:
  - event: push
    branch: main

steps:
  - name: version
    image: alpine:latest
    commands:
      - apk add --no-cache git
      - GIT_REV="$(git rev-parse --short HEAD)"
      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
      - APP_V="$(cat version)"
      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\n" "$GIT_REV" "$BUILD_BRANCH" "$APP_V" | tee .env.version

  - name: secrets
    image: alpine:latest
    depends_on: [ version ]
    environment:
      VAULT_ADDR: https://vault.sendico.io
      VAULT_ROLE_ID:     { from_secret: VAULT_ROLE_ID }
      VAULT_SECRET_ID:   { from_secret: VAULT_SECRET_ID }
    commands:
      - apk add --no-cache curl bash coreutils sed
      - mkdir -p secrets
      - set -a; . ./.env.version; set +a
      # fetch registry creds
      - ./ci/vlt kv_to_file kv sendico/registry user secrets/REGISTRY_USER 600
      - ./ci/vlt kv_to_file kv sendico/registry password secrets/REGISTRY_PASS 600
      # fetch SSH private key for deploy
      - ./ci/vlt kv_to_file kv sendico/ops/deploy/ssh_key private secrets/SSH_KEY 600

  - name: lock-db
    image: quay.io/skopeo/stable:latest
    depends_on: [ secrets ]
    environment:
      REGISTRY_URL: registry.sendico.io
      MONGO_VERSION: latest
    commands:
      - apk add --no-cache bash coreutils sed
      - mkdir -p ci/prod/env
      - set -a; . ./ci/prod/.env.runtime; set +a
      - set -a; . ./.env.version; set +a
      - test -s secrets/REGISTRY_USER && test -s secrets/REGISTRY_PASS
      - CREDS="$(cat secrets/REGISTRY_USER):$(cat secrets/REGISTRY_PASS)"
      # mirror multi-arch image into registry under app version tag
      - skopeo copy --all docker://docker.io/library/mongo:${MONGO_VERSION} docker://${REGISTRY_URL}/mirror/mongo:${APP_V} --dest-creds "$CREDS"
      # inspect the mirrored image to capture immutable digest
      - INSPECT=$(skopeo inspect docker://${REGISTRY_URL}/mirror/mongo:${APP_V} --creds "$CREDS")
      - DIGEST="$(printf '%s' "$INSPECT" | tr -d '\n' | sed -n 's/.*"Digest"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')"
      - test -n "$DIGEST"
      # store lock both for local deploy metadata and rsync to server
      - printf 'MONGO_TAG=%s\nMONGO_DIGEST=%s\n' "$APP_V" "$DIGEST" | tee .env.lock ci/prod/env/.env.lock.db
      - cat .env.lock

  - name: deploy
    image: alpine:latest
    depends_on: [ lock-db ]
    commands:
      - apk add --no-cache openssh-client rsync
      - set -a; . ./ci/prod/.env.runtime; set +a            # SSH_HOST, SSH_USER, REMOTE_DIR берём из репо
      - set -a; . ./.env.version; set +a
      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
      # ensure target dir layout
      - ssh -o StrictHostKeyChecking=no ${SSH_USER}@${SSH_HOST} "mkdir -p ${REMOTE_DIR}/{ops,vault/templates,backup,.woodpecker}"
      # sync non-secret runtime files from repo → server
      - rsync -avz --delete ci/prod/compose/ ${SSH_USER}@${SSH_HOST}:${REMOTE_BASE}/${DB_DIR}/compose/
      - rsync -avz .woodpecker/ ${SSH_USER}@${SSH_HOST}:${REMOTE_DIR}/.woodpecker/
      - rsync -avz ci/prod/.env.runtime ${SSH_USER}@${SSH_HOST}:${REMOTE_BASE}/${DB_DIR}/env/.env.runtime
      - rsync -avz ci/prod/env/.env.lock.db ${SSH_USER}@${SSH_HOST}:${REMOTE_BASE}/${DB_DIR}/env/.env.lock.db
      # upload the generated lock
      - scp -o StrictHostKeyChecking=no .env.lock ${SSH_USER}@${SSH_HOST}:${REMOTE_DIR}/.env.lock
      # deploy
      - ssh -o StrictHostKeyChecking=no ${SSH_USER}@${SSH_HOST} "
          set -euo pipefail
          cd ${REMOTE_DIR}
          docker compose -f .woodpecker/db.yml pull
          docker compose -f .woodpecker/db.yml up -d --remove-orphans
        "