kind: pipeline
type: docker
name: db

when:
  - event: push
    branch: main

steps:
  - name: version
    image: alpine:latest
    commands:
      - set -euo pipefail
      - apk add --no-cache git
      - GIT_REV="$(git rev-parse --short HEAD)"
      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
      - APP_V="$(cat version)"
      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\n" "$GIT_REV" "$BUILD_BRANCH" "$APP_V" | tee .env.version

  - name: secrets
    image: alpine:latest
    depends_on: [ version ]
    environment:
      # CI's own AppRole creds for accessing Vault to fetch the SSH key (existing names)
      VAULT_ADDR: { from_secret: VAULT_ADDR }
      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
    commands:
      - set -euo pipefail
      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
      - mkdir -p secrets
      # Retrieve SSH private key for deploy (existing helper)
      - ./ci/vlt kv_to_file kv ops/deploy/ssh_key private_b64 secrets/SSH_KEY.b64 600
      - base64 -d secrets/SSH_KEY.b64 > secrets/SSH_KEY
      - chmod 600 secrets/SSH_KEY
      - ssh-keygen -y -f secrets/SSH_KEY >/dev/null

  - name: deploy
    image: alpine:latest
    depends_on: [ secrets ]
    # Reuse the SAME Woodpecker secrets to pass AppRole to the Vault Agent at runtime
    environment:
      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
    commands:
      - set -euo pipefail
      - apk add --no-cache bash openssh-client rsync coreutils
      - mkdir -p /root/.ssh
      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
      - sed -i 's/\r$//' ./ci/prod/.env.runtime
      - set -a
      - . ./ci/prod/.env.runtime
      - . ./.env.version
      - set +a
      - bash ci/prod/scripts/bootstrap/network.sh
      - bash ci/prod/scripts/deploy/db.sh