when:
  - event: push
    branch: main
    path:
      exclude: ['**']
      ignore_message: '[infra]'

steps:
  - name: version
    image: alpine:latest
    commands:
      - set -euo pipefail
      - apk add --no-cache git
      - GIT_REV="$(git rev-parse --short HEAD)"
      - BUILD_BRANCH="$(git rev-parse --abbrev-ref HEAD)"
      - APP_V="$(cat version)"
      - printf "GIT_REV=%s\nBUILD_BRANCH=%s\nAPP_V=%s\n" "$GIT_REV" "$BUILD_BRANCH" "$APP_V" | tee .env.version

  - name: secrets
    image: alpine:latest
    depends_on: [ version ]
    environment:
      # CI's own AppRole creds for accessing Vault to fetch the SSH key (existing names)
      VAULT_ADDR: { from_secret: VAULT_ADDR }
      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
    commands:
      - set -euo pipefail
      - apk add --no-cache bash coreutils openssh-keygen curl sed python3
      - sh ci/scripts/common/fetch_deploy_ssh_key.sh secrets/SSH_KEY

  - name: deploy
    image: alpine:latest
    depends_on: [ secrets ]
    # Reuse the SAME Woodpecker secrets to pass AppRole to the Vault Agent at runtime
    environment:
      VAULT_ROLE_ID:   { from_secret: VAULT_APP_ROLE }
      VAULT_SECRET_ID: { from_secret: VAULT_SECRET_ID }
    commands:
      - set -euo pipefail
      - apk add --no-cache bash openssh-client rsync coreutils
      - mkdir -p /root/.ssh
      - install -m 600 secrets/SSH_KEY /root/.ssh/id_rsa
      - . ./ci/scripts/common/runtime_env.sh
      - export RUNTIME_ENV_FILE="$(resolve_runtime_env_file "$(resolve_runtime_env_name)")"
      - sed -i 's/\r$//' "${RUNTIME_ENV_FILE}"
      - set -a
      - . "${RUNTIME_ENV_FILE}"
      - . ./.env.version
      - set +a
      - bash ci/prod/scripts/bootstrap/network.sh
      - bash ci/prod/scripts/deploy/db.sh