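---
# Build the OCI image with Nix, push it to the Gitea container registry,
# roll it out with Helm, then smoke-test the public endpoints.
# Runs on pushes to main (except the ignored paths) and on manual dispatch.
name: Build and Deploy

on:
  push:
    branches: [main]
    paths-ignore:
      - ".custodian-brief.md"
      - ".sops.yaml"
      - "app.toml"
      - "deploy/railiance/**"
      - "docs/**"
      - "workplans/**"
  workflow_dispatch:

jobs:
  build-push-deploy:
    # Self-hosted runner: registry and cluster credentials are present in the
    # job environment on this host for the duration of the run.
    runs-on: [self-hosted, haskelseed]
    timeout-minutes: 120

    steps:
      # NOTE(review): v4 is a mutable tag; pinning the action to a full commit
      # SHA keeps a retagged release out of a job that holds deploy secrets.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build OCI image
        shell: bash -l {0}
        run: |
          set -euo pipefail
          nix build .#docker \
            --accept-flake-config \
            --option lazy-trees false \
            --log-format bar-with-logs

      # Exchanges REGISTRY_TOKEN for a short-lived registry bearer token, then
      # copies the Nix-built archive to the registry under two tags.
      # NOTE(review): REGISTRY_TOKEN (curl -u) and the bearer token
      # (--dest-registry-token) are passed as command-line arguments, so they
      # are readable from the process list on the runner while the commands
      # run. Prefer a config/auth file readable only by the runner user.
      # NOTE(review): --insecure-policy makes skopeo accept any image without
      # consulting a policy file; confirm that is intended for this copy.
      - name: Push image to Gitea registry
        shell: bash -l {0}
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          set -euo pipefail
          SHA=$(git rev-parse --short HEAD)
          TOKEN=$(
            curl -fsS \
              "https://gitea.coulomb.social/v2/token?service=container_registry&scope=repository:coulomb/inter-hub:push,pull" \
              -u "tegwick:${REGISTRY_TOKEN}" \
              | awk -F'"' '/token/{print $4}'
          )
          if [ -z "${TOKEN}" ]; then
            echo "Failed to obtain Gitea registry token" >&2
            exit 1
          fi
          skopeo copy --insecure-policy \
            --dest-registry-token "${TOKEN}" \
            docker-archive:result \
            "docker://gitea.coulomb.social/coulomb/inter-hub:${SHA}"
          # Also tag as latest
          skopeo copy --insecure-policy \
            --dest-registry-token "${TOKEN}" \
            docker-archive:result \
            "docker://gitea.coulomb.social/coulomb/inter-hub:latest"
          echo "Pushed inter-hub:${SHA} and inter-hub:latest"

      # NOTE(review): helm reads KUBECONFIG as a path to a kubeconfig file. If
      # the secret holds the file contents rather than a path on the runner,
      # it must be written to a private file first. Confirm which it is.
      # NOTE(review): the release is selected by a short-SHA tag, which can be
      # overwritten in the registry; an image digest would be immutable.
      - name: Deploy to Railiance01
        shell: bash -l {0}
        env:
          KUBECONFIG: ${{ secrets.RAILIANCE01_KUBECONFIG }}
        run: |
          set -euo pipefail
          SHA=$(git rev-parse --short HEAD)
          helm upgrade --install inter-hub deploy/helm/inter-hub \
            --namespace inter-hub --create-namespace \
            --set image.tag="${SHA}" \
            --wait --timeout 5m

      # Every check below fails the job explicitly. `set -e` does not abort on
      # a failing command on the left of `&&`, so a bare
      # `check && echo OK` line passes even when the check fails. That
      # includes the check that the API still rejects unauthenticated calls.
      - name: Smoke test
        run: |
          set -euo pipefail

          fail() { echo "Smoke test failed: $*" >&2; exit 1; }

          # Give the new pod time to start
          sleep 15

          # Responses are captured before matching so that `grep -q` closing
          # the pipe early cannot turn into a curl write error under pipefail.
          LANDING=$(curl -sf --retry 5 --retry-delay 5 https://hub.coulomb.social/) \
            || fail "landing page not reachable"
          grep -q "inter-hub" <<< "${LANDING}" \
            || fail "landing page does not mention inter-hub"
          echo "Landing page OK"

          # An unauthenticated request must be rejected with exactly 401.
          STATUS=$(curl -s -o /dev/null -w "%{http_code}" \
            https://hub.coulomb.social/api/v2/widgets) \
            || fail "widgets endpoint not reachable"
          [ "${STATUS}" = "401" ] \
            || fail "expected 401 from unauthenticated /api/v2/widgets, got ${STATUS}"
          echo "API auth gate OK"

          HUBS=$(curl -fsS https://hub.coulomb.social/api/v2/hubs) \
            || fail "hub discovery endpoint not reachable"
          grep -q '"data"' <<< "${HUBS}" \
            || fail "hub discovery response has no \"data\" field"
          echo "Hub discovery OK"

          OPENAPI=$(curl -fsS https://hub.coulomb.social/api/v2/openapi.json)
          for path in /hubs /hub-capability-manifests /api-consumers /policy-scopes; do
            if grep -q "\"${path}\"" <<< "${OPENAPI}"; then
              echo "OpenAPI path present: ${path}"
            else
              echo "OpenAPI path missing: ${path}" >&2
              exit 1
            fi
          done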