# Recipes run under bash (resolved through env). gitea-deploy depends on this:
# it uses bash process substitution, which plain sh does not provide.
SHELL := /usr/bin/env bash
# A bare `make` prints the help text instead of running any operator target.
.DEFAULT_GOAL := help

# Operator-tunable settings. Every value below uses `?=`, which assigns only
# when the variable is not already defined, so a value given on the make
# command line or exported in the environment takes precedence. Check for
# stale exports (namespace, release, values path) before a deploy target.
#
# GITEA_VALUES is decrypted with `sops -d` by gitea-deploy.
# GITEA_REGISTRY_VALUES is handed to helm as-is, with no decryption step, so
# it presumably holds no secrets - confirm before adding credentials to it.
GITEA_RELEASE ?= gitea
GITEA_NAMESPACE ?= default
GITEA_CHART ?= gitea-charts/gitea
GITEA_VALUES ?= helm/gitea-values.sops.yaml
GITEA_REGISTRY_VALUES ?= helm/gitea-registry-values.yaml
GITEA_INGRESS ?= manifests/gitea-ingress.yaml
GITEA_HTTP_SERVICE ?= gitea-http
GITEA_SSH_SERVICE ?= gitea-ssh-nodeport
GITEA_DB_CLUSTER ?= gitea-db
GITEA_DB_NAMESPACE ?= databases
# Space-separated documentation paths printed by the *-docs targets.
REGISTRY_DOCS ?= docs/gitea-container-registry.md docs/gitea-package-registry.md
EVIDENCE_DOCS ?= docs/observability-operating-evidence.md docs/ci-runner-actions-gitops-ownership.md docs/backup-restore-secret-handoff.md
RUNNER_DOCS ?= docs/gitea-actions-runner-substrate.md docs/gitea-actions-runner-evidence.md
# File that check-sops test-decrypts. It is recursively expanded, so it
# follows GITEA_VALUES unless SOPS_SENTINEL is overridden separately.
SOPS_SENTINEL ?= $(GITEA_VALUES)

##@ Operator checks

# Report which operator tools are on PATH. kubectl, helm and sops are
# required: any one missing makes the target exit 1. tea is optional and
# never affects the exit status. The whole list is always printed, so one
# run shows every gap rather than stopping at the first.
check-tools: ## Check local tools used by forge operator targets
	@rc=0; \
	for bin in kubectl helm sops; do \
		if ! command -v "$$bin" >/dev/null 2>&1; then \
			echo "missing: $$bin"; \
			rc=1; \
		else \
			echo "ok: $$bin"; \
		fi; \
	done; \
	if ! command -v tea >/dev/null 2>&1; then \
		echo "optional: tea not found"; \
	else \
		echo "ok: tea"; \
	fi; \
	exit $$rc

# Test-decrypt the sentinel file. The plaintext goes to /dev/null and is never
# shown; only the sops exit status decides success. stderr is left attached so
# key or permission errors stay visible to the operator.
check-sops: ## Verify the configured SOPS sentinel can decrypt
	sops --decrypt $(SOPS_SENTINEL) > /dev/null

# Print each registry doc under a "## <path>" heading, capped at the first
# 220 lines per file. The recipe's exit status is that of the last file
# printed, so a missing earlier file only shows up as a sed error message.
registry-docs: ## Print canonical registry docs
	@for path in $(REGISTRY_DOCS); do \
		printf '\n## %s\n\n' "$$path"; \
		sed 220q "$$path"; \
	done

# Print each evidence / handoff doc under a "## <path>" heading, capped at
# the first 260 lines per file. The recipe's exit status is that of the last
# file printed, so a missing earlier file only shows up as a sed error message.
evidence-docs: ## Print forge evidence and handoff contracts
	@for path in $(EVIDENCE_DOCS); do \
		printf '\n## %s\n\n' "$$path"; \
		sed 260q "$$path"; \
	done

# Print each runner doc under a "## <path>" heading, capped at the first
# 260 lines per file. The recipe's exit status is that of the last file
# printed, so a missing earlier file only shows up as a sed error message.
runner-docs: ## Print Gitea Actions runner substrate docs and evidence
	@for path in $(RUNNER_DOCS); do \
		printf '\n## %s\n\n' "$$path"; \
		sed 260q "$$path"; \
	done

# Delegates to tools/gitea-runner-status.sh, run with bash from the repository
# root. The help text calls the probes read-only, but the script is not part
# of this file - NOTE(review): confirm it performs no writes on the runner
# host or registry before relying on that description.
runner-status: ## Read-only Actions runner, host, and inter-hub registry probes
	bash tools/gitea-runner-status.sh

# Report which runner-inspection tools are on PATH. curl, ssh and docker are
# required: any one missing makes the target exit 1. skopeo and act_runner
# are optional and never affect the exit status. The whole list is always
# printed so one run shows every gap.
check-runner-tools: ## Check local tools used by runner inspection targets
	@rc=0; \
	for bin in curl ssh docker; do \
		if ! command -v "$$bin" >/dev/null 2>&1; then \
			echo "missing: $$bin"; \
			rc=1; \
		else \
			echo "ok: $$bin"; \
		fi; \
	done; \
	for bin in skopeo act_runner; do \
		if ! command -v "$$bin" >/dev/null 2>&1; then \
			echo "optional: $$bin not found"; \
		else \
			echo "ok: $$bin"; \
		fi; \
	done; \
	exit $$rc

##@ Current Gitea

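# Deploy or upgrade the Gitea Helm release. No --kube-context is passed, so
# the command acts on whatever kubeconfig context is current; confirm it
# before running.
#
# The SOPS values are decrypted into a shell variable before helm starts.
# With a bare `-f <(sops -d FILE)` the shell does not see a failed decrypt:
# helm is still launched, reads an empty values stream, and may upgrade the
# release without the encrypted overrides. Here a decrypt failure or empty
# output aborts the recipe before helm is invoked. The plaintext reaches helm
# through a process substitution fed by the printf builtin, so it is not
# written to disk, not exported to helm's environment, and not placed in any
# process argument list.
gitea-deploy: ## Deploy / upgrade current Gitea forge runtime
	set -euo pipefail; \
	decrypted_values="$$(sops -d $(GITEA_VALUES))"; \
	if [ -z "$$decrypted_values" ]; then \
		echo "error: $(GITEA_VALUES) decrypted to empty output; refusing to deploy" >&2; \
		exit 1; \
	fi; \
	helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART) \
		-f <(printf '%s\n' "$$decrypted_values") \
		-f $(GITEA_REGISTRY_VALUES) \
		--namespace $(GITEA_NAMESPACE) --create-namespace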

# Apply the ingress manifest named by GITEA_INGRESS. Neither a namespace nor
# a context flag is passed, so the target namespace comes from the manifest
# (or the context default) and the cluster from the current kubeconfig
# context - confirm both before exposing the forge publicly.
gitea-ingress-deploy: ## Apply the public Gitea HTTPS ingress
	kubectl apply --filename $(GITEA_INGRESS)

# Show the release's pods, the HTTP and SSH services, the ingress, and the
# CloudNativePG cluster state. Only `get` and `status` commands are issued.
#
# The database step first probes `kubectl cnpg status` with its output
# discarded. Any failure of that probe (not only a missing plugin) selects
# the fallback branch, which lists the cluster resource and its pods instead.
gitea-status: ## Read-only status for current Gitea runtime and database
	kubectl get pods --namespace $(GITEA_NAMESPACE) --selector app.kubernetes.io/instance=$(GITEA_RELEASE)
	kubectl get svc --namespace $(GITEA_NAMESPACE) $(GITEA_HTTP_SERVICE) --ignore-not-found
	kubectl get svc --namespace $(GITEA_NAMESPACE) $(GITEA_SSH_SERVICE) --ignore-not-found
	kubectl get ingress --namespace $(GITEA_NAMESPACE) $(GITEA_RELEASE) --ignore-not-found
	@if ! kubectl cnpg status $(GITEA_DB_CLUSTER) -n $(GITEA_DB_NAMESPACE) >/dev/null 2>&1; then \
		echo "kubectl cnpg plugin not available; falling back to cnpg resources"; \
		kubectl get cluster $(GITEA_DB_CLUSTER) --namespace $(GITEA_DB_NAMESPACE); \
		kubectl get pods --namespace $(GITEA_DB_NAMESPACE) --selector cnpg.io/cluster=$(GITEA_DB_CLUSTER); \
	else \
		kubectl cnpg status $(GITEA_DB_CLUSTER) -n $(GITEA_DB_NAMESPACE); \
	fi

##@ Help

# Self-documenting help, generated by scanning every parsed makefile
# ($(MAKEFILE_LIST)) with awk:
#   - the field separator is ":.*##", so on a "target: ## text" line the first
#     field is the target name and the second is its description;
#   - lines starting with "##@" are printed as bold section headings, using
#     the text from the fifth character onward;
#   - target names are padded to 20 columns and wrapped in ANSI colour codes.
# Only targets carrying a "##" description on the rule line are listed.
help: ## Show this help
	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} \
	  /^[a-zA-Z0-9_-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
	  /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)

# Every target in this file is a command, not a file it produces. Declaring
# them phony keeps a stray file of the same name from masking a target.
.PHONY: \
	check-tools check-sops \
	registry-docs evidence-docs runner-docs \
	runner-status check-runner-tools \
	gitea-deploy gitea-ingress-deploy gitea-status \
	help
