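# Deploy QA
#
# On every push to `dev`: build the image, push it to the registry under
# `qa-latest` and `sha-<commit>`, then SSH to the QA host, pull the image,
# replace the `cicd-qa` container and wait for its /health endpoint.
#
# Inputs (names unchanged):
#   vars:    REGISTRY_URL, IMAGE_NAME
#   secrets: TOKEN, DEPLOY_SSH_KEY, DEPLOY_PASSPHRASE, DEPLOY_HOST,
#            DEPLOY_USERNAME
#
# Secrets and context values reach the shell through `env:` and are expanded
# as quoted shell variables. They are never interpolated into the script text
# with ${{ }}, so their content is not parsed as shell.
name: Deploy QA

on:
  push:
    branches:
      - dev

env:
  REGISTRY_URL: ${{ vars.REGISTRY_URL }}
  IMAGE_NAME: ${{ vars.IMAGE_NAME }}
  APP_ENV: qa

jobs:
  build-and-push:
    name: Build and Push
    runs-on: ubuntu-latest
    outputs:
      image_tag: ${{ steps.meta.outputs.image_tag }}
    steps:
      # NOTE(review): both actions are referenced by a mutable major tag.
      # Pinning each to a full commit SHA protects the job if a tag is moved.
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Gitea Registry
        env:
          REGISTRY_TOKEN: ${{ secrets.TOKEN }}
          REGISTRY_USER: ${{ gitea.actor }}
        run: |
          set -euo pipefail
          printf '%s\n' "$REGISTRY_TOKEN" \
            | docker login "$REGISTRY_URL" -u "$REGISTRY_USER" --password-stdin

      - name: Build and push
        id: meta
        env:
          GIT_SHA: ${{ gitea.sha }}
        run: |
          set -euo pipefail

          QA_TAG="qa-latest"
          BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

          docker buildx build \
            --push \
            --build-arg "APP_VERSION=dev-${GIT_SHA}" \
            --build-arg "BUILD_DATE=${BUILD_DATE}" \
            --build-arg "GIT_COMMIT=${GIT_SHA}" \
            --build-arg "GIT_BRANCH=dev" \
            -t "${REGISTRY_URL}/${IMAGE_NAME}:${QA_TAG}" \
            -t "${REGISTRY_URL}/${IMAGE_NAME}:sha-${GIT_SHA}" \
            .

          # NOTE(review): the deploy job consumes this mutable tag. The
          # sha-<commit> tag pushed above identifies this exact build if the
          # deploy should be tied to it.
          echo "image_tag=${QA_TAG}" >> "$GITEA_OUTPUT"
          echo "::notice::Image pushed: ${REGISTRY_URL}/${IMAGE_NAME}:${QA_TAG}"

  deploy:
    name: Deploy to QA
    runs-on: ubuntu-latest
    needs: build-and-push
    steps:
      - name: Deploy via SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          DEPLOY_PASSPHRASE: ${{ secrets.DEPLOY_PASSPHRASE }}
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_USERNAME: ${{ secrets.DEPLOY_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.TOKEN }}
          REGISTRY_USER: ${{ gitea.actor }}
          IMAGE_TAG: ${{ needs.build-and-push.outputs.image_tag }}
          GIT_SHA: ${{ gitea.sha }}
          GIT_BRANCH: dev
          BUILD_NUMBER: ${{ gitea.run_id }}
        run: |
          set -euo pipefail

          # Key material lives in a private temp directory, is created with
          # owner-only permissions from the start (no create-then-chmod
          # window), and is removed when the step exits, pass or fail.
          umask 077
          WORKDIR="$(mktemp -d)"
          trap 'rm -rf "$WORKDIR"' EXIT

          printf '%s\n' "$DEPLOY_SSH_KEY" > "$WORKDIR/deploy_key"
          printf '%s\n' "$DEPLOY_PASSPHRASE" > "$WORKDIR/passphrase"

          sudo apt-get update -qq && sudo apt-get install -y -qq sshpass

          # ~/.ssh may not exist on a fresh runner; the redirect below would
          # fail under `set -e` without it.
          mkdir -p ~/.ssh
          # NOTE(review): scanning at deploy time trusts whatever key the
          # network returns on this run. A host key pinned in repository
          # configuration and written to known_hosts would be stronger.
          ssh-keyscan -H "$DEPLOY_HOST" >> ~/.ssh/known_hosts 2>/dev/null

          # The remote script receives its variables as `export` lines sent
          # over stdin, not as ssh command-line arguments. `bash -s -e VAR=x`
          # does not set an environment variable (-e is errexit and VAR=x
          # becomes a positional parameter), and arguments would expose the
          # registry token in the remote process list.
          # %q shell-quotes each value for the remote bash.
          REMOTE_SCRIPT="$WORKDIR/remote.sh"
          printf 'export %s=%q\n' \
            REGISTRY_URL "$REGISTRY_URL" \
            IMAGE_NAME "$IMAGE_NAME" \
            IMAGE_TAG "$IMAGE_TAG" \
            GIT_SHA "$GIT_SHA" \
            GIT_BRANCH "$GIT_BRANCH" \
            GITEA_ACTOR "$REGISTRY_USER" \
            BUILD_NUMBER "$BUILD_NUMBER" \
            TOKEN "$REGISTRY_TOKEN" \
            > "$REMOTE_SCRIPT"

          cat >> "$REMOTE_SCRIPT" << 'EOF'
          set -euo pipefail

          BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"

          echo "Pulling image..."
          # NOTE(review): docker login stores the credential in the deploy
          # user's Docker config on the host. Run `docker logout` after the
          # pull if nothing else on the host relies on it.
          printf '%s\n' "$TOKEN" \
            | docker login "$REGISTRY_URL" -u "$GITEA_ACTOR" --password-stdin
          docker pull "$REGISTRY_URL/$IMAGE_NAME:$IMAGE_TAG"

          echo "Stopping existing container..."
          # Best effort: the container may not exist on a first deploy.
          docker stop cicd-qa 2>/dev/null || true
          docker rm cicd-qa 2>/dev/null || true

          echo "Starting new container..."
          docker run -d --name cicd-qa --restart unless-stopped -p 8081:80 \
            -e APP_ENV=qa \
            -e "APP_VERSION=dev-${GIT_SHA}" \
            -e "GIT_COMMIT=${GIT_SHA}" \
            -e "GIT_BRANCH=${GIT_BRANCH}" \
            -e "BUILD_DATE=${BUILD_DATE}" \
            -e "DEPLOY_TIME=${BUILD_DATE}" \
            -e "BUILD_NUMBER=${BUILD_NUMBER}" \
            "$REGISTRY_URL/$IMAGE_NAME:$IMAGE_TAG"

          echo "Waiting for health check..."
          # 12 attempts, 5 seconds apart.
          for i in $(seq 1 12); do
            if curl -sf http://localhost:8081/health > /dev/null 2>&1; then
              echo "::notice::QA deployment healthy"
              exit 0
            fi
            sleep 5
          done

          echo "::error::QA health check failed"
          exit 1
          EOF

          # StrictHostKeyChecking=yes makes ssh refuse a host whose key is not
          # in known_hosts; `no` would accept any key and make the keyscan
          # above pointless.
          # -P passphrase: sshpass waits for a password prompt by default and
          # would not answer the key-passphrase prompt.
          sshpass -P passphrase -f "$WORKDIR/passphrase" \
            ssh -i "$WORKDIR/deploy_key" \
            -o StrictHostKeyChecking=yes \
            "${DEPLOY_USERNAME}@${DEPLOY_HOST}" bash -s < "$REMOTE_SCRIPT"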