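name: Deploy to GitOps

# Manually triggered. Bumps the image tag in pieced-gitops so ArgoCD rolls
# the new version out. Does not build anything itself — the build workflow
# is the only thing that creates and pushes images.
on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Version to deploy (e.g. 0.1.5). Must already exist in the registry.'
        required: true
        type: string

# Nothing here uses GITHUB_TOKEN (the gitops push uses CI_TOKEN), so keep the
# default token as narrow as possible.
permissions:
  contents: read

env:
  REGISTRY: registry.c5ai.ch
  IMAGE: pieced/pieced-portal
  GITOPS_REPO: admin/pieced-gitops
  GITOPS_FILE: apps/portal/deployment.yaml

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Verify image exists in registry
        # Fail fast if the user typed a version that was never built. Catches
        # typos before we touch the gitops repo. The version and credentials
        # are passed as env vars rather than interpolated with ${{ }} into
        # the script, so they are shell-quoted data, not script text.
        env:
          REG_USER: ${{ secrets.REGISTRY_USERNAME }}
          REG_PASS: ${{ secrets.REGISTRY_PASSWORD }}
          VERSION: ${{ inputs.version }}
        run: |
          set -euo pipefail
          # Reject anything that is not a syntactically valid image tag before
          # it is used in a URL or, later, in a sed replacement. This charset
          # contains no sed/regex specials, so the later substitution is safe.
          if [[ ! "$VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$ ]]; then
            echo "::error::Invalid version '${VERSION}': must be a valid image tag"
            exit 1
          fi
          # Explicit Accept header: without it some registries answer 404 for
          # OCI / multi-arch manifests even though the tag exists.
          status=$(curl -sf -o /dev/null -w '%{http_code}' \
            -u "$REG_USER:$REG_PASS" \
            -H 'Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json' \
            "https://${REGISTRY}/v2/${IMAGE}/manifests/${VERSION}" \
            || true)
          if [ "$status" != "200" ]; then
            echo "::error::Image ${REGISTRY}/${IMAGE}:${VERSION} not found (HTTP $status)"
            exit 1
          fi
          echo "Confirmed: ${REGISTRY}/${IMAGE}:${VERSION} exists."

      - name: Checkout pieced-gitops
        # Supply-chain note: consider pinning this action to a full commit SHA
        # instead of the mutable v4 tag.
        uses: actions/checkout@v4
        with:
          repository: ${{ env.GITOPS_REPO }}
          token: ${{ secrets.CI_TOKEN }}
          path: gitops
          # A single new commit on top of HEAD needs no history, so a shallow
          # clone is enough to commit and push back.
          fetch-depth: 1

      - name: Update image tag
        working-directory: gitops
        env:
          VERSION: ${{ inputs.version }}
        run: |
          set -euo pipefail
          file="${GITOPS_FILE}"
          if [ ! -f "$file" ]; then
            echo "::error::$file not found in gitops repo"
            exit 1
          fi
          # Anchored to the full image path to avoid accidentally rewriting
          # any unrelated 'image:' line that might appear later. VERSION was
          # charset-checked in the verify step, so it cannot contain the '|'
          # delimiter, '&' or '\' that would alter the replacement.
          sed -i -E \
            "s|(image: ${REGISTRY}/${IMAGE}:)[^[:space:]]+|\1${VERSION}|" \
            "$file"
          echo "--- diff ---"
          git --no-pager diff "$file" || true

      - name: Commit and push
        working-directory: gitops
        env:
          VERSION: ${{ inputs.version }}
        run: |
          set -euo pipefail
          # Only the deployment file is ever edited; scope the no-op check to it.
          if git diff --quiet -- "${GITOPS_FILE}"; then
            echo "No changes — image tag was already ${VERSION}."
            exit 0
          fi
          git config user.name "pieced-ci"
          git config user.email "ci@pieced.ch"
          git add "${GITOPS_FILE}"
          git commit -m "Bump pieced-portal to ${VERSION}"
          git push

      - name: Summary
        env:
          VERSION: ${{ inputs.version }}
        run: |
          {
            echo "## Deployed: pieced-portal ${VERSION}"
            echo
            echo "ArgoCD will sync within its refresh interval."
            echo "Watch with: \`kubectl get app -n argocd portal -w\`"
          } >> "$GITHUB_STEP_SUMMARY"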