# Push to main → scp backend sources to ark-library-backend-1, rebuild api.
#
# Gitea repo secrets (Settings → Actions → Secrets):
#   DEPLOY_SSH_KEY   — PEM private key for ec2-user@ark-library-backend-1 (no passphrase)
#
# Optional secrets (override defaults):
#   DEPLOY_HOST      — SSH host (default ark-library-backend-1)
#   DEPLOY_USER      — default ec2-user
#   REMOTE_REPO      — default /home/ec2-user/arkieproject
#
# Runner must reach the host. Server needs ${REMOTE_REPO}/.env and deploy/ (bootstrap via deploy/sync-admin.sh).

name: Deploy API

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
  DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
  REMOTE_REPO: ${{ secrets.REMOTE_REPO }}

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Resolve deploy target
        run: |
          echo "DEPLOY_HOST=${DEPLOY_HOST:-ark-library-backend-1}" >> "$GITHUB_ENV"
          echo "DEPLOY_USER=${DEPLOY_USER:-ec2-user}" >> "$GITHUB_ENV"
          echo "REMOTE_REPO=${REMOTE_REPO:-/home/ec2-user/arkieproject}" >> "$GITHUB_ENV"
          echo "REMOTE_BACKEND=${REMOTE_REPO:-/home/ec2-user/arkieproject}/backend" >> "$GITHUB_ENV"

      - name: Configure SSH
        env:
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
        run: |
          if [[ -z "${DEPLOY_SSH_KEY}" ]]; then
            echo "Missing repository secret DEPLOY_SSH_KEY" >&2
            exit 1
          fi
          install -d -m 700 ~/.ssh
          printf '%s\n' "${DEPLOY_SSH_KEY}" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts 2>/dev/null || true
          cat >> ~/.ssh/config <<EOF
          Host deploy-target
            HostName ${DEPLOY_HOST}
            User ${DEPLOY_USER}
            IdentityFile ~/.ssh/deploy_key
            StrictHostKeyChecking accept-new
            ConnectTimeout 30
          EOF
          chmod 600 ~/.ssh/config

      - name: Package backend sources
        run: |
          tar czf /tmp/backend-deploy.tar.gz \
            --exclude='./.git' \
            --exclude='./uploads' \
            --exclude='./.env' \
            --exclude='./.env.*' \
            --exclude='./.DS_Store' \
            --exclude='./.gitea' \
            -C . .

      - name: Deploy backend sources (scp)
        run: |
          scp /tmp/backend-deploy.tar.gz deploy-target:/tmp/backend-deploy.tar.gz
          ssh deploy-target bash -s <<REMOTE
          set -euo pipefail
          REMOTE_BACKEND="${REMOTE_BACKEND}"
          mkdir -p "\${REMOTE_BACKEND}"
          find "\${REMOTE_BACKEND}" -mindepth 1 -maxdepth 1 -exec rm -rf {} +
          tar xzf /tmp/backend-deploy.tar.gz -C "\${REMOTE_BACKEND}"
          rm -f /tmp/backend-deploy.tar.gz
          REMOTE

      - name: Rebuild and restart API container
        run: |
          ssh deploy-target bash -s <<REMOTE
          set -euo pipefail
          cd "${REMOTE_REPO}"
          if [[ ! -f .env ]]; then
            echo "Missing ${REMOTE_REPO}/.env on server — bootstrap with deploy/sync-admin.sh first." >&2
            exit 1
          fi
          DC='sudo docker compose -f deploy/docker-compose.admin.yml --env-file .env'
          \${DC} build api
          \${DC} up -d --no-deps api
          \${DC} ps api
          REMOTE