name: Build & Deploy unom website
run-name: ${{ gitea.actor }} is deploying unom/website

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4.2.2

      - name: Set up Docker Buildx
        env:
          BUILDER: builder-unom-website
        run: |
          cat > /tmp/buildkitd.toml <<'EOF'
          [registry."docker.io"]
            mirrors = ["192.168.1.52:5000"]
          [registry."192.168.1.52:5000"]
            http = true
            insecure = true
          EOF
          docker buildx rm "$BUILDER" 2>/dev/null || true
          docker buildx create --name "$BUILDER" --use --bootstrap \
            --driver docker-container \
            --config /tmp/buildkitd.toml

      - name: Log in to Gitea registry
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin

      - name: Stage .npmrc with @unom registry auth
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: |
          cat > /tmp/.npmrc <<EOF
          @unom:registry=https://git.unom.io/api/packages/unom/npm/
          //git.unom.io/api/packages/unom/npm/:_authToken=${REGISTRY_TOKEN}
          EOF

      - name: Build & push
        env:
          BUILDER: builder-unom-website
          IMAGE: git.unom.io/${{ gitea.repository }}
          SHA: ${{ gitea.sha }}
        run: |
          docker buildx build \
            --builder "$BUILDER" \
            --push \
            --file ./Dockerfile \
            --tag "$IMAGE:latest" \
            --tag "$IMAGE:$SHA" \
            --secret id=npmrc,src=/tmp/.npmrc \
            --cache-from "type=registry,ref=$IMAGE:cache" \
            --cache-to "type=registry,ref=$IMAGE:cache,mode=min" \
            .

      - name: Tear down builder
        if: always()
        env:
          BUILDER: builder-unom-website
        run: |
          docker buildx rm "$BUILDER" 2>/dev/null || true

  deploy:
    runs-on: ubuntu-24.04
    needs: build
    steps:
      - name: Pull and start web
        uses: appleboy/ssh-action@v1.2.5
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        with:
          host: ${{ secrets.DEPLOY_HOST }}
          username: ${{ secrets.DEPLOY_USER }}
          port: ${{ secrets.DEPLOY_PORT }}
          key: ${{ secrets.DEPLOY_SSH_KEY }}
          # Pass the registry creds into the remote shell's environment so the
          # `docker login`, the clone-if-absent, and the git pull below can all
          # reuse them WITHOUT ever interpolating the token into the script text
          # (which would land it in the run log / process args).
          envs: REGISTRY_USER,REGISTRY_TOKEN
          script: |
            set -euo pipefail
            printf '%s' "$REGISTRY_TOKEN" | docker login git.unom.io -u "$REGISTRY_USER" --password-stdin
            # Self-install on a blank host: make sure git exists, then clone the
            # repo if it isn't already checked out (mirrors played/workflows
            # build-deploy-game.yml). The deploy user has NOPASSWD sudo.
            command -v git >/dev/null 2>&1 || { sudo apt-get update -qq && sudo apt-get install -y git; }
            [ -d "$HOME/unom-website/.git" ] || git clone "https://${REGISTRY_USER}:${REGISTRY_TOKEN}@git.unom.io/unom/website.git" "$HOME/unom-website"
            cd ~/unom-website
            git fetch origin main
            git reset --hard origin/main
            docker compose -f compose.production.yml pull web
            docker compose -f compose.production.yml up -d --no-build web