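# Release pipeline: runs the unit tests, builds and pushes the api, web and
# manager images to the private registry, then applies the production
# kustomize overlay on the deploy host over SSH and waits for the rollouts.
name: aurask-release

on:
  push:
    branches:
      - master
    paths:
      - .gitea/workflows/aurask-release.yml
      - api/**
      # NOTE(review): "protal" may be a misspelling of "portal". Confirm it
      # against the repository layout; a filter that matches no directory
      # never triggers and gives no error.
      - protal/**
      - manager/**
      - deploy/images/aurask-api/**
      - deploy/images/aurask-web/**
      - deploy/images/aurask-manager/**
      - deploy/k3s/**
      - deploy/k3s/README.md
      - tests/**
      - pyproject.toml
      - README.md
      - AGENTS.md
      - Aurask_Technical_Operations_Plan.md
  workflow_dispatch:

# The job only needs to read the repository; the token gets no write scope.
permissions:
  contents: read

env:
  REGISTRY_HOST: registry.mydevcloud.love
  REGISTRY_NAMESPACE: devcloud
  DEPLOY_HOST: 64.90.15.15
  # NOTE(review): the CI key logs in as root on the deploy host. A dedicated
  # account restricted to the kubectl operations below would limit what a
  # leaked key can do.
  DEPLOY_USER: root
  AURASK_NAMESPACE: aurask
  KUSTOMIZE_PATH: /tmp/aurask-release/overlays/production

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Install job dependencies
        run: |
          apt-get update
          DEBIAN_FRONTEND=noninteractive apt-get install -y docker.io openssh-client curl

      # NOTE(review): v4 is a mutable tag. Pinning the action to a full commit
      # SHA keeps its code from changing underneath a job that holds the
      # registry and deploy credentials.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run unit tests
        env:
          PYTHONPATH: api
        run: |
          python3 -m unittest discover -s tests -v

      # Secrets are handed to the steps below through `env:` and read as shell
      # variables. Writing `${{ secrets.* }}` directly in `run:` pastes the
      # value into the script text before the shell parses it, so a value
      # containing `"`, `$` or a backtick would be interpreted as shell syntax.
      - name: Prepare SSH key
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          install -m 700 -d ~/.ssh
          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # NOTE(review): ssh-keyscan accepts whatever host key is presented at
          # job time, so the later ssh/scp calls do not authenticate the deploy
          # host. Writing a host key stored alongside the other repository
          # secrets into known_hosts would pin it.
          ssh-keyscan -H "${DEPLOY_HOST}" >> ~/.ssh/known_hosts

      - name: Login private registry
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          printf '%s' "${REGISTRY_PASSWORD}" | docker login "${REGISTRY_HOST}" --username "${REGISTRY_USER}" --password-stdin

      # Each image is tagged with the commit SHA and with `latest`; the deploy
      # step below references only the SHA tag.
      - name: Build and push aurask-api image
        run: |
          api_image="${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-api"
          docker build -t "${api_image}:${GITHUB_SHA}" -t "${api_image}:latest" -f deploy/images/aurask-api/Dockerfile .
          docker push "${api_image}:${GITHUB_SHA}"
          docker push "${api_image}:latest"

      - name: Build and push aurask-web image
        run: |
          web_image="${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-web"
          docker build -t "${web_image}:${GITHUB_SHA}" -t "${web_image}:latest" -f deploy/images/aurask-web/Dockerfile .
          docker push "${web_image}:${GITHUB_SHA}"
          docker push "${web_image}:latest"

      - name: Build and push aurask-manager image
        run: |
          manager_image="${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-manager"
          docker build -t "${manager_image}:${GITHUB_SHA}" -t "${manager_image}:latest" -f deploy/images/aurask-manager/Dockerfile .
          docker push "${manager_image}:${GITHUB_SHA}"
          docker push "${manager_image}:latest"

      # The remote script is a double-quoted string, so every ${...} in it is
      # expanded on the runner before ssh sends it; the deploy host receives
      # literal values.
      # NOTE(review): the secret values therefore travel as command-line text.
      # They are visible in the process arguments on the deploy host while
      # kubectl runs, and a value containing a single quote ends the remote
      # quoting early. Feeding the secret manifests to `kubectl apply -f -`
      # over the ssh session's stdin would avoid both.
      # NOTE(review): `set -o pipefail` assumes the remote login shell is
      # bash; confirm for the deploy account.
      - name: Deploy aurask production overlay
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
          POSTGRES_DB: ${{ secrets.POSTGRES_DB }}
          POSTGRES_USER: ${{ secrets.POSTGRES_USER }}
          POSTGRES_PASSWORD: ${{ secrets.POSTGRES_PASSWORD }}
        run: |
          ssh -i ~/.ssh/id_ed25519 "${DEPLOY_USER}@${DEPLOY_HOST}" "rm -rf /tmp/aurask-release"
          scp -i ~/.ssh/id_ed25519 -r deploy/k3s "${DEPLOY_USER}@${DEPLOY_HOST}:/tmp/aurask-release"
          ssh -i ~/.ssh/id_ed25519 "${DEPLOY_USER}@${DEPLOY_HOST}" "
            set -euo pipefail
            kubectl create namespace ${AURASK_NAMESPACE} --dry-run=client -o yaml | kubectl apply -f -
            kubectl -n ${AURASK_NAMESPACE} create secret docker-registry devcloud-registry \
              --docker-server=${REGISTRY_HOST} \
              --docker-username='${REGISTRY_USER}' \
              --docker-password='${REGISTRY_PASSWORD}' \
              --dry-run=client -o yaml | kubectl apply -f -
            kubectl -n ${AURASK_NAMESPACE} create secret generic aurask-postgres \
              --from-literal=POSTGRES_DB='${POSTGRES_DB}' \
              --from-literal=POSTGRES_USER='${POSTGRES_USER}' \
              --from-literal=POSTGRES_PASSWORD='${POSTGRES_PASSWORD}' \
              --dry-run=client -o yaml | kubectl apply -f -
            kubectl apply -k ${KUSTOMIZE_PATH}
            kubectl -n ${AURASK_NAMESPACE} set image deployment/aurask-api api=${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-api:${GITHUB_SHA}
            kubectl -n ${AURASK_NAMESPACE} set image deployment/aurask-worker worker=${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-api:${GITHUB_SHA}
            kubectl -n ${AURASK_NAMESPACE} set image deployment/aurask-web web=${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-web:${GITHUB_SHA}
            kubectl -n ${AURASK_NAMESPACE} set image deployment/aurask-manager manager=${REGISTRY_HOST}/${REGISTRY_NAMESPACE}/aurask-manager:${GITHUB_SHA}
            kubectl -n ${AURASK_NAMESPACE} rollout status deployment/aurask-api --timeout=600s
            kubectl -n ${AURASK_NAMESPACE} rollout status deployment/aurask-worker --timeout=600s
            kubectl -n ${AURASK_NAMESPACE} rollout status deployment/aurask-web --timeout=600s
            kubectl -n ${AURASK_NAMESPACE} rollout status deployment/aurask-manager --timeout=600s
            kubectl -n ${AURASK_NAMESPACE} rollout status statefulset/postgres --timeout=600s
            kubectl -n ${AURASK_NAMESPACE} rollout status statefulset/redis --timeout=600s
            kubectl -n ${AURASK_NAMESPACE} get pods -o wide
          "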