name: CD

on:
  push:
    branches: [master, main]
  pull_request:

env:
  IMAGE_BASE: ${{ secrets.AR_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/${{ secrets.AR_REPO }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Instala kubectl + auth plugin (gcloud já vem via setup-gcloud).
      # Build é feito remoto via Cloud Build (não precisa Docker no runner).
      - name: Install kubectl + gke-auth-plugin
        run: |
          apt-get update -qq
          apt-get install -y -qq apt-transport-https ca-certificates gnupg curl
          curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
          echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list
          apt-get update -qq
          apt-get install -y -qq kubectl google-cloud-cli-gke-gcloud-auth-plugin
          kubectl version --client=true

      - name: Auth GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: ${{ secrets.GCP_PROJECT }}

      - name: Build & push (Cloud Build, sem Docker local)
        run: |
          IMG="${IMAGE_BASE}/${{ gitea.event.repository.name }}:lab-${{ gitea.run_number }}"
          # --gcs-source-staging-dir: pula auto-detect que precisa de
          #   storage.buckets.list (project-scope) — gitea-cd só tem grant
          #   na bucket _cloudbuild, não no projeto inteiro.
          # --suppress-logs: gcloud streama logs do Cloud Build pra stdout e
          #   isso exige Viewer/Owner no projeto. SA não tem; suprimir os
          #   logs ainda espera o build terminar e propaga o exit code.
          gcloud builds submit \
            --tag "$IMG" \
            --project=${{ secrets.GCP_PROJECT }} \
            --timeout=30m \
            --gcs-source-staging-dir="gs://${{ secrets.GCP_PROJECT }}_cloudbuild/source" \
            --suppress-logs
          echo "IMG=$IMG" >> $GITHUB_ENV

      - name: Deploy hml2 (apenas em push pra master/main)
        if: github.event_name == 'push'
        env:
          USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
        run: |
          gcloud container clusters get-credentials ${{ secrets.GKE_CLUSTER }} --region ${{ secrets.GKE_REGION }} --project ${{ secrets.GCP_PROJECT }}
          NS=${{ secrets.K8S_NAMESPACE }}

          # 1) Aplica manifests (idempotente — cria PVC/Service/Ingress/Deployment se faltarem)
          if [ -d k8s ]; then
            kubectl apply -n "$NS" -f k8s/
          fi

          # 2) Atualiza image
          DEPLOYMENT="${{ gitea.event.repository.name }}-deployment"
          if kubectl get deployment "$DEPLOYMENT" -n "$NS" >/dev/null 2>&1; then
            CONTAINER=$(kubectl get deployment "$DEPLOYMENT" -n "$NS" -o jsonpath='{.spec.template.spec.containers[0].name}')
            kubectl set image deployment/"$DEPLOYMENT" -n "$NS" "$CONTAINER=$IMG"
            kubectl rollout status deployment/"$DEPLOYMENT" -n "$NS" --timeout=600s
          else
            echo "Deployment $DEPLOYMENT não existe no ns $NS — pulei set image (provavelmente é o 1º deploy e o kubectl apply acabou de criar)"
          fi