name: CD

on:
  push:
    branches: [master, main]
  pull_request:

env:
  IMG: ${{ secrets.AR_LOCATION }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/${{ secrets.AR_REPO }}/${{ gitea.event.repository.name }}:lab-${{ gitea.run_number }}

jobs:
  # Build + push da imagem usando Kaniko (sem Docker daemon, sem Cloud Build).
  # Roda dentro da imagem oficial do Kaniko que tem busybox + binary executor.
  build:
    runs-on: ubuntu-latest
    container:
      image: gcr.io/kaniko-project/executor:v1.23.2-debug
    steps:
      - uses: actions/checkout@v4

      - name: Auth Artifact Registry + Build & Push (kaniko)
        run: |
          set -e
          mkdir -p /kaniko/.docker
          # Grava a chave da SA em arquivo via heredoc (preserva quebras/aspas)
          cat > /tmp/sa.json <<'__SA_EOF__'
          ${{ secrets.GCP_SA_KEY }}
          __SA_EOF__
          # Docker config: Basic Auth com user `_json_key` + JSON da SA
          AUTH_B64=$(printf '_json_key:%s' "$(cat /tmp/sa.json)" | base64 -w0)
          cat > /kaniko/.docker/config.json <<EOF
          {
            "auths": {
              "${{ secrets.AR_LOCATION }}-docker.pkg.dev": { "auth": "${AUTH_B64}" }
            }
          }
          EOF
          /kaniko/executor \
            --context dir://. \
            --dockerfile Dockerfile \
            --destination "${IMG}" \
            --cache=true \
            --cache-ttl=168h \
            --snapshot-mode=redo \
            --use-new-run

  # Deploy só roda em push pra master/main, depois do build OK.
  # Usa runner default (node:18-bullseye) — instala kubectl + gke-auth-plugin.
  deploy:
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'push'
    steps:
      - uses: actions/checkout@v4

      - name: Install kubectl + gke-auth-plugin
        run: |
          apt-get update -qq
          apt-get install -y -qq apt-transport-https ca-certificates gnupg curl
          curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
          echo "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" > /etc/apt/sources.list.d/google-cloud-sdk.list
          apt-get update -qq
          apt-get install -y -qq kubectl google-cloud-cli-gke-gcloud-auth-plugin
          kubectl version --client=true

      - name: Auth GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: ${{ secrets.GCP_PROJECT }}

      - name: Deploy hml2
        env:
          USE_GKE_GCLOUD_AUTH_PLUGIN: "True"
        run: |
          gcloud container clusters get-credentials ${{ secrets.GKE_CLUSTER }} --region ${{ secrets.GKE_REGION }} --project ${{ secrets.GCP_PROJECT }}
          NS=${{ secrets.K8S_NAMESPACE }}

          # 1) Aplica manifests (idempotente)
          if [ -d k8s ]; then
            kubectl apply -n "$NS" -f k8s/
          fi

          # 2) Atualiza imagem
          DEPLOYMENT="${{ gitea.event.repository.name }}-deployment"
          if kubectl get deployment "$DEPLOYMENT" -n "$NS" >/dev/null 2>&1; then
            CONTAINER=$(kubectl get deployment "$DEPLOYMENT" -n "$NS" -o jsonpath='{.spec.template.spec.containers[0].name}')
            kubectl set image deployment/"$DEPLOYMENT" -n "$NS" "$CONTAINER=${IMG}"
            kubectl rollout status deployment/"$DEPLOYMENT" -n "$NS" --timeout=600s
          else
            echo "Deployment $DEPLOYMENT não existe — kubectl apply acabou de criar (1º deploy)"
          fi