name: "Build: Dev"

on:
  push:
    branches: [dev]
  workflow_dispatch:

permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: runners-farhoodlabs
    timeout-minutes: 30
    outputs:
      image-tag: ${{ steps.tag.outputs.sha }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set image tag
        id: tag
        run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/farhoodlabs/paperclip-dev
          tags: |
            type=raw,value=latest
            type=sha,prefix=
            type=semver,pattern={{version}}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: .farhoodlabs/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          no-cache: true

  update-infra:
    needs: build
    runs-on: runners-farhoodlabs
    steps:
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PAPERCLIP_APP_ID }}
          private-key: ${{ secrets.PAPERCLIP_APP_PRIVATE_KEY }}
          repositories: paperclip-infra

      - name: Update dev image tag in infra repo
        run: |
          SHA="${{ needs.build.outputs.image-tag }}"
          FILE="overlays/dev/kustomization.yaml"

          response=$(curl -sS \
            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE")

          file_sha=$(echo "$response" | jq -r '.sha')
          content=$(echo "$response" | jq -r '.content' | base64 -d)
          new_content=$(echo "$content" | sed "s/newTag: \".*\"/newTag: \"$SHA\"/")
          encoded=$(printf '%s' "$new_content" | base64 -w 0)

          curl -sS -X PUT \
            -H "Authorization: Bearer ${{ steps.app-token.outputs.token }}" \
            -H "Accept: application/vnd.github.v3+json" \
            "https://api.github.com/repos/farhoodlabs/paperclip-infra/contents/$FILE" \
            -d "{\"message\":\"chore(cd): update paperclip-dev to $SHA\",\"content\":\"$encoded\",\"sha\":\"$file_sha\"}"