name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]
  workflow_dispatch:

jobs:
  lint-typecheck:
    name: Lint & Typecheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Typecheck
        run: pnpm typecheck

      - name: Lint
        run: pnpm lint

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run tests
        run: pnpm test

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [lint-typecheck, test]
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build all packages
        env:
          VITE_API_URL: ""
        run: pnpm build

  docker:
    name: Build & Push Docker Images
    runs-on: ubuntu-latest
    needs: [build]
    outputs:
      tag: ${{ steps.version.outputs.tag }}
    steps:
      - uses: actions/checkout@v4

      - name: Generate image tag
        id: version
        run: |
          # Always include short SHA so each build is immutable and cache-from can never
          # cross-contaminate between commits. For PRs the format is pr-N-sha7; for main
          # it is YYYY.MM.DD-sha7.
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            TAG="pr-${{ github.event.pull_request.number }}-${GITHUB_SHA::7}"
          else
            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
          echo "Image tag: $TAG"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Gitea Container Registry
        uses: docker/login-action@v3
        with:
          registry: git.farh.net
          username: ${{ gitea.actor }}
          password: ${{ secrets.REGISTRY_TOKEN }}

      - name: Build and push API image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: runner
          push: true
          tags: |
            git.farh.net/groombook/api:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/api:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:api
          cache-to: type=registry,ref=git.farh.net/groombook/cache:api,mode=max

      - name: Build and push Migrate image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: migrate
          push: true
          tags: |
            git.farh.net/groombook/migrate:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/migrate:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:migrate
          cache-to: type=registry,ref=git.farh.net/groombook/cache:migrate,mode=max

      - name: Build and push Seed image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: seed
          push: true
          tags: |
            git.farh.net/groombook/seed:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/seed:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:seed
          cache-to: type=registry,ref=git.farh.net/groombook/cache:seed,mode=max

      - name: Build and push Reset image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: reset
          push: true
          tags: |
            git.farh.net/groombook/reset:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/reset:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:reset
          cache-to: type=registry,ref=git.farh.net/groombook/cache:reset,mode=max

      - name: Build and push Web image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/web/Dockerfile
          push: true
          tags: |
            git.farh.net/groombook/web:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'git.farh.net/groombook/web:latest' || '' }}
          cache-from: type=registry,ref=git.farh.net/groombook/cache:web
          cache-to: type=registry,ref=git.farh.net/groombook/cache:web,mode=max

  deploy-dev:
    name: Deploy PR to groombook-dev
    runs-on: runners-groombook
    needs: [docker]
    if: github.event_name == 'pull_request'
    steps:
      - name: Install kubectl
        run: |
          curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          chmod +x kubectl
          sudo mv kubectl /usr/local/bin/
          kubectl version --client

      - name: Deploy to groombook-dev
        env:
          PR_NUM: ${{ github.event.pull_request.number }}
          SHA: ${{ github.sha }}
        run: |
          TAG="pr-$PR_NUM-${SHA::7}"
          echo "Deploying images tagged $TAG to groombook-dev..."

          kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
          cat <<EOF | kubectl apply -n groombook-dev -f -
          apiVersion: batch/v1
          kind: Job
          metadata:
            name: migrate-pr-$PR_NUM
          spec:
            ttlSecondsAfterFinished: 3600
            backoffLimit: 2
            template:
              spec:
                restartPolicy: Never
                containers:
                - name: migrate
                  image: git.farh.net/groombook/migrate:$TAG
                  env:
                  - name: DATABASE_URL
                    valueFrom:
                      secretKeyRef:
                        name: groombook-postgres-credentials-dev
                        key: uri
          EOF
          kubectl wait --for=condition=complete "job/migrate-pr-$PR_NUM" \
            -n groombook-dev --timeout=120s

          kubectl set image deployment/api api=git.farh.net/groombook/api:$TAG -n groombook-dev
          kubectl set image deployment/web web=git.farh.net/groombook/web:$TAG -n groombook-dev

          kubectl rollout status deployment/api -n groombook-dev --timeout=300s
          kubectl rollout status deployment/web -n groombook-dev --timeout=300s

          echo "Deployment complete."

      - name: Comment on PR
        env:
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
          PR_NUM="$PR_NUM"
          BODY=$(cat <<'EOFBODY'
          ## Deployed to groombook-dev

          **Images:** `pr-'"$PR_NUM"'`

          **URL:** https://dev.groombook.farh.net

          Ready for UAT validation.
          EOFBODY
          )
          curl -s -X POST "https://git.farh.net/api/v1/repos/groombook/app/issues/${PR_NUM}/comments" \
            -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
            -H "Content-Type: application/json" \
            -d "{\"body\": $(echo "$BODY" | jq -Rs .)}"

  web-e2e:
    name: Web E2E (Dev)
    runs-on: ubuntu-latest
    needs: [docker, deploy-dev]
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: '9.15.4'

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Install Playwright browsers
        run: pnpm --filter @groombook/web exec playwright install --with-deps chromium

      - name: Run Web E2E tests
        run: pnpm --filter @groombook/web test:e2e
        timeout-minutes: 10

  cd:
    name: Update Infra Image Tags
    runs-on: ubuntu-latest
    needs: [docker]
    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev') && github.event_name == 'push'
    steps:
      - name: Clone groombook/infra
        run: |
          git clone https://oauth2:${{ secrets.REGISTRY_TOKEN }}@git.farh.net/groombook/infra.git /tmp/infra

      - name: Install yq
        run: |
          sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
          sudo chmod +x /usr/local/bin/yq

      - name: Update dev overlay image tags
        env:
          TAG: ${{ needs.docker.outputs.tag }}
          SHA: ${{ github.sha }}
        run: |
          if [ -z "$TAG" ]; then
            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
          fi
          export SHORT_SHA="${SHA::7}"
          echo "Updating dev overlay image tags to: $TAG"
          echo "Updating migration/seed Job names with SHA: $SHORT_SHA"
          cd /tmp/infra
          DEV_KUST="apps/overlays/dev/kustomization.yaml"
          yq -i '(.images[] | select(.name == "git.farh.net/groombook/api")).newTag = env(TAG)' "$DEV_KUST"
          yq -i '(.images[] | select(.name == "git.farh.net/groombook/web")).newTag = env(TAG)' "$DEV_KUST"
          yq -i '(.images[] | select(.name == "git.farh.net/groombook/migrate")).newTag = env(TAG)' "$DEV_KUST"
          yq -i '(.images[] | select(.name == "git.farh.net/groombook/seed")).newTag = env(TAG)' "$DEV_KUST"
          yq -i '(.images[] | select(.name == "git.farh.net/groombook/reset")).newTag = env(TAG)' "$DEV_KUST"

          MIGRATE_JOB="apps/base/migrate-job.yaml"
          if [ -f "$MIGRATE_JOB" ]; then
            yq -i '.metadata.name = "migrate-schema-" + env(SHORT_SHA)' "$MIGRATE_JOB"
            yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$MIGRATE_JOB"
            yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$MIGRATE_JOB"
          fi

          SEED_JOB="apps/base/seed-job.yaml"
          if [ -f "$SEED_JOB" ]; then
            yq -i '.metadata.name = "seed-test-data-" + env(SHORT_SHA)' "$SEED_JOB"
            yq -i '.metadata.annotations."groombook.app/deploy-version" = env(TAG)' "$SEED_JOB"
            yq -i '.spec.ttlSecondsAfterFinished = (.spec.ttlSecondsAfterFinished // 86400)' "$SEED_JOB"
          fi

          git -C /tmp/infra diff --stat

      - name: Create PR on groombook/infra
        env:
          TAG: ${{ needs.docker.outputs.tag }}
        run: |
          if [ -z "$TAG" ]; then
            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
          fi

          cd /tmp/infra
          git config user.name "groombook-engineer[bot]"
          git config user.email "groombook-engineer@farh.net"
          git checkout -b "chore/update-image-tags-${TAG}"
          git add apps/overlays/dev/ apps/base/migrate-job.yaml apps/base/seed-job.yaml
          git commit -m "chore: update image tags and migration/seed Job names to ${TAG}"

          git push -u origin "chore/update-image-tags-${TAG}"

          EXISTING_PR=$(curl -s "https://git.farh.net/api/v1/repos/groombook/infra/pulls?state=open&head=groombook:chore/update-image-tags-${TAG}" \
            -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" | jq -r '.[0].number')
          if [ -n "$EXISTING_PR" ] && [ "$EXISTING_PR" != "null" ]; then
            echo "PR #$EXISTING_PR already exists for this tag, merging existing PR"
            curl -s -X PUT "https://git.farh.net/api/v1/repos/groombook/infra/pulls/${EXISTING_PR}/merge" \
              -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
              -H "Content-Type: application/json" \
              -d '{"do": "merge"}'
          else
            PR_RESPONSE=$(curl -s -X POST "https://git.farh.net/api/v1/repos/groombook/infra/pulls" \
              -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
              -H "Content-Type: application/json" \
              -d "{
                \"base\": \"main\",
                \"head\": \"chore/update-image-tags-${TAG}\",
                \"title\": \"chore: deploy ${TAG} to dev\",
                \"body\": \"[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge\"
              }")
            PR_NUM=$(echo "$PR_RESPONSE" | jq -r '.number')
            echo "Created PR #$PR_NUM"
            curl -s -X PUT "https://git.farh.net/api/v1/repos/groombook/infra/pulls/${PR_NUM}/merge" \
              -H "Authorization: Bearer ${{ secrets.REGISTRY_TOKEN }}" \
              -H "Content-Type: application/json" \
              -d '{"do": "merge"}'
          fi