name: Deploy to Production
run-name: 🚀 Deploy by @${{ gitea.actor }}

# ───────────────────────────────────────────────────────
# Owner: DevOps (Architekt)
# CD v3 — 2026-06-13
#
# Triggers:
#   1. AUTOMATIC after successful CI on main (workflow_run)
#      → Uses safe defaults: patch bump, all services, main ref.
#      → Commits marked with [skip ci] are filtered at job level
#        (prevents version-bump loops).
#   2. MANUAL via workflow_dispatch with full parameter control.
#
# Concurrency: one deploy at a time.
#   Queued deploys wait — no race conditions with parallel builds.
#
# Version-Bump / CI Loop Prevention:
#   The version-bump commit includes "[skip ci]" in its message,
#   which Gitea Actions respects. The auto-trigger additionally
#   checks for "[skip ci]" as a second safety layer. Together
#   they guarantee that a version-bump commit does NOT trigger
#   another CI → Deploy → Bump → CI cycle.
# ───────────────────────────────────────────────────────
concurrency:
  group: deploy-production
  cancel-in-progress: false

on:
  # ── Auto-Trigger: after successful CI on main ──
  workflow_run:
    workflows: ["CI - Build & Test"]
    types: [completed]
    branches: [main]

  # ── Manual Trigger (full control) ──
  workflow_dispatch:
    inputs:
      version_bump:
        description: 'Version bump type'
        required: true
        default: 'patch'
        type: choice
        options:
          - patch
          - minor
          - major
      service:
        description: 'Service to deploy (empty = all)'
        required: false
        default: ''
        type: string
      no_cache:
        description: 'Disable Docker build cache'
        required: false
        default: false
        type: boolean
      git_ref:
        description: 'Git ref to deploy (branch, tag, or commit SHA; default: main)'
        required: false
        default: 'main'
        type: string

jobs:
  deploy:
    name: Deploy Nexus
    runs-on: ubuntu-latest
    if: |
      (github.event_name == 'workflow_dispatch') ||
      (github.event_name == 'workflow_run' &&
       github.event.workflow_run.conclusion == 'success' &&
       !contains(github.event.workflow_run.head_commit.message, '[skip ci]'))

    # ── Env for the deploy target path ──
    env:
      DEPLOY_PATH: /opt/openclaw/data/openclaw/workspace/nexus
      ENV_TMPFILE: /tmp/nexus-deploy-env
      ENV_POSTGRES_PASSWORD: ${{ secrets.ENV_POSTGRES_PASSWORD }}
      ENV_JWT_KEY: ${{ secrets.ENV_JWT_KEY }}
      ENV_OWNER_PASSWORD: ${{ secrets.ENV_OWNER_PASSWORD }}
      ENV_OPENCLAW_TOKEN: ${{ secrets.ENV_OPENCLAW_TOKEN }}

    steps:
      # ═══════════════════════════════════════════════════
      # Step 1: Checkout
      # ═══════════════════════════════════════════════════
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event_name == 'workflow_dispatch' && inputs.git_ref || 'main' }}
          fetch-depth: 0
          fetch-tags: true

      # ═══════════════════════════════════════════════════
      # Step 2: Set up Git identity
      # ═══════════════════════════════════════════════════
      - name: Configure Git
        run: |
          git config user.email "devops@noveria.net"
          git config user.name "DevOps"

      # ═══════════════════════════════════════════════════
      # Step 3: Resolve deploy version
      #
      # Deploying main: DevOps may bump VERSION and create a tag.
      # Deploying any other ref: deploy exactly that ref, but DO NOT
      # mutate main or create a version-bump commit on another branch.
      #
      # For auto-deploys (workflow_run): always "patch" bump on main.
      # ═══════════════════════════════════════════════════
      - name: Resolve Version
        id: version
        run: |
          set -euo pipefail

          # Determine bump type (auto-deploy → patch; manual → user choice)
          BUMP_TYPE="${{ github.event_name == 'workflow_dispatch' && inputs.version_bump || 'patch' }}"

          # Read current version
          if [ ! -f VERSION ]; then
            echo "❌ VERSION file not found"
            exit 1
          fi

          CURRENT=$(cat VERSION | tr -d '[:space:]')
          if ! echo "$CURRENT" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "❌ Invalid semver in VERSION: '$CURRENT'"
            exit 1
          fi

          MAJOR=$(echo "$CURRENT" | cut -d. -f1)
          MINOR=$(echo "$CURRENT" | cut -d. -f2)
          PATCH=$(echo "$CURRENT" | cut -d. -f3)

          case "$BUMP_TYPE" in
            major) NEW_MAJOR=$((MAJOR + 1)); NEW_MINOR=0; NEW_PATCH=0 ;;
            minor) NEW_MAJOR=$MAJOR; NEW_MINOR=$((MINOR + 1)); NEW_PATCH=0 ;;
            patch) NEW_MAJOR=$MAJOR; NEW_MINOR=$MINOR; NEW_PATCH=$((PATCH + 1)) ;;
            *) echo "❌ Unknown bump type: $BUMP_TYPE"; exit 1 ;;
          esac

          # Determine git ref — auto-deploy always uses main
          DEPLOY_REF="${{ github.event_name == 'workflow_dispatch' && inputs.git_ref || 'main' }}"
          if [ -z "$DEPLOY_REF" ] || [ "$DEPLOY_REF" = "main" ] || [ "$DEPLOY_REF" = "refs/heads/main" ]; then
            NEW_VERSION="${NEW_MAJOR}.${NEW_MINOR}.${NEW_PATCH}"
            echo "$NEW_VERSION" > VERSION
            git add VERSION
            git commit -m "chore: bump version to ${NEW_VERSION} [skip ci]"
            git tag -a "v${NEW_VERSION}" -m "Release v${NEW_VERSION}"
            git push origin HEAD:main --tags
            echo "version=$NEW_VERSION" >> "$GITEA_OUTPUT"
            echo "mutated_main=true" >> "$GITEA_OUTPUT"
            echo "📦 Main deploy: version $CURRENT -> v${NEW_VERSION} (bump: $BUMP_TYPE, trigger: ${{ github.event_name }})"
          else
            echo "version=$CURRENT" >> "$GITEA_OUTPUT"
            echo "mutated_main=false" >> "$GITEA_OUTPUT"
            echo "📦 Non-main deploy from '$DEPLOY_REF': using committed VERSION $CURRENT without git mutation"
          fi

      # ═══════════════════════════════════════════════════
      # Step 4: Build .env from secrets (SAFE)
      #
      # Secrets are written to /tmp/nexus-deploy-env — NEVER
      # to a file inside the workspace that gets rsync'd to
      # the host. The temp file is deleted immediately after
      # compose operations complete.
      # ═══════════════════════════════════════════════════
      - name: Prepare .env (secrets → temp file)
        run: |
          set -euo pipefail

          cat > "${ENV_TMPFILE}" <<EOF
          # Nexus Production Environment — auto-generated by CD pipeline
          # Managed via Gitea Secrets → do NOT edit manually on the host.
          # This file lives in /tmp and is removed after deploy completes.
          POSTGRES_DB=nexus
          POSTGRES_USER=nexus
          POSTGRES_PASSWORD=${ENV_POSTGRES_PASSWORD}
          JWT_KEY=${ENV_JWT_KEY}
          JWT_ISSUER=nexus
          JWT_AUDIENCE=nexus-web
          OWNER_EMAIL=vmbao62@hotmail.de
          OWNER_PASSWORD=${ENV_OWNER_PASSWORD}
          OWNER_DISPLAY_NAME=
          OPENCLAW_BASE_URL=http://host.docker.internal:18789
          OPENCLAW_GATEWAY_TOKEN=${ENV_OPENCLAW_TOKEN}
          OPENCLAW_GATEWAY_PASSWORD=
          EOF

          chmod 600 "${ENV_TMPFILE}"
          echo "✅ .env written to ${ENV_TMPFILE} (mode 600)"

      # ═══════════════════════════════════════════════════
      # Step 5: Sync code to host (without .env in workspace)
      # ═══════════════════════════════════════════════════
      - name: Sync code to host
        run: |
          set -euo pipefail

          docker run --rm \
            -v "${{ gitea.workspace }}:/src:ro" \
            -v "${DEPLOY_PATH}:/dest" \
            alpine:latest \
            sh -c "
              cd /src && \
              find . -mindepth 1 -maxdepth 1 \
                ! -name .git \
                -exec cp -r {} /dest/ \; && \
              DEST_OWNER=\$(stat -c '%u:%g' /dest) && \
              chown -R \"\$DEST_OWNER\" /dest
            "

          echo "✅ Code synced to ${DEPLOY_PATH}"

      # ═══════════════════════════════════════════════════
      # Step 6: Build & Deploy
      #
      # The temp .env file is bind-mounted read-only into the
      # docker:cli container so compose can resolve variables.
      # It is NEVER written into the workspace directory.
      # ═══════════════════════════════════════════════════
      - name: Build & Deploy
        run: |
          set -euo pipefail

          # Auto-deploy: always use cache. Manual: respect no_cache input.
          NO_CACHE="${{ github.event_name == 'workflow_dispatch' && inputs.no_cache || false }}"
          BUILD_ARGS=""
          if [ "$NO_CACHE" = "true" ]; then
            BUILD_ARGS="--no-cache"
          fi

          SERVICE_ARG="${{ github.event_name == 'workflow_dispatch' && inputs.service || '' }}"

          docker run --rm \
            -v "${DEPLOY_PATH}:/workspace/nexus" \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -w /workspace/nexus \
            -i \
            docker:cli \
            sh -c "
              set -e
              trap 'rm -f /tmp/nexus-deploy-env' EXIT
              cat > /tmp/nexus-deploy-env
              if [ -n '${SERVICE_ARG}' ]; then
                echo '🚀 Deploying service: ${SERVICE_ARG}'
                docker compose --env-file /tmp/nexus-deploy-env build ${BUILD_ARGS} ${SERVICE_ARG}
                docker compose --env-file /tmp/nexus-deploy-env up -d --wait --force-recreate ${SERVICE_ARG}
              else
                echo '🚀 Deploying all services'
                docker compose --env-file /tmp/nexus-deploy-env build ${BUILD_ARGS}
                docker compose --env-file /tmp/nexus-deploy-env up -d --wait --force-recreate
              fi
            " < "${ENV_TMPFILE}"

          echo "✅ Docker compose up completed"

      # ═══════════════════════════════════════════════════
      # Step 7: Clean up temp .env
      # ═══════════════════════════════════════════════════
      - name: Clean up temp .env
        if: always()
        run: |
          if [ -f "${ENV_TMPFILE}" ]; then
            shred -u "${ENV_TMPFILE}" 2>/dev/null || rm -f "${ENV_TMPFILE}"
            echo "🧹 Temp .env removed"
          fi

      # ═══════════════════════════════════════════════════
      # Step 8: Health Check (exponential backoff)
      # ═══════════════════════════════════════════════════
      - name: Health Check
        run: |
          echo "🏥 Health check..."
          RETRY=0
          MAX=6
          WAIT=1
          while [ $RETRY -lt $MAX ]; do
            RETRY=$((RETRY + 1))
            if curl -sf --max-time 10 https://nexus.noveria.net/health; then
              echo ""
              echo "✅ Health check passed (attempt $RETRY/$MAX)"
              exit 0
            fi
            echo "⏳ Attempt $RETRY/$MAX failed, waiting ${WAIT}s..."
            sleep $WAIT
            # Fibonacci-ish backoff: 1,2,3,5,8,13
            NEXT=$((WAIT + RETRY))
            [ $NEXT -le 15 ] && WAIT=$NEXT || WAIT=15
          done
          echo "❌ Health check failed after $MAX attempts"
          exit 1

      # ═══════════════════════════════════════════════════
      # Step 9: Smoke Test
      # ═══════════════════════════════════════════════════
      - name: Smoke Test
        run: |
          echo "🔍 Smoke test..."
          PASS=0
          FAIL=0
          BASE="https://nexus.noveria.net"

          check() {
            local path="$1" label="$2" expected="${3:-200}"
            local code
            code=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "${BASE}${path}")
            printf "  %-25s HTTP %s" "${label}:" "${code}"
            if [ "$code" = "$expected" ]; then
              echo " ✅"
              PASS=$((PASS + 1))
            else
              echo " ❌ (expected $expected)"
              FAIL=$((FAIL + 1))
            fi
          }

          check "/dashboard"                  "Dashboard"              200
          check "/health"                     "Health API"             200
          check "/api/v1/operations/snapshot" "Operations API (auth)" 401

          echo ""
          echo "Results: $PASS passed, $FAIL failed"
          if [ "$FAIL" -gt 0 ]; then
            echo "❌ Smoke test failed!"
            exit 1
          fi
          echo "✅ Smoke test passed — v${{ steps.version.outputs.version }} is live"

      # ═══════════════════════════════════════════════════
      # Step 10: Deployment Summary
      # ═══════════════════════════════════════════════════
      - name: Deployment Summary
        if: always()
        run: |
          TRIGGER="${{ github.event_name == 'workflow_run' && 'Auto (CI success)' || 'Manual (workflow_dispatch)' }}"
          VERSION_BUMP="${{ github.event_name == 'workflow_dispatch' && inputs.version_bump || 'patch (auto)' }}"
          echo ""
          echo "═══════════════════════════════════════"
          echo "  📦 Deploy Summary"
          echo "═══════════════════════════════════════"
          echo "  Version:     v${{ steps.version.outputs.version }}"
          echo "  Git ref:     ${{ github.event_name == 'workflow_dispatch' && inputs.git_ref || 'main' }}"
          echo "  Main bump:   ${{ steps.version.outputs.mutated_main }}"
          echo "  Service:     ${{ github.event_name == 'workflow_dispatch' && inputs.service || 'all' }}"
          echo "  Trigger:     ${TRIGGER}"
          echo "  Bump type:   ${VERSION_BUMP}"
          echo "  Actor:       @${{ gitea.actor }}"
          echo "  Status:      ${{ job.status }}"
          echo "═══════════════════════════════════════"

      # ═══════════════════════════════════════════════════
      # Step 11: Failure → Reviewer Handoff
      #
      # On failure: DevOps (Architekt) analyses the log,
      # notifies Reviewer (Code-Fixer) with the exact error.
      # This output provides a ready-to-copy message.
      # ═══════════════════════════════════════════════════
      - name: 🔴 Failure — Reviewer Handoff
        if: failure()
        run: |
          echo ""
          echo "┌─────────────────────────────────────────────────────────────┐"
          echo "│  🔴 DEPLOY FAILED — Reviewer muss fixen                     │"
          echo "├─────────────────────────────────────────────────────────────┤"
          echo "│                                                             │"
          echo "│  Version: v${{ steps.version.outputs.version }}"
          echo "│  Job:     ${{ gitea.server_url }}/${{ gitea.repository }}/actions/runs/${{ gitea.run_id }}"
          echo "│                                                             │"
          echo "│  → DevOps (Architekt) analysiert den Fehler                │"
          echo "│  → Reviewer (Code-Fixer) behebt das Problem                │"
          echo "│  → DevOps verifiziert mit neuem Deploy                     │"
          echo "│                                                             │"
          echo "│  Rollback: Trigger 'Rollback to Previous Version'           │"
          echo "│  workflow manuell in Gitea Actions.                         │"
          echo "│                                                             │"
          echo "└─────────────────────────────────────────────────────────────┘"