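# Opens (or dry-runs) a GitOps pull request that bumps the container image of
# the fuj-management deployment in the home-kubernetes repository.
#
# Security notes for maintainers:
# - Values that come from the triggering event (tag input, triggering ref name)
#   are passed to shell steps through `env:` and never interpolated into the
#   script text with ${{ }}, so they cannot alter the script itself.
# - The Gitea token is scoped to the steps that use it instead of the whole
#   job container.
name: GitOps image update

on:
  # Auto-fires when "Build and Push" completes successfully (tag push).
  workflow_run:
    workflows: ["Build and Push"]
    types: [completed]
  # Manual trigger for dry-runs and one-off bumps.
  workflow_dispatch:
    inputs:
      tag:
        description: "Git tag to deploy (without the -go suffix, e.g. 0.37)"
        required: true
      dry_run:
        description: "Dry run — print diff, do not open a PR"
        type: boolean
        default: false
      uh_cli_version:
        description: "uh-cli version override (e.g. v0.2.0). Defaults to v0.1.0."
        required: false

env:
  TEA_VERSION: "0.9.2"
  # Resolved priority: manual input → repo/org variable → hardcoded default.
  UH_CLI_VERSION: "${{ inputs.uh_cli_version || vars.UH_CLI_VERSION || 'v0.1.0' }}"

jobs:
  gitops-pr:
    runs-on: ubuntu-latest
    # Skip if triggered by workflow_run that did not succeed.
    if: >
      github.event_name == 'workflow_dispatch' ||
      github.event.workflow_run.conclusion == 'success'
    container:
      # NOTE(review): `latest` is a floating tag, so the job's base image can
      # change between runs. Pin a release tag or an image digest.
      image: ubuntu:latest
    steps:
      - name: Install git, curl, ca-certificates
        run: |
          apt-get update -qq
          apt-get install -y --no-install-recommends git curl ca-certificates

      # NOTE(review): the binary is downloaded and made executable without a
      # checksum or signature check, and later steps run in the same container
      # with the Gitea token. Record the expected SHA-256 for TEA_VERSION and
      # verify it (sha256sum -c) before chmod.
      - name: Install tea
        run: |
          curl -fsSL \
            "https://gitea.com/gitea/tea/releases/download/v${TEA_VERSION}/tea-${TEA_VERSION}-linux-amd64" \
            -o /usr/local/bin/tea
          chmod +x /usr/local/bin/tea

      # NOTE(review): same as above — no integrity check on the download, and
      # UH_CLI_VERSION can come from a manual input. Verify a pinned SHA-256
      # per released version before chmod.
      - name: Install uh-cli
        run: |
          curl -fsSL \
            "https://gitea.home.hrajfrisbee.cz/kacerr/uh-cli/releases/download/${UH_CLI_VERSION}/uh-cli-${UH_CLI_VERSION}-linux-amd64" \
            -o /usr/local/bin/uh-cli
          chmod +x /usr/local/bin/uh-cli

      - name: Resolve image tag
        id: resolve
        env:
          EVENT_NAME: "${{ github.event_name }}"
          DISPATCH_TAG: "${{ inputs.tag }}"
          # workflow_run: use the ref name of the triggering workflow (the pushed git tag).
          TRIGGER_REF: "${{ github.event.workflow_run.head_branch }}"
          REPOSITORY: "${{ github.repository }}"
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            GIT_TAG="$DISPATCH_TAG"
          else
            GIT_TAG="$TRIGGER_REF"
          fi
          # The tag becomes part of an image reference and of a line written
          # to $GITHUB_OUTPUT, so reject empty values and anything outside the
          # characters a container image tag can hold (this also rules out
          # newlines that could add extra output entries).
          case "$GIT_TAG" in
            '' | *[!A-Za-z0-9._-]*)
              echo "Refusing git tag: empty or contains characters outside [A-Za-z0-9._-]" >&2
              exit 1
              ;;
          esac
          IMAGE="gitea.home.hrajfrisbee.cz/${REPOSITORY}:${GIT_TAG}-go"
          echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"
          echo "Resolved image: ${IMAGE}"

      - name: Configure git identity and credentials
        env:
          GITEA_TOKEN: "${{ secrets.GITOPS_TOKEN }}"
        run: |
          git config --global user.name "uh-cli bot"
          git config --global user.email "bot@hrajfrisbee.cz"
          # Store credentials separately so the --git-repo URL stays clean.
          # Tea matches the login URL against the remote URL; embedded credentials
          # break that matching and cause "path segment [0] is empty" on pr create.
          git config --global credential.helper store
          # Make sure a newly created credentials file is not group/world readable.
          umask 077
          echo "https://kacerr:${GITEA_TOKEN}@gitea.home.hrajfrisbee.cz" >> ~/.git-credentials

      - name: Authenticate tea
        env:
          GITEA_TOKEN: "${{ secrets.GITOPS_TOKEN }}"
        run: |
          tea login add \
            --name ci \
            --url https://gitea.home.hrajfrisbee.cz \
            --token "$GITEA_TOKEN"

      - name: Open image-update PR (or dry run)
        env:
          # Kept available here in case uh-cli reads the token from the
          # environment — TODO confirm; drop it if the stored git credentials
          # and the tea login are sufficient.
          GITEA_TOKEN: "${{ secrets.GITOPS_TOKEN }}"
          IMAGE: "${{ steps.resolve.outputs.image }}"
          EVENT_NAME: "${{ github.event_name }}"
          DRY_RUN: "${{ inputs.dry_run }}"
        run: |
          set -x
          set -- \
            --deployment-name fuj-management \
            --deployment-namespace fuj \
            --set-image "$IMAGE" \
            --git-repo "https://gitea.home.hrajfrisbee.cz/kacerr/home-kubernetes" \
            --git-path gitops/home-kubernetes
          # Decide on --dry-run in the shell: the comparison on the rendered
          # text holds whether the runner hands the boolean input over as a
          # boolean or as the string "true", so a requested dry run cannot
          # silently turn into a real PR.
          if [ "$EVENT_NAME" = "workflow_dispatch" ] && [ "$DRY_RUN" = "true" ]; then
            set -- "$@" --dry-run
          fi
          uh-cli -v gitops deployment update "$@"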