name: deploy

on:
  push:
    branches:
      - main
  workflow_dispatch:

jobs:
  deploy:
    runs-on: linux-amd64
    env:
      IMAGE_TAG: ${{ github.sha }}
      REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
      PROJECT_NAME: ${{ vars.PROJECT_NAME || 'unrip' }}
      PROJECT_NAMESPACE: ${{ vars.PROJECT_NAMESPACE || vars.PROJECT_NAME || 'unrip' }}
      PROJECT_DEPLOYMENTS: ${{ vars.PROJECT_DEPLOYMENTS || 'near-intents-ingest,dummy-reactor,dummy-executor,dummy-consumer' }}
      PROJECT_REGISTRY_SECRET_NAME: ${{ vars.PROJECT_REGISTRY_SECRET_NAME || format('{0}-registry-creds', vars.PROJECT_NAME || 'unrip') }}
      REPO_CLONE_URL: ${{ github.server_url }}/${{ github.repository }}.git
    steps:
      - name: Install tooling
        run: |
          apk add --no-cache git kubectl

      - name: Load kubeconfig
        run: |
          mkdir -p "$HOME/.kube"
          printf '%s' '${{ secrets.KUBECONFIG_B64 }}' | base64 -d > "$HOME/.kube/config"
          kubectl get ns

      - name: Checkout repo
        env:
          REPO_TOKEN: ${{ github.token }}
        run: |
          git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" clone --depth=1 "${REPO_CLONE_URL}" /workspace
          cd /workspace
          git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout --detach "${GITHUB_SHA}"

      - name: Resolve deployment settings
        run: |
          IMAGE="$REGISTRY_HOST/$PROJECT_NAME:$IMAGE_TAG"
          BUILD_JOB="image-build-${GITHUB_SHA:0:12}"
          {
            echo "IMAGE=$IMAGE"
            echo "BUILD_JOB=$BUILD_JOB"
          } >> "$GITHUB_ENV"

      - name: Apply manifests
        run: |
          kubectl apply -k /workspace/deploy/k8s/base

      - name: Build and push image in-cluster
        env:
          REPO_TOKEN: ${{ github.token }}
        run: |
          cat <<EOF | kubectl apply -f -
          apiVersion: batch/v1
          kind: Job
          metadata:
            name: ${BUILD_JOB}
            namespace: ${PROJECT_NAMESPACE}
          spec:
            backoffLimit: 0
            ttlSecondsAfterFinished: 3600
            template:
              spec:
                restartPolicy: Never
                volumes:
                  - name: workspace
                    emptyDir: {}
                  - name: registry-creds
                    secret:
                      secretName: ${PROJECT_REGISTRY_SECRET_NAME}
                      items:
                        - key: .dockerconfigjson
                          path: config.json
                initContainers:
                  - name: checkout
                    image: alpine/git:2.47.2
                    env:
                      - name: REPO_TOKEN
                        value: ${REPO_TOKEN}
                      - name: REPO_CLONE_URL
                        value: ${REPO_CLONE_URL}
                      - name: GITHUB_SHA
                        value: ${GITHUB_SHA}
                    command: ["/bin/sh", "-lc"]
                    args:
                      - >-
                        git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" clone --depth=1 "${REPO_CLONE_URL}" /workspace &&
                        cd /workspace &&
                        git -c credential.username=oauth2 -c http.extraHeader="Authorization: Bearer ${REPO_TOKEN}" fetch --depth=1 origin "${GITHUB_SHA}" &&
                        git checkout --detach "${GITHUB_SHA}"
                    volumeMounts:
                      - name: workspace
                        mountPath: /workspace
                containers:
                  - name: kaniko
                    image: gcr.io/kaniko-project/executor:v1.23.2-debug
                    args:
                      - --context=/workspace
                      - --dockerfile=/workspace/Dockerfile
                      - --destination=${IMAGE}
                      - --cache=true
                    volumeMounts:
                      - name: workspace
                        mountPath: /workspace
                      - name: registry-creds
                        mountPath: /kaniko/.docker
          EOF
          kubectl -n "$PROJECT_NAMESPACE" wait --for=condition=Complete --timeout=20m "job/$BUILD_JOB"
          kubectl -n "$PROJECT_NAMESPACE" logs "job/$BUILD_JOB"

      - name: Roll deployments to new image
        run: |
          IFS=',' read -r -a DEPLOYMENTS <<< "$PROJECT_DEPLOYMENTS"

          for deployment in "${DEPLOYMENTS[@]}"; do
            deployment="$(echo "$deployment" | xargs)"
            [ -n "$deployment" ] || continue

            kubectl -n "$PROJECT_NAMESPACE" set image "deployment/$deployment" app="$IMAGE"
            kubectl -n "$PROJECT_NAMESPACE" rollout status "deployment/$deployment" --timeout=180s
          done