import test from 'node:test';
import assert from 'node:assert/strict';
import { readFileSync } from 'node:fs';

const workflow = readFileSync(new URL('../.forgejo/workflows/deploy.yml', import.meta.url), 'utf8');
const forgejoBootstrap = readFileSync(new URL('../scripts/deploy/forgejo_repo_bootstrap.py', import.meta.url), 'utf8');

test('deploy workflow upserts dashboard password before applying public dashboard manifest', () => {
  assert.match(workflow, /name: Upsert runtime secrets/);
  assert.match(workflow, /OPERATOR_DASHBOARD_AUTH_PASSWORD: \$\{\{ secrets\.OPERATOR_DASHBOARD_AUTH_PASSWORD \}\}/);
  assert.match(workflow, /missing required repo action secret OPERATOR_DASHBOARD_AUTH_PASSWORD/);
  assert.match(workflow, /patch secret "\$\{PROJECT_NAME\}-secrets"/);
  assert.match(workflow, /--patch-file "\$patch_file"/);
});

test('deploy workflow recreates immutable topic bootstrap job through the repo path', () => {
  const deleteIndex = workflow.indexOf('delete job redpanda-topic-bootstrap --ignore-not-found=true');
  const applyIndex = workflow.indexOf('kubectl kustomize "$WORKSPACE_DIR/deploy/k8s/base"');
  assert.ok(deleteIndex > -1, 'workflow deletes the immutable bootstrap job');
  assert.ok(applyIndex > -1, 'workflow applies rendered manifests');
  assert.ok(deleteIndex < applyIndex, 'workflow deletes the immutable bootstrap job before applying manifests');
});

test('Forgejo bootstrap can publish dashboard password as a repo action secret', () => {
  assert.match(forgejoBootstrap, /--operator-dashboard-auth-password/);
  assert.match(forgejoBootstrap, /OPERATOR_DASHBOARD_AUTH_PASSWORD/);
  assert.match(forgejoBootstrap, /upserted repo action secret OPERATOR_DASHBOARD_AUTH_PASSWORD/);
});