name: ReleaseApp (JS finder + download)

on:
  workflow_dispatch: {}

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      GITEA_BASE_URL: https://code.bim-it.pl
      OWNER: mz
      REPO: DiunaBI
      REQUIRED_ARTIFACTS: frontend,webapi
      SCAN_LIMIT: "100"

    steps:
      - name: Checkout
        uses: https://github.com/actions/checkout@v4

      - name: Use Node.js 20
        uses: https://github.com/actions/setup-node@v4
        with:
          node-version: 20

      - name: Install unzip (for extraction)
        run: |
          sudo apt-get update
          sudo apt-get install -y unzip

      - name: Resolve latest run that exposes required artifacts
        id: resolve
        env:
          GITEA_PAT: ${{ secrets.GITEATOKEN }}
        run: |
          node .gitea/scripts/getLatestRunWithArtifacts.js
          echo "Resolved run_id: $(cat .gitea/.cache/run_id)"
          echo "run_id=$(cat .gitea/.cache/run_id)" >> "$GITHUB_OUTPUT"

      - name: Download frontend artifact
        env:
          GITEA_PAT: ${{ secrets.GITEATOKEN }}
          ARTIFACT_NAME: frontend
          RUN_ID: ${{ steps.resolve.outputs.run_id }}
          OUTPUT_DIR: artifacts/frontend
        run: |
          node .gitea/scripts/downloadArtifactByName.js

      - name: Download webapi artifact
        env:
          GITEA_PAT: ${{ secrets.GITEATOKEN }}
          ARTIFACT_NAME: webapi
          RUN_ID: ${{ steps.resolve.outputs.run_id }}
          OUTPUT_DIR: artifacts/webapi
        run: |
          node .gitea/scripts/downloadArtifactByName.js

      - name: Show artifact structure
        run: |
          echo "::group::frontend"
          ls -laR artifacts/frontend || true
          echo "::endgroup::"
          echo "::group::webapi"
          ls -laR artifacts/webapi || true
          echo "::endgroup::"
          
      - name: Tokenize (replace #{...}# from secrets/vars)
        env:
          SECRETS: ${{ toJson(secrets) }}
          VARIABLES: ${{ toJson(vars) }}
          RUN_ID: ${{ steps.resolve.outputs.run_id }}
        run: |
            set -euo pipefail
            node .gitea/scripts/replaceTokens.js
          
      - name: Package artifacts as ZIPs
        run: |
          mkdir -p build
          (cd artifacts/frontend && zip -rq ../../build/DiunaBI-Morska-Frontend.zip .)
          (cd artifacts/webapi && zip -rq ../../build/DiunaBI-Morska-WebApi.zip .)
          ls -la build
          
      - name: Upload artifacts to remote server
        env:
          SSH_PRIVATE_KEY: ${{ secrets.GITEARUNNER_SSH_KEY }}
          SSH_USER: mz
          SSH_HOST: bim-it.pl
          REMOTE_DIR: deployment
        run: |
          set -euo pipefail
          
          umask 077
          echo "$SSH_PRIVATE_KEY" > private_key
          chmod 600 private_key
          
          mkdir -p ~/.ssh
          ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts
          
          ssh -i private_key "$SSH_USER@$SSH_HOST" "mkdir -p ~/$REMOTE_DIR"
          
          scp -i private_key build/DiunaBI-Morska-Frontend.zip "$SSH_USER@$SSH_HOST:~/$REMOTE_DIR/"
          scp -i private_key build/DiunaBI-Morska-WebApi.zip "$SSH_USER@$SSH_HOST:~/$REMOTE_DIR/"
          
          shred -u private_key
          
      - name: Run release script on remote server
        env:
          SSH_PRIVATE_KEY: ${{ secrets.GITEARUNNER_SSH_KEY }}
          SSH_USER: mz
          SSH_HOST: bim-it.pl
        run: |
          set -euo pipefail

          umask 077
          echo "$SSH_PRIVATE_KEY" > private_key
          chmod 600 private_key

          mkdir -p ~/.ssh
          ssh-keyscan -H "$SSH_HOST" >> ~/.ssh/known_hosts

          ssh -i private_key "$SSH_USER@$SSH_HOST" "./deployment/DiunaBI-Morska.Release.sh"

          shred -u private_key