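# Reusable deployment workflow.
#
# Jobs:
#   detect-service-type  - checks whether a helmfile and a k8s manifest
#                          directory exist in the checked-out repository.
#   deploy-k8s           - creates the requested secrets, then applies the
#                          manifests with azure/k8s-deploy.
#   deploy-helm          - creates the requested secrets, then runs
#                          `helmfile apply`.
#   deployment-summary   - always runs and writes a step summary.
#
# Security: caller-supplied values (inputs, step outputs) are handed to shell
# steps through `env:` and read as quoted shell variables. Expanding
# `${{ ... }}` directly inside a `run:` script pastes the value into the
# script text before the shell parses it, so a crafted input (for example a
# single quote inside `custom_secrets`) would execute as code in a job that
# holds the cluster kubeconfig.
name: Deploy

on:
  workflow_call:
    inputs:
      # Optional: Override the default k8s directory path
      k8s_dir:
        description: "Path to Kubernetes manifests directory"
        required: false
        default: "k8s/"
        type: string
      # Optional: Override the default helmfile path
      helmfile_path:
        description: "Path to helmfile.yaml"
        required: false
        default: "helmfile.yaml"
        type: string
      # Optional: Skip Helm deployment even if helmfile exists
      skip_helm_deployment:
        description: "Skip Helm deployment even if helmfile.yaml exists"
        required: false
        default: false
        type: boolean
      # Optional: Custom secrets to create (JSON array of secret objects)
      # NOTE(review): this is a workflow *input*, not a `secrets:` entry, so
      # the values are not masked in logs or in the run's recorded inputs.
      # Confirm that callers only pass material that may appear there.
      custom_secrets:
        description: "JSON array of secrets to create. Each secret should have: name, type, data"
        required: false
        default: "[]"
        type: string
      # Optional: Branch to deploy from
      deploy_branch:
        description: "Branch to deploy from"
        required: false
        default: "main"
        type: string

jobs:
  detect-service-type:
    runs-on: ubuntu-latest
    outputs:
      has_helmfile: ${{ steps.check-helmfile.outputs.exists }}
      has_k8s: ${{ steps.check-k8s.outputs.exists }}
    steps:
      # NOTE(review): this checkout uses the default ref, while the deploy
      # jobs check out `inputs.deploy_branch`; detection may therefore look
      # at a different tree than the one that is deployed - confirm intent.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: Check if helmfile.yaml exists
        id: check-helmfile
        env:
          HELMFILE_PATH: ${{ inputs.helmfile_path }}
        run: |
          if [ -f "$HELMFILE_PATH" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "Found helmfile.yaml at $HELMFILE_PATH"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
            echo "No helmfile.yaml found at $HELMFILE_PATH"
          fi

      - name: Check if k8s directory exists
        id: check-k8s
        env:
          K8S_DIR: ${{ inputs.k8s_dir }}
        run: |
          if [ -d "$K8S_DIR" ]; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
            echo "Found k8s directory at $K8S_DIR"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
            echo "No k8s directory found at $K8S_DIR"
          fi

  deploy-k8s:
    runs-on: ubuntu-latest
    needs: detect-service-type
    if: needs.detect-service-type.outputs.has_k8s == 'true'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          ref: ${{ inputs.deploy_branch }}

      - uses: ./.gitea/actions/extract-namespace-from-repo-name
        id: namespace
        with:
          repo: ${{ github.repository }}

      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede  # v4.0.1

      # NOTE(review): KUBECONFIG is not declared under
      # `on.workflow_call.secrets`; callers presumably pass it with
      # `secrets: inherit` - confirm.
      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa  # v4.0.2
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}

      - name: Create custom secrets
        id: create-secrets
        env:
          CUSTOM_SECRETS: ${{ inputs.custom_secrets }}
          NAMESPACE: ${{ steps.namespace.outputs.namespace }}
        run: |
          # Parse custom secrets from input
          if [ "$CUSTOM_SECRETS" != "[]" ]; then
            echo "Creating custom secrets..."
            printf '%s\n' "$CUSTOM_SECRETS" | jq -c '.[]' | while read -r secret; do
              SECRET_NAME=$(printf '%s\n' "$secret" | jq -r '.name // empty')
              SECRET_TYPE=$(printf '%s\n' "$secret" | jq -r '.type // "generic"')
              SECRET_DATA=$(printf '%s\n' "$secret" | jq -r '.data')

              # Reject names that are empty, start with '-', or contain
              # characters outside [a-z0-9.-], so the value can never be
              # read by kubectl as an option. The rejected value is not
              # echoed back into the log.
              case "$SECRET_NAME" in
                "" | -* | *[!a-z0-9.-]*)
                  echo "::error::custom_secrets contains an invalid secret name"
                  exit 1
                  ;;
              esac

              # Only the `kubectl create secret` subcommands are accepted.
              case "$SECRET_TYPE" in
                generic | docker-registry | tls) ;;
                *)
                  echo "::error::Unsupported secret type for $SECRET_NAME"
                  exit 1
                  ;;
              esac

              echo "Creating secret: $SECRET_NAME (type: $SECRET_TYPE)"

              # Render the secret client-side and apply it, so re-runs update
              # an existing secret. stdin is detached so kubectl cannot
              # consume the loop's remaining input.
              kubectl create secret "$SECRET_TYPE" "$SECRET_NAME" \
                --from-literal=secret.json="$SECRET_DATA" \
                --namespace="$NAMESPACE" \
                --dry-run=client -o yaml < /dev/null | kubectl apply -f -
            done
          else
            echo "No custom secrets to create"
          fi

      - name: Deploy Kubernetes manifests
        uses: azure/k8s-deploy@c8cfec839dc09896b3b8cc40cd13d04792680771  # v5.1.0
        with:
          action: deploy
          manifests: "${{ inputs.k8s_dir }}"
          strategy: basic
          namespace: ${{ steps.namespace.outputs.namespace }}

  deploy-helm:
    runs-on: ubuntu-latest
    needs: detect-service-type
    # `skip_helm_deployment` is declared as a boolean input. Comparing a
    # boolean with the string 'true' is never equal under expression
    # coercion, so a string-only check would ignore the flag; both forms are
    # tested so the flag works whether the runner supplies a boolean or a
    # string.
    if: |
      needs.detect-service-type.outputs.has_helmfile == 'true' &&
      needs.detect-service-type.outputs.has_k8s == 'true' &&
      inputs.skip_helm_deployment != true &&
      inputs.skip_helm_deployment != 'true'
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          ref: ${{ inputs.deploy_branch }}

      - uses: ./.gitea/actions/extract-namespace-from-repo-name
        id: namespace
        with:
          repo: ${{ github.repository }}

      - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede  # v4.0.1

      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4  # v4

      - uses: azure/k8s-set-context@ae59a723ba9abe7a9655538854a025448dbab4aa  # v4.0.2
        with:
          method: kubeconfig
          kubeconfig: ${{ secrets.KUBECONFIG }}

      - name: Create custom secrets
        id: create-secrets
        env:
          CUSTOM_SECRETS: ${{ inputs.custom_secrets }}
          NAMESPACE: ${{ steps.namespace.outputs.namespace }}
        run: |
          # Parse custom secrets from input
          if [ "$CUSTOM_SECRETS" != "[]" ]; then
            echo "Creating custom secrets..."
            printf '%s\n' "$CUSTOM_SECRETS" | jq -c '.[]' | while read -r secret; do
              SECRET_NAME=$(printf '%s\n' "$secret" | jq -r '.name // empty')
              SECRET_TYPE=$(printf '%s\n' "$secret" | jq -r '.type // "generic"')
              SECRET_DATA=$(printf '%s\n' "$secret" | jq -r '.data')

              # Reject names that are empty, start with '-', or contain
              # characters outside [a-z0-9.-], so the value can never be
              # read by kubectl as an option. The rejected value is not
              # echoed back into the log.
              case "$SECRET_NAME" in
                "" | -* | *[!a-z0-9.-]*)
                  echo "::error::custom_secrets contains an invalid secret name"
                  exit 1
                  ;;
              esac

              # Only the `kubectl create secret` subcommands are accepted.
              case "$SECRET_TYPE" in
                generic | docker-registry | tls) ;;
                *)
                  echo "::error::Unsupported secret type for $SECRET_NAME"
                  exit 1
                  ;;
              esac

              echo "Creating secret: $SECRET_NAME (type: $SECRET_TYPE)"

              # Render the secret client-side and apply it, so re-runs update
              # an existing secret. stdin is detached so kubectl cannot
              # consume the loop's remaining input.
              kubectl create secret "$SECRET_TYPE" "$SECRET_NAME" \
                --from-literal=secret.json="$SECRET_DATA" \
                --namespace="$NAMESPACE" \
                --dry-run=client -o yaml < /dev/null | kubectl apply -f -
            done
          else
            echo "No custom secrets to create"
          fi

      # NOTE(review): `inputs.helmfile_path` is used for detection only; it
      # is not forwarded to this action, so a non-default path is presumably
      # ignored here - confirm against the action's inputs.
      - name: Deploy Helm
        uses: helmfile/helmfile-action@99b1d18ad3989701cf26a54e65baf4a3ee8156b0  # v2.4.0
        with:
          helmfile-args: apply

  # Summary job that always runs to show what was deployed
  deployment-summary:
    runs-on: ubuntu-latest
    needs: [detect-service-type, deploy-k8s, deploy-helm]
    if: always()
    steps:
      - name: Deployment Summary
        env:
          HAS_K8S: ${{ needs.detect-service-type.outputs.has_k8s }}
          HAS_HELMFILE: ${{ needs.detect-service-type.outputs.has_helmfile }}
          SKIP_HELM: ${{ inputs.skip_helm_deployment }}
          # Job results, so a failed or skipped deploy is not reported as
          # completed just because its manifests were detected.
          K8S_RESULT: ${{ needs.deploy-k8s.result }}
          HELM_RESULT: ${{ needs.deploy-helm.result }}
          SERVICE_TYPE: ${{ needs.detect-service-type.outputs.has_helmfile == 'true' && 'Helm + Kubernetes' || 'Kubernetes Only' }}
          CUSTOM_SECRETS: ${{ inputs.custom_secrets }}
        run: |
          echo "## Deployment Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"

          if [ "$HAS_K8S" != "true" ]; then
            echo "❌ **Kubernetes deployment**: Skipped (no k8s/ directory found)" >> "$GITHUB_STEP_SUMMARY"
          elif [ "$K8S_RESULT" = "success" ]; then
            echo "✅ **Kubernetes deployment**: Completed" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "❌ **Kubernetes deployment**: Not completed (job result: $K8S_RESULT)" >> "$GITHUB_STEP_SUMMARY"
          fi

          if [ "$HAS_HELMFILE" = "true" ] && [ "$SKIP_HELM" = "true" ]; then
            echo "⏭️ **Helm deployment**: Skipped (manually disabled)" >> "$GITHUB_STEP_SUMMARY"
          elif [ "$HAS_HELMFILE" != "true" ]; then
            echo "⏭️ **Helm deployment**: Skipped (no helmfile.yaml found)" >> "$GITHUB_STEP_SUMMARY"
          elif [ "$HELM_RESULT" = "success" ]; then
            echo "✅ **Helm deployment**: Completed" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "❌ **Helm deployment**: Not completed (job result: $HELM_RESULT)" >> "$GITHUB_STEP_SUMMARY"
          fi

          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "**Service Type**: $SERVICE_TYPE" >> "$GITHUB_STEP_SUMMARY"

          # Show custom secrets info (names and types only, never the data)
          if [ "$CUSTOM_SECRETS" != "[]" ]; then
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "**Custom Secrets Created**: $(printf '%s\n' "$CUSTOM_SECRETS" | jq length)" >> "$GITHUB_STEP_SUMMARY"
            printf '%s\n' "$CUSTOM_SECRETS" | jq -r '.[] | "- " + .name + " (" + (.type // "generic") + ")"' >> "$GITHUB_STEP_SUMMARY"
          fi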