name: build-and-push

on:
  push:
    branches:
      - main
      - high-performance

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      DOCKER_HOST: unix:///var/run/docker.sock
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        run: |
          export DOCKER_HOST=unix:///var/run/docker.sock
          docker version
          docker buildx create --use || true
          docker buildx inspect --bootstrap

      - name: Login to Registry
        env:
          REGISTRY_HOSTPORT: ${{ secrets.REGISTRY_HOSTPORT }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          export DOCKER_HOST=unix:///var/run/docker.sock
          test -n "$REGISTRY_HOSTPORT"
          echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_HOSTPORT" -u "$REGISTRY_USERNAME" --password-stdin

      - name: Build and push
        env:
          REGISTRY_HOSTPORT: ${{ secrets.REGISTRY_HOSTPORT }}
        run: |
          set -euo pipefail
          export DOCKER_HOST=unix:///var/run/docker.sock
          docker buildx build --push \
            -f Dockerfile \
            -t "$REGISTRY_HOSTPORT/nxtgauge-ai-assistant:${{ gitea.sha }}" \
            -t "$REGISTRY_HOSTPORT/nxtgauge-ai-assistant:main-latest" \
            .

      - name: Prune old image tags (keep latest 1 SHA)
        if: success()
        continue-on-error: true
        env:
          REGISTRY_HOST: ${{ secrets.REGISTRY_HOSTPORT }}
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          set -euo pipefail
          python3 .gitea/scripts/registry_prune.py \
            --registry "$REGISTRY_HOST" \
            --repo "nxtgauge-ai-assistant" \
            --username "$REGISTRY_USERNAME" \
            --password "$REGISTRY_PASSWORD" \
            --keep 1

      - name: Update GitOps and trigger deployment
        if: success()
        continue-on-error: true
        env:
          GITEOPS_REPO: ${{ secrets.GITEOPS_REPO }}
          GITEOPS_SSH_KEY: ${{ secrets.GITEOPS_SSH_KEY }}
        run: |
          set -euo pipefail

          if [ -z "$GITEOPS_REPO" ]; then
            echo "GITEOPS_REPO secret not set, skipping GitOps update"
            exit 0
          fi

          GITEOPS_DIR=$(mktemp -d)
          git clone "$GITEOPS_REPO" "$GITEOPS_DIR"
          cd "$GITEOPS_DIR"

          mkdir -p ~/.ssh
          echo "$GITEOPS_SSH_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan github.com >> ~/.ssh/known_hosts 2>/dev/null

          python3 .gitea/scripts/update-gitops.py \
            --repo "$GITEOPS_DIR" \
            --service "ai-assistant" \
            --sha "${{ gitea.sha }}" \
            --message "chore: deploy ai-assistant@${{ gitea.sha }}"

          rm -rf "$GITEOPS_DIR"