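---
# Release traceability pipeline: build -> deploy -> validate.
# The image identity is derived once in `build` and handed to the later jobs
# as job outputs, so the artifact that gets deployed and then validated on the
# target host is the one produced by this run.
name: release-traceability

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
  workflow_dispatch: {}

# Least privilege for GITHUB_TOKEN: the only GitHub API use visible in these
# jobs is `actions/checkout`, which needs read access to the repository.
# Artifact upload/download use the Actions runtime token, not GITHUB_TOKEN.
# If push-image-placeholder.sh is replaced by a real registry push, grant
# `packages: write` on the `build` job only instead of widening this default.
permissions:
  contents: read

# Serialise runs per ref so two pushes to main cannot deploy to the same host
# at once; a deploy already in flight is never cancelled half-way.
concurrency:
  group: release-traceability-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build:
    runs-on: ubuntu-latest
    # `service_image_ref` is consumed by deploy and validate. The tag and
    # commit outputs are exposed for consumers outside this file; nothing in
    # this workflow reads them.
    outputs:
      service_image_ref: ${{ steps.meta.outputs.service_image_ref }}
      service_image_tag: ${{ steps.meta.outputs.service_image_tag }}
      service_image_commit: ${{ steps.meta.outputs.service_image_commit }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # Single source of truth for the image identity used by every later job.
      - name: Derive image identity
        id: meta
        run: bash ./scripts/github-actions/resolve-service-image-ref.sh

      - name: Build image
        env:
          SERVICE_IMAGE_REF: ${{ steps.meta.outputs.service_image_ref }}
          SERVICE_IMAGE_LATEST_REF: ghcr.io/${{ github.repository }}:latest
        run: bash ./scripts/github-actions/build-service-image.sh

      - name: Build linux binary artifact
        env:
          BILLING_SERVICE_BINARY_ARTIFACT: dist/billing-service-linux-amd64
        run: bash ./scripts/github-actions/build-service-binary.sh

      # `if-no-files-found: error` makes a missing binary fail the build here
      # rather than surfacing as a confusing download failure in `deploy`.
      - name: Upload billing-service binary artifact
        uses: actions/upload-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          name: billing-service-linux-amd64
          path: dist/billing-service-linux-amd64
          if-no-files-found: error

      - name: Push image
        run: bash ./scripts/github-actions/push-image-placeholder.sh

  deploy:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download billing-service binary artifact
        uses: actions/download-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: billing-service-linux-amd64
          path: dist

      - name: Install ansible
        run: sudo apt-get update && sudo apt-get install -y ansible

      # The key is passed via `env` (not interpolated into the script) so it
      # never appears in the rendered command line.
      - name: Configure deploy SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          test -n "${SSH_PRIVATE_KEY}"
          install -d -m 0700 ~/.ssh
          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          # ssh-keyscan records whatever host key the network answers with
          # (trust on first use). Pinning a known host key, e.g. from a
          # repository variable, would remove that window on every run.
          ssh-keyscan -H jp-xhttp-contabo.svc.plus >> ~/.ssh/known_hosts

      - name: Deploy via playbook
        env:
          BILLING_SERVICE_IMAGE_REF: ${{ needs.build.outputs.service_image_ref }}
          BILLING_SERVICE_BINARY_ARTIFACT: dist/billing-service-linux-amd64
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
          INTERNAL_SERVICE_TOKEN: ${{ secrets.INTERNAL_SERVICE_TOKEN }}
          STACK_TARGET_HOST: jp-xhttp-contabo.svc.plus
        run: bash ./scripts/github-actions/deploy-billing-service.sh

  validate:
    runs-on: ubuntu-latest
    # Depends on both so the validation runs against the deployed state and
    # can compare it with the identity produced by `build`.
    needs:
      - build
      - deploy
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Verify workflow dependency chain
        run: bash ./scripts/github-actions/test-release-traceability-workflow.sh

      - name: Verify traceability script cases
        run: bash ./scripts/github-actions/test-validate-release-traceability.sh

      # Same SSH bootstrap as in `deploy`; kept in step so each job stands alone.
      - name: Configure validate SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          test -n "${SSH_PRIVATE_KEY}"
          install -d -m 0700 ~/.ssh
          printf '%s\n' "${SSH_PRIVATE_KEY}" > ~/.ssh/id_ed25519
          chmod 0600 ~/.ssh/id_ed25519
          # See the note on the deploy job: trust-on-first-use host key.
          ssh-keyscan -H jp-xhttp-contabo.svc.plus >> ~/.ssh/known_hosts

      - name: Validate runtime traceability
        env:
          SERVICE_IMAGE_REF: ${{ needs.build.outputs.service_image_ref }}
          STACK_TARGET_HOST: jp-xhttp-contabo.svc.plus
        run: bash ./scripts/github-actions/validate-release-traceability-remote.sh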