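# Scheduled (and manually triggerable) workflow that checks out the deployment
# repository on the runner and runs the Ansible system-maintenance playbook
# against the production inventory over SSH.
name: System Maintenance

on:
  schedule:
    # Daily at 02:30 UTC (≈ 03:30 CET / 04:30 CEST)
    - cron: '30 2 * * *'
  workflow_dispatch:

env:
  # Quoted so the address is always read as a string.
  DEPLOYMENT_HOST: '94.16.110.151'

jobs:
  run-maintenance:
    name: Run Ansible System Maintenance
    runs-on: php-ci
    environment:
      name: production
      url: https://michaelschiemer.de
    steps:
      - name: Checkout deployment repository
        # Context values and secrets are handed to the script as environment
        # variables rather than expanded into the script text with ${{ }}.
        # Expression expansion happens before the shell parses the script, so
        # a ref name containing shell metacharacters would otherwise be
        # interpreted as code, and the token would be part of the script body.
        env:
          REF_NAME: ${{ github.ref_name }}
          REPO: ${{ github.repository }}
          CI_TOKEN: ${{ secrets.CI_TOKEN }}
        run: |
          # Fall back to "main" when the trigger supplies no ref name.
          REF_NAME="${REF_NAME:-main}"
          echo "📋 Cloning branch: $REF_NAME"
          if [ -n "$CI_TOKEN" ]; then
            git clone --depth 1 --branch "$REF_NAME" \
              "https://${CI_TOKEN}@git.michaelschiemer.de/${REPO}.git" \
              /workspace/repo
            # git stores the clone URL, including the token, in .git/config.
            # Reset the remote so the credential does not stay on the runner.
            # NOTE(review): assumes no later step fetches from origin - confirm.
            git -C /workspace/repo remote set-url origin \
              "https://git.michaelschiemer.de/${REPO}.git"
          else
            # Anonymous clone; if the branch does not exist, retry with the
            # repository's default branch.
            git clone --depth 1 --branch "$REF_NAME" \
              "https://git.michaelschiemer.de/${REPO}.git" \
              /workspace/repo || \
            git clone --depth 1 \
              "https://git.michaelschiemer.de/${REPO}.git" \
              /workspace/repo
          fi
          # Each step starts its own shell, so this cd does not carry over;
          # it only makes the step fail if the checkout directory is missing.
          cd /workspace/repo

      - name: Prepare SSH access
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          if [ -z "$SSH_PRIVATE_KEY" ]; then
            echo "SSH_PRIVATE_KEY secret is not set" >&2
            exit 1
          fi
          # Restrictive umask first, so the key file is never created with
          # group/world-readable permissions, not even before the chmod.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/production
          chmod 600 ~/.ssh/production
          # NOTE(review): ssh-keyscan records whatever host key the network
          # returns at this moment, on every run, so it does not authenticate
          # the host. Prefer provisioning the host's public key out of band
          # (for example from a repository secret or variable) and writing
          # that to known_hosts instead of scanning.
          ssh-keyscan -H "$DEPLOYMENT_HOST" >> ~/.ssh/known_hosts

      - name: Verify Ansible availability
        run: ansible --version

      - name: Run system maintenance playbook
        # Presumably the production inventory points at ~/.ssh/production as
        # the private key - verify against inventory/production.yml.
        run: |
          cd /workspace/repo/deployment/ansible
          ansible-playbook -i inventory/production.yml \
            playbooks/system-maintenance.yml

      - name: Cleanup SSH key
        # always() so the private key is removed even when an earlier step
        # failed.
        if: always()
        run: rm -f ~/.ssh/production

      - name: Report success
        if: success()
        run: echo "✅ System maintenance completed"

      - name: Report failure
        if: failure()
        run: echo "❌ System maintenance failed – review Ansible logs"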