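---
# Update Production Secrets
#
# Manually triggered workflow that pushes Ansible-vaulted secrets to the
# production host. It clones the deployment configuration itself (no
# actions/checkout), installs an SSH key for the `deploy` user, runs the
# setup-production-secrets playbook and then verifies over SSH that Docker
# secrets exist and that /home/deploy/secrets/.env.production was written.
#
# Secret handling (review notes):
#   - Secrets and the vault_password input are handed to shell steps through
#     `env:` instead of being expanded inside the `run:` text. An expanded
#     value containing quotes or shell metacharacters would otherwise become
#     part of the script itself (template injection) and show up in the
#     rendered step source.
#   - workflow_dispatch inputs are not secrets: the vault password is stored
#     in the run's event payload and is not masked in logs by default, so it
#     is masked explicitly with ::add-mask:: before first use. A secret-store
#     entry would be the safer home for it.
#   - Files holding the vault password and the SSH key are created under
#     `umask 077` so there is no window in which they are world-readable, and
#     both are removed again by `if: always()` steps (relevant on a
#     persistent self-hosted runner).
#   - `ssh-keyscan` below is trust-on-first-use on every run; pinning the
#     production host key instead would close that gap.
name: Update Production Secrets

on:
  workflow_dispatch:
    inputs:
      vault_password:
        description: 'Ansible Vault Password'
        required: true
        # `password` is not a workflow_dispatch input type (only string,
        # choice, boolean, number and environment are); the value is a string.
        type: string

env:
  DEPLOYMENT_HOST: '94.16.110.151'
  # Explicit clone target; later steps reference it via working-directory
  # rather than relying on the runner's default workspace path.
  REPO_DIR: /workspace/repo

jobs:
  deploy-secrets:
    name: Deploy Secrets to Production
    runs-on: php-ci  # pre-built PHP 8.5 CI image; Ansible is pre-installed
    environment:
      name: production-secrets
      url: https://michaelschiemer.de

    steps:
      - name: Checkout deployment configuration
        env:
          REF_NAME: ${{ github.ref_name }}
          REPO: ${{ github.repository }}
          CI_TOKEN: ${{ secrets.CI_TOKEN }}
        run: |
          set -euo pipefail
          REF_NAME="${REF_NAME:-main}"
          # NOTE(review): git clone fails if "$REPO_DIR" already exists with
          # content — on a persistent runner a pre-clean step may be needed.
          if [ -n "$CI_TOKEN" ]; then
            # Authenticated clone. The token is part of the remote URL and
            # would be persisted in .git/config, so the URL is scrubbed right
            # after the clone (it is still briefly visible in `ps` on the
            # runner; a credential helper would avoid that as well).
            git clone --depth 1 --branch "$REF_NAME" \
              "https://${CI_TOKEN}@git.michaelschiemer.de/${REPO}.git" \
              "$REPO_DIR"
            git -C "$REPO_DIR" remote set-url origin \
              "https://git.michaelschiemer.de/${REPO}.git"
          else
            # Anonymous clone; if REF_NAME is not a branch on the remote,
            # fall back to the remote's default branch.
            git clone --depth 1 --branch "$REF_NAME" \
              "https://git.michaelschiemer.de/${REPO}.git" \
              "$REPO_DIR" || \
            git clone --depth 1 \
              "https://git.michaelschiemer.de/${REPO}.git" \
              "$REPO_DIR"
          fi

      - name: Setup SSH key
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          # umask 077 makes the key file 0600 from creation instead of
          # narrowing it with chmod after a world-readable write.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/production
          # NOTE(review): trust-on-first-use on every run. Pinning the host's
          # public key (e.g. from a repository secret) would detect a swapped
          # host; ssh-keyscan records whatever key the network answers with.
          ssh-keyscan -H "$DEPLOYMENT_HOST" >> ~/.ssh/known_hosts

      - name: Verify Ansible installation
        run: ansible --version

      - name: Create vault password file
        env:
          VAULT_PASSWORD: ${{ github.event.inputs.vault_password }}
        run: |
          set -euo pipefail
          # Inputs are not masked automatically; mask before the value can
          # reach any log line.
          echo "::add-mask::${VAULT_PASSWORD}"
          umask 077
          printf '%s\n' "$VAULT_PASSWORD" > /tmp/.vault_pass

      - name: Deploy secrets via Ansible
        # Absolute path: a `cd` in an earlier step does not carry over, and
        # the runner's default workspace is not necessarily the clone target.
        working-directory: ${{ env.REPO_DIR }}/deployment/ansible
        run: |
          set -euo pipefail
          ansible-playbook -i inventory/production.yml \
            playbooks/setup-production-secrets.yml \
            --vault-password-file /tmp/.vault_pass

      - name: Cleanup vault password
        if: always()
        run: rm -f /tmp/.vault_pass

      - name: Verify secrets deployment
        run: |
          set -euo pipefail
          # BatchMode: fail instead of hanging on an interactive prompt if
          # key auth or the host-key check does not go through.
          ssh -i ~/.ssh/production -o BatchMode=yes \
            "deploy@${DEPLOYMENT_HOST}" \
            "docker secret ls && test -f /home/deploy/secrets/.env.production"

      - name: Notify deployment success
        if: success()
        run: |
          echo "✅ Secrets deployed successfully to production"
          echo "Services will be restarted automatically"

      - name: Notify deployment failure
        if: failure()
        run: |
          echo "❌ Secrets deployment failed"
          echo "Check Ansible logs for details"

      - name: Cleanup SSH key
        # Runs last so the verify step above can still use the key; removes
        # it even when an earlier step failed.
        if: always()
        run: rm -f ~/.ssh/production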