name: Build and Deploy

on:
  push:
    branches: [main]
  workflow_dispatch:

env:
  SERVICE_NAME: moneycapp-tink-demo
  IMAGE: registry.i80.dk/gitea/moneycapp-tink-demo

jobs:
  deploy:
    runs-on: debian-host

    env:
      PATH: /usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/bin:/snap/bin
      NOMAD_ADDR: "https://nomad.i80.dk:4646"

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Log in to Docker Registry
        run: |
          echo "${{ secrets.HARBOR_ROBOT_TOKEN }}" | docker login registry.i80.dk -u "robot\$gitserver" --password-stdin

      - name: Write production env
        run: |
          cat > .env.production << 'ENVEOF'
          TINK_CLIENT_ID=${{ secrets.TINK_CLIENT_ID }}
          TINK_CLIENT_SECRET=${{ secrets.TINK_CLIENT_SECRET }}
          TINK_REDIRECT_URI=https://tink-demo.i80.dk/callback
          APP_BASE_URL=https://tink-demo.i80.dk
          DEMO_MODE=false
          ENVEOF
          # Strip leading spaces
          sed -i 's/^[[:space:]]*//' .env.production

      - name: Build and push image
        run: |
          docker build -t ${IMAGE}:latest .
          docker push ${IMAGE}:latest

      - name: Validate Nomad job
        run: nomad job validate ${SERVICE_NAME}.nomad

      - name: Deploy to Nomad
        run: nomad job run ${SERVICE_NAME}.nomad

      - name: Health check
        run: |
          sleep 15
          curl -sf https://tink-demo.i80.dk/ || echo "Not yet reachable via Traefik"