name: build-test-deploy

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-22.04
    env:
      PUBLIC_AUTH_SIGNIN_URL: ${{ vars.PUBLIC_AUTH_SIGNIN_URL }}
      PUBLIC_AUTH_SIGNUP_URL: ${{ vars.PUBLIC_AUTH_SIGNUP_URL }}
      PUBLIC_SALES_EMAIL: ${{ vars.PUBLIC_SALES_EMAIL }}

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run unit tests
        run: npm test

      - name: Build site
        run: npm run build

      - name: Guard — no TBD markers may ship in built HTML
        run: |
          if grep -rl 'TBD:' dist 2>/dev/null | grep -E '\.(html|svg)$'; then
            echo "Built output contains unfilled <TBD:...> markers."
            echo "Fill in imprint.astro and privacy.astro operator fields before merging to main."
            exit 1
          fi

      - name: Validate HTML
        run: npm run lint:html

      - name: Check internal links
        run: npm run lint:links

      - name: Lighthouse CI
        run: npx lhci autorun

      - name: Upload dist artifact
        if: github.ref == 'refs/heads/main'
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: dist/
          retention-days: 7

  deploy:
    if: github.ref == 'refs/heads/main'
    needs: build
    runs-on: ubuntu-22.04
    concurrency:
      group: deploy-production
      cancel-in-progress: false

    steps:
      - name: Download dist artifact
        uses: actions/download-artifact@v4
        with:
          name: dist
          path: dist/

      - name: Configure SSH
        env:
          SFTP_KEY: ${{ secrets.SFTP_KEY }}
          SFTP_KNOWN_HOSTS: ${{ secrets.SFTP_KNOWN_HOSTS }}
        run: |
          mkdir -p ~/.ssh
          echo "$SFTP_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          echo "$SFTP_KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 644 ~/.ssh/known_hosts

      - name: Deploy via rsync
        env:
          SFTP_USER: ${{ secrets.SFTP_USER }}
          SFTP_HOST: ${{ secrets.SFTP_HOST }}
          SFTP_PATH: ${{ secrets.SFTP_PATH }}
        run: |
          # Fail loudly if any secret is missing — otherwise rsync --delete
          # could be directed at the SSH user's home root.
          : "${SFTP_USER:?SFTP_USER secret must be set}"
          : "${SFTP_HOST:?SFTP_HOST secret must be set}"
          : "${SFTP_PATH:?SFTP_PATH secret must be set}"
          rsync -avz --delete \
            -e "ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=~/.ssh/known_hosts" \
            dist/ "$SFTP_USER@$SFTP_HOST:$SFTP_PATH/"

      - name: Post-deploy smoke test
        run: |
          set -e
          echo "Checking security headers on www.cameleer.io..."
          HEADERS=$(curl -sI https://www.cameleer.io/ || echo "")
          echo "$HEADERS" | grep -i '^strict-transport-security:' || { echo "HSTS missing"; exit 1; }
          echo "$HEADERS" | grep -i '^content-security-policy:' || { echo "CSP missing"; exit 1; }
          echo "$HEADERS" | grep -i '^x-frame-options:' || { echo "XFO missing"; exit 1; }
          echo "All required headers present on the live origin."