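# Builds the Dioxus web UI with trunk and deploys the Cloudflare worker with
# wrangler on every push to main (or on manual dispatch).
#
# Secret handling: the Cloudflare API token is stored in the repository as an
# age-encrypted file and decrypted with an SSH identity supplied through the
# AGE_FORGE_SSH_KEY Actions secret. The build step runs downloaded toolchain
# installers and project build code, so it is ordered BEFORE the identity and
# the token are materialized: neither the key file nor the token exists on the
# runner while the build executes.
name: deploy-cloudflare

on:
  push:
    branches: [main]
  workflow_dispatch: {}

concurrency:
  group: cloudflare-deploy-${{ forgejo.ref }}
  cancel-in-progress: true

jobs:
  deploy:
    runs-on: codeberg-medium
    steps:
      # NOTE(review): `@v4` is a mutable tag; consider pinning the action to a
      # full commit SHA so the code that receives the job token cannot change
      # underneath this workflow.
      - name: Checkout
        uses: https://code.forgejo.org/actions/checkout@v4
        with:
          token: ${{ github.token }}
          fetch-depth: 0
          lfs: false
          # Do not leave the job token in .git/config; no later step visible
          # in this workflow talks to the git remote.
          persist-credentials: false

      # Installs the tools the later steps call (curl, node/npm, age) with
      # whichever package manager the runner image provides. If neither
      # apt-get nor apk is present the step is a no-op and later steps rely on
      # the tools already being installed.
      - name: Bootstrap runner deps
        shell: bash
        run: |
          set -euo pipefail
          # Run a command as root: directly when already root, via sudo otherwise.
          as_root() {
            if [[ "$(id -u)" = "0" ]]; then
              "$@"
            elif command -v sudo >/dev/null 2>&1; then
              sudo "$@"
            else
              echo "error: need root or sudo to install runner dependencies"
              exit 2
            fi
          }
          if command -v apt-get >/dev/null 2>&1; then
            as_root apt-get update
            as_root apt-get install -y curl ca-certificates nodejs npm age
          elif command -v apk >/dev/null 2>&1; then
            as_root apk add --no-cache curl ca-certificates nodejs npm age
          fi

      # Runs before any secret is placed on the runner. The step script does
      # not reference the Cloudflare token or the age identity.
      - name: Build site (Dioxus web)
        shell: bash
        run: |
          set -euo pipefail
          install -d -m 755 "$HOME/.local/bin"
          export PATH="$HOME/.local/bin:$PATH"
          if ! command -v cargo >/dev/null 2>&1; then
            # Restrict curl to HTTPS with TLS 1.2+ so the installer script
            # cannot be fetched over a downgraded transport.
            curl --proto '=https' --tlsv1.2 -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal
            . "$HOME/.cargo/env"
          elif [[ -f "$HOME/.cargo/env" ]]; then
            . "$HOME/.cargo/env"
          fi
          rustup target add wasm32-unknown-unknown
          if ! command -v trunk >/dev/null 2>&1; then
            trunk_version="0.21.14"
            arch="$(uname -m)"
            case "${arch}" in
              x86_64|amd64)
                trunk_target="x86_64-unknown-linux-gnu"
                ;;
              aarch64|arm64)
                trunk_target="aarch64-unknown-linux-gnu"
                ;;
              *)
                echo "error: unsupported runner arch for trunk prebuilt binary: ${arch}"
                exit 2
                ;;
            esac
            # NOTE(review): the release tarball is extracted without an
            # integrity check. Record the expected SHA-256 for each target of
            # the pinned version and verify the download before extracting.
            curl --proto '=https' --tlsv1.2 -fsSL "https://github.com/trunk-rs/trunk/releases/download/v${trunk_version}/trunk-${trunk_target}.tar.gz" \
              | tar -xz -C "$HOME/.local/bin" trunk
          fi
          cd apps/tauri/ui
          trunk build --release --public-url /

      # Writes the SSH identity used by age to $HOME/.ssh. The secret may be
      # stored either as the raw OpenSSH private key or base64-encoded.
      - name: Configure CI Age identity
        env:
          AGE_FORGE_SSH_KEY: ${{ secrets.AGE_FORGE_SSH_KEY }}
        shell: bash
        run: |
          set -euo pipefail
          if [[ -z "${AGE_FORGE_SSH_KEY:-}" ]]; then
            echo "error: missing Actions secret AGE_FORGE_SSH_KEY"
            exit 2
          fi
          # Create the key file owner-only from the start instead of relying
          # solely on the chmod that follows the write.
          umask 077
          install -d -m 700 "$HOME/.ssh"
          if [[ "${AGE_FORGE_SSH_KEY}" == "-----BEGIN OPENSSH PRIVATE KEY-----"* ]]; then
            printf '%s\n' "${AGE_FORGE_SSH_KEY}" > "$HOME/.ssh/age_forge_ed25519"
          else
            printf '%s' "${AGE_FORGE_SSH_KEY}" | base64 -d > "$HOME/.ssh/age_forge_ed25519"
          fi
          chmod 600 "$HOME/.ssh/age_forge_ed25519"

      # Decrypts the Cloudflare API token and exports it to the remaining
      # steps through GITHUB_ENV. Only the deploy step follows.
      - name: Decrypt CI secrets from repo
        shell: bash
        run: |
          set -euo pipefail
          key_file="$HOME/.ssh/age_forge_ed25519"
          secret_file="secrets/cloudflare-api-token.age"
          # The identity is needed for this one decryption only; remove it on
          # every exit path so the deploy step (npm install scripts, wrangler)
          # cannot read it.
          trap 'rm -f "$key_file"' EXIT
          if [[ ! -f "$secret_file" ]]; then
            echo "error: missing ${secret_file}"
            exit 2
          fi
          CLOUDFLARE_API_TOKEN="$(age -d -i "$key_file" "$secret_file")"
          if [[ -z "${CLOUDFLARE_API_TOKEN}" ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN is empty"
            exit 2
          fi
          # GITHUB_ENV is line-oriented: an embedded newline would truncate
          # the token and let the remainder define further variables.
          if [[ "${CLOUDFLARE_API_TOKEN}" == *$'\n'* ]]; then
            echo "error: decrypted CLOUDFLARE_API_TOKEN contains a newline"
            exit 2
          fi
          # Mask first so the value is redacted from any later log output.
          echo "::add-mask::${CLOUDFLARE_API_TOKEN}"
          echo "CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}" >> "$GITHUB_ENV"

      - name: Deploy worker
        shell: bash
        run: |
          set -euo pipefail
          # NOTE(review): each run step starts in the workspace root, not in
          # the directory the build step changed into, so this relative path
          # does not resolve from apps/tauri/ui. It looks like
          # `deploy/cloudflare-worker` was intended; confirm against the
          # repository layout.
          cd ../../../deploy/cloudflare-worker
          npm ci
          npx wrangler deploy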