name: Deploy Production

on:
  push:
    branches:
      - main
      - master
  workflow_dispatch:

jobs:
  deploy:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    
    steps:
      - name: Checkout code
        shell: sh
        run: |
          git clone $GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git /workspace/repo || true
          cd /workspace/repo
          git fetch origin $GITHUB_REF_NAME
          git checkout $GITHUB_REF_NAME
          git pull origin $GITHUB_REF_NAME

      - name: Build Docker Image
        shell: sh
        run: |
          cd /workspace/repo
          docker build -t slipmatz-web:latest .
          docker save slipmatz-web:latest | gzip > slipmatz-web.tar.gz

      - name: Setup SSH and Deploy
        shell: sh
        run: |
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          echo "$PROD_DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          ssh-keygen -y -f ~/.ssh/deploy_key > /dev/null 2>&1 || { echo "Error: Invalid SSH key format"; exit 1; }
          
          cd /workspace/repo
          scp -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key slipmatz-web.tar.gz docker-compose.yml "$PROD_DEPLOY_USER@$PROD_DEPLOY_HOST:/tmp/"
          
          ssh -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key "$PROD_DEPLOY_USER@$PROD_DEPLOY_HOST" "
            DEPLOY_DIR='/var/www/apps/slipmatz-web'
            mkdir -p \$DEPLOY_DIR
            cd /tmp
            docker load < slipmatz-web.tar.gz
            
            echo 'Removing old slipmatz-web images'
            docker images | grep slipmatz-web | grep -v "\$(docker images slipmatz-web:latest -q)" | awk '{print \$3}' | xargs -r docker rmi -f || true
            
            cp docker-compose.yml \$DEPLOY_DIR/
            cd \$DEPLOY_DIR
            
            # .env file should already exist on server with all required variables
            # Required: NUXT_PUBLIC_*, STRIPE_SECRET_KEY, etc.
            # If it doesn't exist, deployment will fail (this is intentional for security)
            
            docker compose down || true
            docker image prune -f
            docker network inspect traefik-public >/dev/null 2>&1 || docker network create traefik-public
            export DOMAIN=slipmatz.com
            docker compose up -d
            sleep 10
            rm -f /tmp/slipmatz-web.tar.gz /tmp/docker-compose.yml
            
            echo 'Aggressive Docker cleanup to reclaim space'
            docker image prune -af --filter "until=24h" || true
            docker container prune -f || true
            docker volume prune -f || true
            docker builder prune -af --filter "until=48h" || true
            echo 'Docker space usage:'
            docker system df
            
            echo 'Production deployment completed successfully!'
            echo 'Application available at: https://slipmatz.com'
          "
        env:
          PROD_DEPLOY_SSH_KEY: ${{ secrets.PROD_DEPLOY_SSH_KEY }}
          PROD_DEPLOY_USER: ${{ secrets.PROD_DEPLOY_USER }}
          PROD_DEPLOY_HOST: ${{ secrets.PROD_DEPLOY_HOST }}

      - name: Health Check
        shell: sh
        run: |
          sleep 10
          curl -f https://slipmatz.com || exit 1