name: CMS Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      release_tag:
        description: "Release tag in vX.Y.Z format"
        required: false
      rollback_image_tag:
        description: "Optional rollback image tag"
        required: false

env:
  BUN_VERSION: "1.3.5"
  REGISTRY: ${{ secrets.CMS_IMAGE_REGISTRY }}
  IMAGE_NAMESPACE: ${{ secrets.CMS_IMAGE_NAMESPACE }}

jobs:
  release:
    name: Build Push Changelog
    if: github.event_name == 'push' || github.event.inputs.rollback_image_tag == ''
    runs-on: node22-bun
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: ${{ env.BUN_VERSION }}

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Resolve release tag
        id: tag
        run: |
          if [ "${GITHUB_EVENT_NAME}" = "workflow_dispatch" ]; then
            if [ -z "${{ github.event.inputs.release_tag }}" ]; then
              echo "release_tag input is required when publishing a release manually."
              exit 1
            fi
            echo "value=${{ github.event.inputs.release_tag }}" >> "$GITHUB_OUTPUT"
          else
            echo "value=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
          fi

      - name: Validate tag against package version
        run: sh .gitea/scripts/validate-tag-version.sh "${{ steps.tag.outputs.value }}"

      - name: Generate changelog
        run: bun run changelog:release

      - name: Build release notes payload
        run: |
          if ! sh .gitea/scripts/extract-release-notes.sh "${{ steps.tag.outputs.value }}" > .gitea-release-notes.md; then
            echo "Could not isolate section for tag ${{ steps.tag.outputs.value }}. Falling back to full CHANGELOG.md."
            cp CHANGELOG.md .gitea-release-notes.md
          fi

      - name: Login to image registry
        run: |
          echo "${{ secrets.CMS_IMAGE_REGISTRY_PASSWORD }}" | docker login "${{ env.REGISTRY }}" -u "${{ secrets.CMS_IMAGE_REGISTRY_USER }}" --password-stdin

      - name: Build and push web image
        run: |
          image="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/cms-web:${{ steps.tag.outputs.value }}"
          docker build -f apps/web/Dockerfile -t "$image" .
          docker push "$image"

      - name: Build and push admin image
        run: |
          image="${{ env.REGISTRY }}/${{ env.IMAGE_NAMESPACE }}/cms-admin:${{ steps.tag.outputs.value }}"
          docker build -f apps/admin/Dockerfile -t "$image" .
          docker push "$image"

      - name: Publish release notes to Gitea
        env:
          RELEASE_TAG: ${{ steps.tag.outputs.value }}
          RELEASE_NAME: ${{ steps.tag.outputs.value }}
          RELEASE_BODY_FILE: ".gitea-release-notes.md"
          GITEA_RELEASE_TOKEN: ${{ secrets.GITEA_RELEASE_TOKEN }}
        run: bun .gitea/scripts/publish-gitea-release.mjs

  rollback:
    name: Rollback Production (Manual)
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.rollback_image_tag != ''
    runs-on: node22-bun
    steps:
      - name: Setup SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.CMS_DEPLOY_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh-keyscan -H "${{ secrets.CMS_PRODUCTION_HOST }}" >> ~/.ssh/known_hosts

      - name: Apply rollback image tag on production
        run: |
          ssh "${{ secrets.CMS_PRODUCTION_USER }}@${{ secrets.CMS_PRODUCTION_HOST }}" \
            "cd ${{ secrets.CMS_REMOTE_DEPLOY_PATH }} && CMS_IMAGE_TAG=${{ github.event.inputs.rollback_image_tag }} docker compose -f docker-compose.production.yml pull && CMS_IMAGE_TAG=${{ github.event.inputs.rollback_image_tag }} docker compose -f docker-compose.production.yml up -d"