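# ──────────────────────────────────────────────────────────────────────────────
# CrowdSec Admin — Gitea Actions CI/CD
#
# Build image, push to Gitea registry, trigger Portainer redeploy via webhook.
# Stack itself is managed by Portainer (type=git). Env vars (LAPI creds) live
# in the Portainer stack — NOT in repo secrets — so rotation is one place.
#
# Repo secrets required:
#   REGISTRY_TOKEN         token for ci user, scope write:package
#   PORTAINER_WEBHOOK_URL  POST URL from Portainer stack auto-update setting
#
# Security notes:
#   - The webhook POST below carries no other credential, so the URL itself
#     acts as the secret. It must only ever travel over a verified TLS
#     connection; certificate verification is therefore left enabled.
#   - Secrets are handed to steps through `env:` and read as shell variables,
#     so their values are never spliced into the script text by the template
#     engine (no quoting or injection surprises if a value contains shell
#     metacharacters).
# ──────────────────────────────────────────────────────────────────────────────
name: Deploy

on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  IMAGE: git.domverse-berlin.eu/ci/crowdsec-admin/app

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `v4` is a mutable tag. Pinning the action to a full
      # commit SHA protects this job (which holds registry credentials) from
      # a retagged upstream release.
      - name: Checkout
        uses: actions/checkout@v4

      # The token is read from the environment and piped on stdin, so it does
      # not appear in the rendered script or in the docker command line.
      - name: Login to Gitea registry
        env:
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
        run: >-
          printf '%s' "$REGISTRY_TOKEN" |
          docker login git.domverse-berlin.eu -u ci --password-stdin

      # Two tags per build: the moving `latest` and the immutable commit SHA,
      # which allows a deployed image to be traced back to its source commit.
      - name: Build and push
        run: |
          docker build -t "$IMAGE:latest" -t "$IMAGE:${{ gitea.sha }}" ./app
          docker push "$IMAGE:latest"
          docker push "$IMAGE:${{ gitea.sha }}"

      # TLS verification stays on (no -k/--insecure): with it disabled, an
      # on-path attacker could impersonate Portainer and capture the webhook
      # URL. If Portainer is served with a certificate from a private CA,
      # trust that CA on the runner or pass it with --cacert instead.
      - name: Trigger Portainer redeploy
        env:
          PORTAINER_WEBHOOK_URL: ${{ secrets.PORTAINER_WEBHOOK_URL }}
        run: |
          curl --silent --fail --request POST "$PORTAINER_WEBHOOK_URL"

      - name: Prune dangling images
        run: docker image prune -f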