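#!/usr/bin/env bash
# Open a digest-bump PR against the PRIVATE home-ops repo after an image is pushed.
# Called by CI (.gitea/workflows/deploy.yml) after scripts/build-image.sh push,
# from inside the application checkout (TAG comes from `git rev-parse HEAD`).
#
# Least-privilege: uses a deploy key scoped to ONLY home-ops, and (optionally) a
# token that can open a PR. It NEVER pushes to main — main is branch-protected,
# human-merged; this script only ever pushes a deploy/* branch.
#
# Required env (CI secrets):
#   HOME_OPS_SSH_KEY     - private deploy key with write to home-ops only
# Optional env:
#   GITEA_TOKEN          - token that can create a PR on home-ops. When unset the
#                          branch is pushed and a human opens the PR.
#   GITEA_API            - default https://gitea.bztmon.org/api/v1 (PRIVATE instance)
#   HOME_OPS_REPO        - owner/name on that instance, default jwrong96/home-ops
#   HOME_OPS_REPO_SSH    - default ssh://git@10.0.11.241:22/jwrong96/home-ops.git
#   HOME_OPS_KNOWN_HOSTS - known_hosts line(s) for the git host. When set the host
#                          key is pinned (StrictHostKeyChecking=yes). When unset
#                          we fall back to accept-new, which on a fresh CI runner
#                          is trust-on-first-use on EVERY run — set this.
#   MANIFEST             - path within home-ops to patch
#   DIGEST_FILE          - where build-image.sh wrote the pushed digest
#   REGISTRY / IMAGE     - image coordinates whose image: lines get rewritten
set -euo pipefail

die() { printf 'deploy-pr: %s\n' "$*" >&2; exit 1; }

# Fail early with a readable message instead of set -u's bare "unbound variable".
: "${HOME_OPS_SSH_KEY:?HOME_OPS_SSH_KEY (home-ops deploy key) must be set}"

REGISTRY="${REGISTRY:-git.bztmon.com}"
IMAGE="${IMAGE:-jwright/bztmon-site}"
HOME_OPS_REPO="${HOME_OPS_REPO:-jwrong96/home-ops}"
HOME_OPS_REPO_SSH="${HOME_OPS_REPO_SSH:-ssh://git@10.0.11.241:22/jwrong96/home-ops.git}"
MANIFEST="${MANIFEST:-kubernetes/apps/bztmon-site/bztmon-site.yaml}"
GITEA_API="${GITEA_API:-https://gitea.bztmon.org/api/v1}"
DIGEST_FILE="${DIGEST_FILE:-/tmp/bztmon-site.digest}"

# --- Validate everything that gets interpolated -----------------------------
# These values end up verbatim inside a sed s### command, a JSON body, a git
# branch name and an API URL. Constrain them to the shapes we expect rather
# than trusting whatever is in the environment or in DIGEST_FILE.
[[ "${REGISTRY}" =~ ^[A-Za-z0-9._:-]+$ ]] \
  || die "REGISTRY has unexpected characters: '${REGISTRY}'"
[[ "${IMAGE}" =~ ^[A-Za-z0-9._/-]+$ ]] \
  || die "IMAGE has unexpected characters: '${IMAGE}'"
[[ "${HOME_OPS_REPO}" =~ ^[A-Za-z0-9._-]+/[A-Za-z0-9._-]+$ ]] \
  || die "HOME_OPS_REPO must be owner/name, got '${HOME_OPS_REPO}'"

TAG="$(git rev-parse --short HEAD)"
[[ "${TAG}" =~ ^[0-9a-f]{4,40}$ ]] || die "unexpected short SHA from git: '${TAG}'"

[[ -r "${DIGEST_FILE}" ]] \
  || die "${DIGEST_FILE} missing or unreadable — did build-image.sh push run first?"
# Strip any stray whitespace/newline the producer may have left in the file.
DIGEST="$(tr -d '[:space:]' < "${DIGEST_FILE}")"
[[ "${DIGEST}" =~ ^sha256:[0-9a-f]{64}$ ]] \
  || die "digest in ${DIGEST_FILE} is not sha256:<64 hex>: '${DIGEST}'"

REF="${REGISTRY}/${IMAGE}:${TAG}@${DIGEST}"
echo ">> new image ref: ${REF}"

# --- Temp files: key, optional known_hosts, auth header, clone --------------
# All of them are removed on ANY exit path (success, die, set -e failure).
KEYFILE=""; KNOWN_HOSTS_FILE=""; HDRFILE=""; WORK=""
cleanup() {
  local p
  for p in "${KEYFILE}" "${KNOWN_HOSTS_FILE}" "${HDRFILE}" "${WORK}"; do
    if [[ -n "${p}" ]]; then rm -rf -- "${p}"; fi
  done
}
trap cleanup EXIT

# mktemp already creates the file 0600; the chmod is belt-and-braces.
KEYFILE="$(mktemp)"
printf '%s\n' "${HOME_OPS_SSH_KEY}" > "${KEYFILE}"
chmod 600 "${KEYFILE}"

# IdentitiesOnly=yes stops ssh from offering any other key the runner happens to
# have (agent, ~/.ssh/id_*): only the scoped deploy key may authenticate.
# Paths come from mktemp, so plain interpolation into the command string is safe.
SSH_CMD="ssh -i ${KEYFILE} -o IdentitiesOnly=yes"
if [[ -n "${HOME_OPS_KNOWN_HOSTS:-}" ]]; then
  KNOWN_HOSTS_FILE="$(mktemp)"
  printf '%s\n' "${HOME_OPS_KNOWN_HOSTS}" > "${KNOWN_HOSTS_FILE}"
  SSH_CMD+=" -o UserKnownHostsFile=${KNOWN_HOSTS_FILE} -o StrictHostKeyChecking=yes"
else
  # An ephemeral runner has no remembered host key, so accept-new trusts
  # whatever answers at HOME_OPS_REPO_SSH on first contact — i.e. every run.
  echo ">> WARNING: HOME_OPS_KNOWN_HOSTS unset; git host key is trust-on-first-use" >&2
  SSH_CMD+=" -o StrictHostKeyChecking=accept-new"
fi
export GIT_SSH_COMMAND="${SSH_CMD}"

WORK="$(mktemp -d)"
git clone --depth 1 "${HOME_OPS_REPO_SSH}" "${WORK}/home-ops"
cd "${WORK}/home-ops"

BRANCH="deploy/bztmon-site-${TAG}"
git switch -c "${BRANCH}"

[[ -f "${MANIFEST}" ]] || die "${MANIFEST} not found in home-ops checkout"

# Escape regex metacharacters (and our '#' delimiter) so that e.g. the '.' in the
# registry hostname matches only a literal dot.
re_escape() { printf '%s' "$1" | sed -e 's/[][\.*^$#&]/\\&/g'; }
PATTERN="$(re_escape "${REGISTRY}/${IMAGE}")"

# Replace the image: line(s) for OUR image only, whatever tag@digest they carry
# now. The optional group requires ':' or '@' right after the name, so a sibling
# image that merely shares this one as a prefix is left alone.
sed -i -E "s#(^\s*image:\s*)${PATTERN}([:@][^[:space:]]*)?#\1${REF}#" "${MANIFEST}"
git --no-pager diff -- "${MANIFEST}"

# Refuse to open a no-op PR: a clean diff means the pattern matched nothing
# (wrong MANIFEST/REGISTRY/IMAGE) or this digest is already deployed. The
# original `git commit` would fail here too, just with a less useful message.
if git diff --quiet -- "${MANIFEST}"; then
  die "no image: line for ${REGISTRY}/${IMAGE} changed in ${MANIFEST}"
fi
grep -qF -- "${REF}" "${MANIFEST}" || die "patched ${MANIFEST} does not contain ${REF}"

git config user.name "bztmon-site CI"
git config user.email "ci@bztmon.com"
git commit -am "bztmon-site: deploy ${TAG}"
git push origin "${BRANCH}"

# --- PR (never auto-merge) -------------------------------------------------
# Default (least-privilege): just push the branch — a human opens+merges the PR
# (the approval gate + the ArgoCD trigger). Only auto-open a PR if GITEA_TOKEN
# is provided. Merging stays manual either way.
GITEA_WEB="${GITEA_API%/api/v1}"   # web UI base for the compare link
if [[ -n "${GITEA_TOKEN:-}" ]]; then
  # Pass the token to curl via a 0600 header file (-H @file, curl >= 7.55), not
  # argv, so it is not visible in `ps` or in a `set -x` trace.
  HDRFILE="$(mktemp)"
  printf 'Authorization: token %s\nContent-Type: application/json\n' "${GITEA_TOKEN}" > "${HDRFILE}"
  # BRANCH/TAG/REF were validated above to plain [A-Za-z0-9._:/@-] characters,
  # so interpolating them into the JSON body cannot break out of the strings.
  curl -fsSL -X POST "${GITEA_API}/repos/${HOME_OPS_REPO}/pulls" \
    -H @"${HDRFILE}" \
    -d "{\"head\":\"${BRANCH}\",\"base\":\"main\",\"title\":\"bztmon-site: deploy ${TAG}\",\"body\":\"Automated digest bump.\\n\\nImage: \`${REF}\`\\n\\nMerge to roll out via ArgoCD.\"}"
  echo ">> PR opened for ${BRANCH}"
else
  echo ">> branch ${BRANCH} pushed (image ${REF})."
  echo ">> open the PR to roll out: ${GITEA_WEB}/${HOME_OPS_REPO}/compare/main...${BRANCH}"
fi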