name: CI TEST (Vault secrets)

on:
  push:
    branches: [ main, master ]

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: node:24.13-alpine3.22

    steps:
      - name: Checkout
        uses: https://gitea.nikitapozd.dev/actions/checkout@v6

      - name: Install tools (curl, jq)
        run: |
          set -euxo pipefail
          timeout 30s apk update \
          timeout 30s apk add --no-cache curl jq

      - name: Get Keycloak access token from Gitea secrets
        env:
          KEYCLOAK_TOKEN_URL: ${{ secrets.KEYCLOAK_TOKEN_URL }}
          KEYCLOAK_CLIENT_ID: ${{ secrets.KEYCLOAK_CLIENT_ID }}
          KEYCLOAK_CLIENT_SECRET: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
        run: |
          TOKEN_RESPONSE=$(curl -sS -X POST "$KEYCLOAK_TOKEN_URL" \
            -d "grant_type=client_credentials" \
            -d "client_id=$KEYCLOAK_CLIENT_ID" \
            -d "client_secret=$KEYCLOAK_CLIENT_SECRET")

          ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')

          if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
            echo "ERROR: Failed to obtain access_token from Keycloak"
            echo "$TOKEN_RESPONSE" | jq .
            exit 1
          fi

          # Не печатай токен в лог
          echo "ACCESS_TOKEN=$ACCESS_TOKEN" >> "$GITHUB_ENV"

      - name: Exchange Keycloak token for Vault token (auth/jwt/login)
        env:
          VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
          VAULT_JWT_ROLE: ${{ secrets.VAULT_ROLE }}
        run: |
          LOGIN_RESPONSE=$(curl -sS -X POST "$VAULT_ADDRESS/v1/auth/jwt/login" \
            -H "Content-Type: application/json" \
            -d "{\"role\":\"$VAULT_JWT_ROLE\",\"jwt\":\"$ACCESS_TOKEN\"}")

          VAULT_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.auth.client_token')

          if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
            echo "ERROR: Failed to login to Vault via JWT"
            echo "$LOGIN_RESPONSE" | jq .
            exit 1
          fi

          echo "VAULT_TOKEN=$VAULT_TOKEN" >> "$GITHUB_ENV"

      - name: Read secrets from Vault KV and export to env
        env:
          VAULT_ADDRESS: ${{ secrets.VAULT_ADDRESS }}
          VAULT_KV_PATH: ${{ secrets.VAULT_KV_PATH }}
        run: |
          # KV v2 API endpoint: /v1/<mount>/data/<path>
          # Если VAULT_KV_PATH="blog/frontend", то mount=blog, path=frontend
          
          MOUNT="${VAULT_KV_PATH%%/*}"
          SUBPATH="${VAULT_KV_PATH#*/}"

          JSON=$(curl -sS \
            -H "X-Vault-Token: $VAULT_TOKEN" \
            "$VAULT_ADDRESS/v1/$MOUNT/data/$SUBPATH")

          # Пример: вытащим 2 ключа (замени на свои)
          API_BASE_URL=$(echo "$JSON" | jq -r '.data.data.API_BASE_URL')

          if [ -z "$API_BASE_URL" ] || [ "$API_BASE_URL" = "null" ]; then
            echo "ERROR: API_BASE_URL is missing in Vault at $VAULT_KV_PATH"
            exit 1
          fi

          # Экспортируем в env для следующих шагов:
          echo "API_BASE_URL=$API_BASE_URL" >> "$GITHUB_ENV"

      - name: Verify secrets loaded (safe)
        run: |
          # НЕ печатаем сами значения!
          echo "API_BASE_URL loaded: $([ -n "$API_BASE_URL" ] && echo yes || echo no)"

      - name: Install deps
        run: |
          corepack enable
          pnpm -v || true
          pnpm install

      - name: Build
        env:
          API_BASE_URL: ${{ env.API_BASE_URL }}
          SENTRY_DSN: ${{ env.SENTRY_DSN }}
        run: pnpm build