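---
# Drone CI pipeline: build the frontend, build and push every service image
# with Kaniko, then deploy the Helm chart and wait for the rollouts.
#
# NOTE(review): every step image below uses a mutable tag (latest, 22-alpine).
# The docker-build, helm-deploy and verify-rollout steps receive registry or
# cluster credentials, so they run whatever those tags resolve to at build
# time. Pin each image to a version and digest you have reviewed.
#
# NOTE(review): Drone pre-processes dollar-brace expressions in this file
# before any shell runs. Shell variables are therefore written with the
# doubled-dollar escape so they expand at run time and can be quoted as data;
# only the commit SHA substring is left to Drone. Confirm against the runner
# version in use.
kind: pipeline
type: kubernetes
name: default

clone:
  disable: true

trigger:
  event:
    - push
    - tag
  branch:
    - main

environment:
  REGISTRY: harbor.gitdata.me/gta_team
  CARGO_TERM_COLOR: always
  BUILD_TARGET: x86_64-unknown-linux-gnu

steps:
  # The built-in clone is disabled above, so this step has to fetch the
  # repository itself; the original only ran `git checkout` in an empty
  # workspace.
  # NOTE(review): a private repository also needs clone credentials here;
  # confirm how they are supplied to this step.
  - name: clone
    image: bitnami/git:latest
    commands:
      - |
        git clone "$${DRONE_GIT_HTTP_URL}" .
        # The tag name is chosen by whoever pushes it: expand it at run time,
        # quote it, and address it as a full ref so it is only ever a ref.
        if [ -n "$${DRONE_TAG:-}" ]; then
          git checkout "refs/tags/$${DRONE_TAG}"
        else
          git checkout "$${DRONE_COMMIT_SHA}"
        fi

  # Once any step declares depends_on, steps without it start immediately,
  # so every step below states its predecessor explicitly.
  - name: frontend-deps
    image: node:22-alpine
    commands:
      - cd apps/frontend && corepack enable && corepack prepare pnpm@10 --activate && pnpm install --frozen-lockfile
    depends_on: [clone]

  # Each step is a fresh container: only the workspace carries over, so pnpm
  # has to be activated again before it can be used.
  - name: frontend-build
    image: node:22-alpine
    commands:
      - cd apps/frontend && corepack enable && corepack prepare pnpm@10 --activate && pnpm build
    depends_on: [frontend-deps]

  # The debug variant of the Kaniko image is the one that ships a shell,
  # which `commands` needs.
  - name: docker-build
    image: gcr.io/kaniko-project/executor:debug
    environment:
      # DOCKER_CONFIG names a directory, not file contents, so the base64
      # dockerconfigjson is passed under its own name and written to the
      # path Kaniko reads.
      REGISTRY_AUTH_B64:
        from_secret: kaniko_secret
    commands:
      - |
        if [ -z "$${REGISTRY_AUTH_B64:-}" ]; then
          echo "kaniko_secret is empty or not available to this build" >&2
          exit 1
        fi
        umask 077
        mkdir -p /kaniko/.docker
        printf '%s' "$${REGISTRY_AUTH_B64}" | base64 -d > /kaniko/.docker/config.json

        # Tag builds use the tag name; everything else uses the short SHA.
        TAG="$${DRONE_TAG:-}"
        if [ -z "$${TAG}" ]; then
          TAG="${DRONE_COMMIT_SHA:0:8}"
        fi
        echo "==> Building images with tag: $${TAG}"

        # One Dockerfile per component under docker/. Each image is pushed
        # under the immutable build tag and under the moving `latest` tag.
        for component in app gitserver email-worker git-hook migrate operator static frontend; do
          /kaniko/executor \
            --context . \
            --dockerfile "docker/$${component}.Dockerfile" \
            --build-arg "BUILD_TARGET=$${BUILD_TARGET}" \
            --destination "$${REGISTRY}/$${component}:$${TAG}" \
            --destination "$${REGISTRY}/$${component}:latest"
        done
        echo "==> All images pushed"
    depends_on: [frontend-build]

  # The former prepare-kubeconfig step is folded into the two steps that use
  # the cluster: it never received the secret (no from_secret), and a file
  # written to one step's home directory is not visible to later steps.
  # Writing the kubeconfig into the shared workspace instead would place it
  # inside the Kaniko build context, so it is kept out of the workspace.
  - name: helm-deploy
    image: alpine/helm:latest
    environment:
      KUBECONFIG_B64:
        from_secret: kubeconfig
    commands:
      - apk add --no-cache curl kubectl
      # Verify the download against the checksum file published next to it
      # before installing it.
      # NOTE(review): that file comes from the same origin as the archive;
      # for stronger assurance commit the expected SHA-256 to this repository
      # and compare against it.
      - |
        curl -fsSL -o /tmp/helm-v3.15.0-linux-amd64.tar.gz https://get.helm.sh/helm-v3.15.0-linux-amd64.tar.gz
        curl -fsSL -o /tmp/helm-v3.15.0-linux-amd64.tar.gz.sha256sum https://get.helm.sh/helm-v3.15.0-linux-amd64.tar.gz.sha256sum
        (cd /tmp && sha256sum -c helm-v3.15.0-linux-amd64.tar.gz.sha256sum)
        tar -xzf /tmp/helm-v3.15.0-linux-amd64.tar.gz -C /tmp
        mv /tmp/linux-amd64/helm /usr/local/bin/helm && chmod +x /usr/local/bin/helm
      - |
        if [ -z "$${KUBECONFIG_B64:-}" ]; then
          echo "kubeconfig secret is empty or not available to this build" >&2
          exit 1
        fi
        # Keep the credential private to this container and out of the
        # workspace.
        umask 077
        mkdir -p /tmp/kube
        printf '%s' "$${KUBECONFIG_B64}" | base64 -d > /tmp/kube/config
        export KUBECONFIG=/tmp/kube/config

        TAG="$${DRONE_TAG:-}"
        if [ -z "$${TAG}" ]; then
          TAG="${DRONE_COMMIT_SHA:0:8}"
        fi
        # NOTE(review): deploy/secrets.yaml is read from the checkout; if it
        # holds plaintext credentials, move them to Drone or cluster secrets.
        helm upgrade --install gitdata deploy/ \
          --namespace gitdataai \
          -f deploy/values.yaml \
          -f deploy/secrets.yaml \
          --set "image.registry=$${REGISTRY}" \
          --set "app.image.tag=$${TAG}" \
          --set "gitserver.image.tag=$${TAG}" \
          --set "emailWorker.image.tag=$${TAG}" \
          --set "gitHook.image.tag=$${TAG}" \
          --set "operator.image.tag=$${TAG}" \
          --set "static.image.tag=$${TAG}" \
          --set "frontend.image.tag=$${TAG}" \
          --wait \
          --timeout 5m \
          --atomic
    depends_on: [docker-build]
    when:
      branch: [main]

  - name: verify-rollout
    image: bitnami/kubectl:latest
    environment:
      KUBECONFIG_B64:
        from_secret: kubeconfig
    commands:
      - |
        if [ -z "$${KUBECONFIG_B64:-}" ]; then
          echo "kubeconfig secret is empty or not available to this build" >&2
          exit 1
        fi
        umask 077
        mkdir -p /tmp/kube
        printf '%s' "$${KUBECONFIG_B64}" | base64 -d > /tmp/kube/config
        export KUBECONFIG=/tmp/kube/config

        for deployment in gitdata-frontend gitdata-app gitdata-gitserver gitdata-email-worker gitdata-git-hook; do
          kubectl rollout status "deployment/$${deployment}" -n gitdataai --timeout=300s
        done
    depends_on: [helm-deploy]
    when:
      branch: [main]

# =============================================================================
# Secrets (register via drone CLI)
# =============================================================================
# <owner/repo> and <value> are placeholders to fill in.
#
# Harbor username
#   drone secret add --repository <owner/repo> --name drone_secret_docker_username --data <value>
#
# Harbor password
#   drone secret add --repository <owner/repo> --name drone_secret_docker_password --data <value>
#
# NOTE(review): no step in this file references the two Harbor secrets above;
# registry authentication comes from kaniko_secret. Remove them if unused.
#
# kubeconfig (base64)
#   drone secret add --repository <owner/repo> --name kubeconfig --data "$(cat ~/.kube/config | base64 -w 0)"
#
# NOTE(review): prefer a kubeconfig for a dedicated service account limited
# to the gitdataai namespace over a personal ~/.kube/config, which may carry
# cluster-admin rights and unrelated contexts.
#
# Kaniko dockerconfigjson (for private registry)
#   drone secret add --repository <owner/repo> --name kaniko_secret --data "$(cat ~/.docker/config.json | base64 -w 0)"
#
# Local exec:
#   drone exec --trusted \
#     --secret=DRONE_SECRET_DOCKER_USERNAME=<value> \
#     --secret=DRONE_SECRET_DOCKER_PASSWORD=<value> \
#     --secret=KUBECONFIG=$(base64 -w 0 ~/.kube/config)
#
# NOTE(review): values passed on the command line end up in shell history
# and the process list; `drone exec --secret-file` avoids that.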