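# CI for the provider: GoReleaser config check, build/lint, unit and acceptance
# tests, a publish dry-run (snapshot build + registry layout) and a PR coverage
# report.
#
# Review notes that apply to the whole file:
# - Every third-party `uses:` below is referenced by a mutable tag (`@v6`,
#   `@v1.2.0`, ...). Pinning each to a full commit SHA keeps a retagged release
#   from running inside jobs that hold signing keys and cloud credentials.
# - Only `publish_test` and `code_coverage` declare `permissions:`; the other
#   jobs run with the default token scope. A workflow-level
#   `permissions: contents: read` would make least privilege the default, but
#   verify what the lint and upload steps need first.
# - NOTE(review): `config` is skipped on `schedule`, and `publish_test`,
#   `testing` and `main` all `need` it, so a scheduled run appears to execute
#   no job at all. Confirm whether the nightly cron is meant to run tests.
name: CI Workflow

on:
  pull_request:
    branches:
      - alpha
      - main
  workflow_dispatch:
  schedule:
    # every sunday at 00:00
    # - cron: '0 0 * * 0'
    # every day at 00:00
    - cron: '0 0 * * *'
  push:
    # NOTE(review): only negated patterns are listed. GitHub requires at least
    # one positive pattern next to `!` patterns (or `branches-ignore` instead);
    # confirm this filter does what is intended on the runner in use.
    branches:
      - '!main'
      - '!alpha'

env:
  GO_VERSION: "1.25"
  CODE_COVERAGE_FILE_NAME: "coverage.out" # must be the same as in Makefile
  CODE_COVERAGE_ARTIFACT_NAME: "code-coverage"

jobs:
  # Dry-run of the release path: snapshot build, signing key import and
  # generation of the registry directory structure.
  #
  # NOTE(review): this job runs on `pull_request` and executes code from the
  # checked-out ref (`go run cmd/main.go ...`, the GoReleaser config) in the
  # same job that receives the GPG private key and the S3 credentials. Any
  # change that can trigger this job can therefore read those secrets.
  # Consider gating it on trusted events or a protected environment.
  publish_test:
    name: "Test readiness for publishing provider"
    needs: config
    runs-on: ubuntu-latest
    # NOTE(review): no step visible here comments on a PR or writes a check
    # run; `checks: write` and `pull-requests: write` look droppable.
    permissions:
      actions: read # Required to identify workflow run.
      checks: write # Required to add status summary.
      contents: read # Required to checkout repository.
      pull-requests: write # Required to add PR comment.
    steps:
      - name: Install needed tools
        run: |
          apt-get -y -qq update
          apt-get -y -qq install jq python3 python3-pip python-is-python3 s3cmd git make wget

      - name: Setup Go
        uses: actions/setup-go@v6
        with:
          go-version: ${{ env.GO_VERSION }}

      # NOTE(review): `@latest` is resolved at run time, so the generator
      # binaries can change between runs without a commit. Pin each tool to a
      # reviewed version, since this job later imports the signing key.
      - name: Install go tools
        run: |
          go install golang.org/x/tools/cmd/goimports@latest
          go install github.com/hashicorp/terraform-plugin-codegen-framework/cmd/tfplugingen-framework@latest
          go install github.com/hashicorp/terraform-plugin-codegen-openapi/cmd/tfplugingen-openapi@latest

      - name: Setup JAVA
        uses: actions/setup-java@v5
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '21'

      - name: Checkout
        uses: actions/checkout@v6

      - name: Run build pkg directory
        run: |
          go run cmd/main.go build

      # Credentials reach the script through the step environment instead of
      # being pasted into the script text by `${{ }}`, so a value containing
      # shell or heredoc syntax cannot alter the script. `umask 077` keeps a
      # newly created ~/.s3cfg readable by the runner user only.
      # Certificate verification is enabled: with it off, the S3 traffic
      # carrying these credentials could be intercepted. If the endpoint fails
      # validation, fix the trust store rather than disabling the check.
      - name: Set up s3cfg
        env:
          S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
          S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
        run: |
          umask 077
          cat <<EOF >> ~/.s3cfg
          [default]
          host_base = https://object.storage.eu01.onstackit.cloud
          host_bucket = https://%(bucket).object.storage.eu01.onstackit.cloud
          check_ssl_certificate = True
          access_key = ${S3_ACCESS_KEY}
          secret_key = ${S3_SECRET_KEY}
          EOF

      # The private key is piped straight into gpg; it is never written to
      # the runner's disk, so there is no key file to leak or to clean up if
      # the import fails half-way.
      - name: Import GPG key
        env:
          PRIVATE_KEY_PEM: ${{ secrets.PRIVATE_KEY_PEM }}
        run: |
          printf '%s\n' "$PRIVATE_KEY_PEM" | gpg --import

      # NOTE(review): `FORGEJO_TOKEN` is not defined in this file's `env:`;
      # presumably the runner provides it. Confirm it is set and scoped to
      # what a snapshot build needs.
      - name: Run GoReleaser with SNAPSHOT
        id: goreleaser
        env:
          GITHUB_TOKEN: ${{ env.FORGEJO_TOKEN }}
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
        uses: goreleaser/goreleaser-action@v6
        with:
          args: release --skip publish --clean --snapshot

      - name: Prepare key file
        env:
          PUBLIC_KEY_PEM: ${{ secrets.PUBLIC_KEY_PEM }}
        run: |
          printf '%s\n' "$PUBLIC_KEY_PEM" >public_key.pem

      # VERSION is read from the GoReleaser output and the fingerprint from
      # the environment; both are quoted so neither is word-split or globbed.
      - name: Prepare provider directory structure
        env:
          GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
        run: |
          VERSION=$(jq -r .version < dist/metadata.json)
          go run cmd/main.go \
            publish \
            --namespace=mhenselin \
            --providerName=stackitprivatepreview \
            --repoName=terraform-provider-stackitprivatepreview \
            --domain=tfregistry.sysops.stackit.rocks \
            --gpgFingerprint="${GPG_FINGERPRINT}" \
            --gpgPubKeyFile=public_key.pem \
            --version="${VERSION}"

  # Unit tests on every trigger, acceptance tests and credentials only on
  # pull requests; uploads the coverage artifact used by `code_coverage`.
  testing:
    name: CI run tests
    runs-on: ubuntu-latest
    needs: config
    env:
      TF_ACC_PROJECT_ID: ${{ vars.TF_ACC_PROJECT_ID }}
      TF_ACC_REGION: ${{ vars.TF_ACC_REGION }}
      TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL: ${{ vars.TF_ACC_TEST_PROJECT_SERVICE_ACCOUNT_EMAIL }}
      # NOTE(review): `~` is not expanded inside an environment variable
      # value; whether this path resolves depends on how the test code reads
      # it - TODO confirm.
      TF_ACC_SERVICE_ACCOUNT_FILE: "~/service_account.json"
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Build
        uses: ./.github/actions/build
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_wrapper: false

      # NOTE(review): the secret is substituted into the script text before
      # the shell parses it. If the stored value is plain JSON, the shell
      # removes its double quotes and the file is not valid JSON; the usual
      # pattern is to pass the secret via `env:` and write it with
      # `printf '%s' "$VAR"`. Left as is because the stored format is not
      # visible here - confirm before switching.
      # `umask 077` keeps the credential file private to the runner user.
      - name: Create service account json file
        if: ${{ github.event_name == 'pull_request' }}
        run: |
          umask 077
          echo "${{ secrets.TF_ACC_SERVICE_ACCOUNT_JSON }}" >~/service_account.json

      - name: Run go mod tidy
        if: ${{ github.event_name == 'pull_request' }}
        run: go mod tidy

      - name: Testing
        run: make test

      # Runs the pull request's test code with the service account
      # credentials written above available on disk.
      - name: Acceptance Testing
        env:
          TF_ACC: "1"
          TF_ACC_SERVICE_ACCOUNT_FILE: "~/service_account.json"
        if: ${{ github.event_name == 'pull_request' }}
        run: make test-acceptance-tf

      # Reports coverage only: the `exit 1` is commented out, so a result
      # below 80% does not fail the job.
      - name: Check coverage threshold
        shell: bash
        run: |
          make coverage
          COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
          echo "Coverage: $COVERAGE%"
          if (( $(echo "$COVERAGE < 80" | bc -l) )); then
            echo "Coverage is below 80%"
            # exit 1
          fi

      - name: Archive code coverage results
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
          path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"

  # Build, docs check and linting. The docs check and both lint steps use
  # `continue-on-error: true`, so their findings never fail the job.
  main:
    if: ${{ github.event_name != 'schedule' }}
    name: CI run build and linting
    runs-on: ubuntu-latest
    needs: config
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Build
        uses: ./.github/actions/build
        with:
          go-version: ${{ env.GO_VERSION }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v2
        with:
          terraform_wrapper: false

      - name: "Ensure docs are up-to-date"
        if: ${{ github.event_name == 'pull_request' }}
        run: ./scripts/check-docs.sh
        continue-on-error: true

      - name: "Run go mod tidy"
        if: ${{ github.event_name == 'pull_request' }}
        run: go mod tidy

      - name: golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
          version: v2.9
          args: --config=golang-ci.yaml --allow-parallel-runners --timeout=5m
        continue-on-error: true

      - name: Linting
        run: make lint
        continue-on-error: true

      # - name: Testing
      #   run: make test
      #
      # - name: Acceptance Testing
      #   if: ${{ github.event_name == 'pull_request' }}
      #   run: make test-acceptance-tf
      #
      # - name: Check coverage threshold
      #   shell: bash
      #   run: |
      #     make coverage
      #     COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
      #     echo "Coverage: $COVERAGE%"
      #     if (( $(echo "$COVERAGE < 80" | bc -l) )); then
      #       echo "Coverage is below 80%"
      #       # exit 1
      #     fi
      # - name: Archive code coverage results
      #   uses: actions/upload-artifact@v4
      #   with:
      #     name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
      #     path: "stackit/${{ env.CODE_COVERAGE_FILE_NAME }}"

  # Validates the GoReleaser configuration; every other job except
  # `code_coverage` depends on it directly.
  config:
    if: ${{ github.event_name != 'schedule' }}
    name: Check GoReleaser config
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Check GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          args: check

  # Posts the coverage delta on pull requests. The coverage artifact is
  # uploaded by the `testing` job (the upload in `main` is commented out), so
  # this job waits for `testing` as well; with `needs: main` alone it could
  # start before the artifact exists.
  code_coverage:
    name: "Code coverage report"
    if: github.event_name == 'pull_request' # Do not run when workflow is triggered by push to main branch
    runs-on: ubuntu-latest
    needs:
      - main
      - testing
    permissions:
      contents: read
      actions: read # to download code coverage results from "testing" job
      pull-requests: write # write permission needed to comment on PR
    steps:
      - name: Check new code coverage
        uses: fgrosse/go-coverage-report@v1.2.0
        continue-on-error: true # Add this line to prevent pipeline failures in forks
        with:
          coverage-artifact-name: ${{ env.CODE_COVERAGE_ARTIFACT_NAME }}
          coverage-file-name: ${{ env.CODE_COVERAGE_FILE_NAME }}
          root-package: 'github.com/stackitcloud/terraform-provider-stackit'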