name: Deploy

on:
  push:
    tags:
      - 'preprod'
      - 'production'


jobs:
  notify-argocd:
    runs-on: ubuntu-latest
    steps:
      -
        uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}
          repositories: "people,secrets"
      -
        name: Checkout repository
        uses: actions/checkout@v2
        with:
          submodules: recursive
          token: ${{ steps.app-token.outputs.token }}
      -
        name: Load sops secrets
        uses: rouja/actions-sops@main
        with:
          secret-file: secrets/numerique-gouv/people/secrets.enc.env
          age-key: ${{ secrets.SOPS_PRIVATE }}
      -
        name: Call argocd github webhook
        run: |
          data='{"ref": "'$GITHUB_REF'","repository": {"html_url":"'$GITHUB_SERVER_URL'/'$GITHUB_REPOSITORY'"}}'
          sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
          curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_WEBHOOK_URL
          sig=$(echo -n ${data} | openssl dgst -sha1 -hmac ''${ARGOCD_PRODUCTION_WEBHOOK_SECRET}'' | awk '{print "X-Hub-Signature: sha1="$2}')
          curl -X POST -H 'X-GitHub-Event:push' -H "Content-Type: application/json" -H "${sig}" --data "${data}" $ARGOCD_PRODUCTION_WEBHOOK_URL

  start-test-on-preprod:
    needs:
      - notify-argocd
    runs-on: ubuntu-latest
    if: startsWith(github.event.ref, 'refs/tags/preprod')
    steps:
      -
        name: Debug
        run: |
          echo "Start test when preprod is ready"