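name: deploy write

# write.famzheng.me — a host systemd user service (not a k8s pod); the
# act_runner runs as user fam and copies the build output locally.
# NOTE(review): per the note above, every step runs with fam's privileges on
# the host. That includes cargo build scripts and npm lifecycle scripts pulled
# in by dependencies, so keep Cargo.lock / package-lock.json changes reviewed.
on:
  push:
    branches: [master]
    paths:
      - 'apps/write/**'
      - 'crates/cube-core/**'
      - 'Cargo.toml'
      - 'Cargo.lock'
      - '.gitea/workflows/deploy-write.yml'
  workflow_dispatch:

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    env:
      APP: write
      # systemctl --user needs a runtime dir; linger is already enabled for
      # fam. The UID is hard-coded, so it must match the runner's user.
      XDG_RUNTIME_DIR: /run/user/1001
    steps:
      # NOTE(review): v4 is a mutable tag; pinning to a full commit SHA is
      # the safer choice for a job that deploys straight onto the host.
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the job token
          # in .git/config where build scripts could read it.
          persist-credentials: false

      - name: Build backend
        run: |
          set -eu
          export PATH="$HOME/.cargo/bin:$PATH"
          cargo build --release -p "$APP"

      - name: Build frontend
        run: |
          set -eu
          cd "apps/$APP/frontend"
          npm ci
          npm run build

      - name: Install binary + dist + systemd unit
        run: |
          set -eu
          mkdir -p \
            "$HOME/.local/bin" \
            "$HOME/.local/share/$APP/dist" \
            "$HOME/.local/state/$APP" \
            "$HOME/.config/$APP" \
            "$HOME/.config/systemd/user"
          # The env file holds the passphrase: keep its directory private so
          # a later edit that recreates the file cannot expose it.
          chmod 700 "$HOME/.config/$APP"
          install -m 755 "target/release/$APP" "$HOME/.local/bin/$APP"
          rsync -a --delete "apps/$APP/frontend/dist/" "$HOME/.local/share/$APP/dist/"
          install -m 644 "apps/$APP/systemd/$APP.service" "$HOME/.config/systemd/user/$APP.service"
          # First deploy only: write a placeholder env file. An existing file
          # is left untouched so the real passphrase is never overwritten.
          if [ ! -f "$HOME/.config/$APP/env" ]; then
            # Create it under umask 077 so it is never readable by other
            # users, not even between the write and the chmod.
            (umask 077; echo "WRITE_PASSPHRASE=CHANGE-ME" > "$HOME/.config/$APP/env")
            chmod 600 "$HOME/.config/$APP/env"
            echo "⚠ created placeholder ~/.config/$APP/env, edit + restart"
          fi

      - name: Reload + restart write.service
        run: |
          set -eu
          systemctl --user daemon-reload
          # Never enable or start the service with the well-known placeholder
          # passphrase. Failing here also skips the ingress step below, so
          # the site is not published until a real value is set.
          # (Presumably the unit reads this file; confirm in the .service.)
          if grep -qx 'WRITE_PASSPHRASE=CHANGE-ME' "$HOME/.config/$APP/env"; then
            echo "refusing to start $APP.service: ~/.config/$APP/env still holds the placeholder passphrase; set a real value and re-run" >&2
            exit 1
          fi
          systemctl --user enable "$APP.service"
          systemctl --user restart "$APP.service"
          sleep 1
          # status is for the job log only; its exit code is lost in the pipe,
          # so the health check is the explicit is-active call that follows.
          systemctl --user --no-pager status "$APP.service" | head -15 || true
          systemctl --user is-active --quiet "$APP.service"

      # Runs only if the service came up with a non-placeholder passphrase.
      - name: Apply k8s service/ingress
        run: kubectl apply -f "apps/$APP/k8s/all.yaml"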