---
steps:
  - name: deploy-staging
    image: gcr.io/google.com/cloudsdktool/cloud-sdk:latest
    commands:
      - |
        set -eu
        mkdir -p ~/.ssh

        # 🔐 Pull and decode known_hosts (raw in Secret Manager)
        gcloud secrets versions access latest \
          --secret="STAGING_KNOWN_HOSTS" \
          --project="aptivaai-dev" | base64 -d > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts

        # 🔐 Pull and decode SSH key (also raw in Secret Manager)
        gcloud secrets versions access latest \
          --secret="STAGING_SSH_KEY" \
          --project="aptivaai-dev" | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519

        # ✅ Sanity check: SSH handshake only
        ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes jcoakley@10.128.0.12 hostname