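# Woodpecker step that deploys the staging stack: it pulls SSH material from
# GCP Secret Manager, derives an 8-character image tag from the triggering
# commit, then runs `docker compose pull` / `up` on the staging VM over SSH.
steps:
  ssh-test:  # name unchanged
    # NOTE(review): `latest` is a mutable tag, and this step handles the
    # deploy key. Pin a specific version or digest, e.g.
    # google/cloud-sdk@sha256:<DIGEST_PLACEHOLDER>.
    image: google/cloud-sdk:latest
    commands:
      - |
        #!/usr/bin/env bash
        # NOTE(review): the shebang only matters if the runner executes this
        # block as a file. Confirm the step really runs under bash, since
        # `pipefail` is not available in every /bin/sh.
        set -euo pipefail

        # Create the directory and secret files with owner-only permissions
        # from the start, so the private key is never readable by others
        # between creation and chmod.
        umask 077
        mkdir -p ~/.ssh
        chmod 700 ~/.ssh
        # Remove the private key when the step ends, on success or failure.
        trap 'rm -f ~/.ssh/id_ed25519' EXIT

        # ── Fetch & install secrets from Secret Manager ─────────────
        gcloud secrets versions access latest \
          --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev \
          | base64 -d > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts

        gcloud secrets versions access latest \
          --secret=STAGING_SSH_KEY --project=aptivaai-dev \
          | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
        echo "🔑 SSH material ready"

        # ── Tag comes from the commit that triggered Woodpecker ─────
        # Plain $TAG is used instead of the braced form.
        # NOTE(review): Woodpecker's config pre-processor appears to
        # substitute braced expressions before the shell runs. Confirm.
        TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
        # The tag is interpolated into the remote command line below, so
        # accept only lowercase hex.
        case "$TAG" in
          ''|*[!0-9a-f]*)
            echo "Refusing to deploy: unexpected tag value" >&2
            exit 1
            ;;
        esac
        echo "🚀 Deploying tag $TAG to staging"

        # ── SSH into the staging VM and re-create the stack ─────────
        # The heredoc delimiter is quoted, so nothing inside it is expanded
        # locally. The remote shell never had TAG defined, so under `set -u`
        # the remote script would abort on the first reference. The tag is
        # therefore passed explicitly as IMG_TAG in the remote environment.
        ssh -o StrictHostKeyChecking=yes \
          -i ~/.ssh/id_ed25519 \
          jcoakley@10.128.0.12 "IMG_TAG=$TAG bash -s" <<'EOF'
        set -euo pipefail
        export IMG_TAG
        cd /opt/aptiva-staging-app
        echo "Pulling containers with IMG_TAG=$IMG_TAG"
        docker compose pull
        echo "Recreating services"
        docker compose up -d --force-recreate --remove-orphans
        echo "✅ Staging stack refreshed"
        EOF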