steps:
  push-to-staging:
    image: google/cloud-sdk:latest
    commands:
      - |
        #!/bin/bash
        set -eu
        mkdir -p ~/.ssh

        # Inject known hosts
        gcloud secrets versions access latest --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts

        # Inject SSH key for staging push
        gcloud secrets versions access latest --secret=STAGING_SSH_KEY --project=aptivaai-dev | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519

        # Verify injected key (optional)
        echo "Key size: $(wc -c < ~/.ssh/id_ed25519) bytes"
        head -n 2 ~/.ssh/id_ed25519

        # Pull latest master from origin
        git config --global user.name "Woodpecker CI"
        git config --global user.email "ci@aptivaai.com"
        git clone https://jcoakley:f4bf7ac91bdbd16bf47d241860198ba0bbe4b5c6@gitea.dev1.aptivaai.com/jcoakley/dev1.git repo
        cd repo

        # Push to staging remote over SSH
        GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ed25519 -o StrictHostKeyChecking=yes" git push staging master --force