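# .woodpecker.yml (only the relevant step shown)
steps:
  - name: deploy-staging
    image: google/cloud-sdk:latest
    # gcloud is never authenticated explicitly in the script; presumably the
    # agent's attached service account supplies credentials — TODO confirm.
    entrypoint:
      - bash
      # bash's `-o` consumes the NEXT argv element as the option name. As a
      # single `-euco` cluster, `-o` would swallow the script itself and bash
      # exits with "invalid option name". Spelled out, `-o` binds to
      # `pipefail` (so a failed `gcloud ... | base64 -d` aborts the step
      # instead of writing an empty file) and `-c` receives the script.
      - -euo
      - pipefail
      - -c
      - |
        #####################################################################
        # 1) PARAMETERS                                                     #
        #####################################################################
        PROJECT=aptivaai-dev    # GCP project that holds secrets
        ENV=staging             # <‑‑ change once, covers suffixes
        HOST=10.128.0.12        # staging VM
        SSH_USER=jcoakley

        # One authoritative list of secret names (same as deploy_all.sh).
        # Each is fetched ON THE VM as "<NAME>_<ENV>" (section 3), so the
        # values never pass through this runner or its build log.
        SECRETS=(
          JWT_SECRET OPENAI_API_KEY ONET_USERNAME ONET_PASSWORD
          STRIPE_SECRET_KEY STRIPE_PUBLISHABLE_KEY STRIPE_WH_SECRET
          STRIPE_PRICE_PREMIUM_MONTH STRIPE_PRICE_PREMIUM_YEAR
          STRIPE_PRICE_PRO_MONTH STRIPE_PRICE_PRO_YEAR
          DB_HOST DB_NAME DB_PORT DB_USER DB_PASSWORD
          DB_SSL_CERT DB_SSL_KEY DB_SSL_CA
          TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN TWILIO_MESSAGING_SERVICE_SID
          KMS_KEY_NAME
          DEK_PATH   # ← NEW
        )

        # Everything created from here on (notably the private key) is born
        # owner-only, rather than world-readable until the explicit chmod.
        umask 077

        #####################################################################
        # 2) SSH prerequisites                                              #
        #####################################################################
        mkdir -p ~/.ssh
        chmod 700 ~/.ssh

        gcloud secrets versions access latest \
          --secret=STAGING_KNOWN_HOSTS --project="$PROJECT" | base64 -d \
          > ~/.ssh/known_hosts
        chmod 644 ~/.ssh/known_hosts

        gcloud secrets versions access latest \
          --secret=STAGING_SSH_KEY --project="$PROJECT" | base64 -d \
          > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
        echo "🔑 SSH key & known‑hosts installed"

        #####################################################################
        # 3) Build the remote export block                                  #
        #####################################################################
        # The block is a single shell string executed by the VM's login
        # shell; anything that must expand on the VM is written as \$...
        # `set -eu` makes a failed secret lookup abort the deploy instead of
        # exporting an empty value and recreating the stack with it.
        export_block="set -eu; PROJECT=${PROJECT}; ENV=${ENV}; "
        export_block+="IMG_TAG=\$(gcloud secrets versions access latest \
          --secret=IMG_TAG --project=\${PROJECT}); export IMG_TAG; "
        for S in "${SECRETS[@]}"; do
          export_block+="${S}=\$(gcloud secrets versions access latest \
            --secret=${S}_${ENV} --project=\${PROJECT}); export ${S}; "
        done
        export_block+="export FROM_SECRETS_MANAGER=true; "

        #####################################################################
        # 4) Remote docker‑compose update                                   #
        #####################################################################
        export_block+="cd /home/${SSH_USER}/aptiva-staging-app; "
        # Include every exported var in --preserve-env (comma-joined).
        preserve=$(IFS=,; echo IMG_TAG,FROM_SECRETS_MANAGER,${SECRETS[*]})
        export_block+="sudo --preserve-env=${preserve} docker compose pull; "
        export_block+="sudo --preserve-env=${preserve} \
          docker compose up -d --force-recreate --remove-orphans; "
        # Double quotes (escaped here) so the VM expands $IMG_TAG; with
        # single quotes the message printed the literal text '$IMG_TAG'.
        export_block+="echo \"✅ Staging stack refreshed with tag \$IMG_TAG\";"

        #####################################################################
        # 5) Execute over SSH                                               #
        #####################################################################
        # BatchMode: fail fast instead of hanging the job on any prompt.
        # IdentitiesOnly: offer only the key installed above.
        ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
            -o IdentitiesOnly=yes -i ~/.ssh/id_ed25519 \
            "${SSH_USER}@${HOST}" "${export_block}"
    # NOTE(review): the script fetches both values through gcloud and never
    # reads $STAGING_SSH_KEY or $STAGING_KNOWN_HOSTS from the environment, so
    # this list appears to expose them to the step needlessly — confirm the
    # runner does not need them for anything else, then drop it.
    secrets:
      - STAGING_SSH_KEY
      - STAGING_KNOWN_HOSTS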