steps:
  ssh-test:
    image: google/cloud-sdk:latest
    commands: |
      #!/usr/bin/env bash
      set -euo pipefail

      mkdir -p ~/.ssh

      # ── Fetch & install secrets from Secret Manager ─────────────
      gcloud secrets versions access latest \
        --secret=STAGING_KNOWN_HOSTS --project=aptivaai-dev | base64 -d > ~/.ssh/known_hosts
      chmod 644 ~/.ssh/known_hosts

      gcloud secrets versions access latest \
        --secret=STAGING_SSH_KEY --project=aptivaai-dev | base64 -d > ~/.ssh/id_ed25519
      chmod 600 ~/.ssh/id_ed25519

      echo "🔑  SSH material ready"

      # ── Tag comes from the commit that triggered Woodpecker ─────
      TAG=$(echo "$CI_COMMIT_SHA" | head -c 8)
      echo "🚀  Deploying tag ${TAG} to staging"

      # ── SSH into the staging VM and re‑create the stack ─────────
      ssh -o StrictHostKeyChecking=yes \
          -i ~/.ssh/id_ed25519 \
          jcoakley@10.128.0.12 <<EOF
        #!/usr/bin/env bash
        set -euo pipefail
        cd /opt/aptiva-staging-app
        echo "Pulling containers with IMG_TAG=${TAG}"
        IMG_TAG=${TAG} docker compose pull
        echo "Recreating services"
        IMG_TAG=${TAG} docker compose up -d --force-recreate --remove-orphans
        echo "✅  Staging stack refreshed"
      EOF

environment:
  - CI_COMMIT_SHA

when:
  event:
    - push