name: Deploy

on:
  push:
    branches: [main]

env:
  AWS_REGION: eu-central-1
  S3_BUCKET: filamenteka-frontend
  INSTANCE_ID: i-03956ecf32292d7d9
  NEXT_PUBLIC_API_URL: https://api.filamenteka.rs/api
  NEXT_PUBLIC_MATOMO_URL: https://analytics.demirix.dev
  NEXT_PUBLIC_MATOMO_SITE_ID: "7"

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Detect changes
        id: changes
        run: |
          FRONTEND_CHANGED=false
          API_CHANGED=false

          if git diff --name-only HEAD~1 HEAD | grep -qvE '^api/'; then
            FRONTEND_CHANGED=true
          fi

          if git diff --name-only HEAD~1 HEAD | grep -qE '^api/'; then
            API_CHANGED=true
          fi

          echo "frontend=$FRONTEND_CHANGED" >> $GITHUB_OUTPUT
          echo "api=$API_CHANGED" >> $GITHUB_OUTPUT
          echo "Frontend changed: $FRONTEND_CHANGED"
          echo "API changed: $API_CHANGED"

      # ── Frontend Deploy ──────────────────────────────────────────────
      - name: Setup Node.js
        if: steps.changes.outputs.frontend == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: 18

      - name: Install dependencies
        if: steps.changes.outputs.frontend == 'true'
        run: npm ci

      - name: Security check & tests
        if: steps.changes.outputs.frontend == 'true'
        run: |
          npm run security:check
          npm test -- --passWithNoTests

      - name: Build Next.js
        if: steps.changes.outputs.frontend == 'true'
        run: npm run build

      - name: Setup AWS
        if: steps.changes.outputs.frontend == 'true' || steps.changes.outputs.api == 'true'
        run: |
          pip3 install -q awscli
          aws configure set aws_access_key_id "${{ secrets.AWS_ACCESS_KEY_ID }}"
          aws configure set aws_secret_access_key "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
          aws configure set region eu-central-1

      - name: Deploy to S3 & invalidate CloudFront
        if: steps.changes.outputs.frontend == 'true'
        run: |
          aws s3 sync out/ s3://$S3_BUCKET/ \
            --delete \
            --exclude "*" \
            --include "*.html" \
            --cache-control "public, max-age=0, must-revalidate" \
            --content-type "text/html"

          aws s3 sync out/_next/ s3://$S3_BUCKET/_next/ \
            --cache-control "public, max-age=31536000, immutable"

          aws s3 sync out/ s3://$S3_BUCKET/ \
            --exclude "*.html" \
            --exclude "_next/*" \
            --cache-control "public, max-age=86400"

          aws cloudfront create-invalidation \
            --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} \
            --paths "/*"

      # ── API Deploy ───────────────────────────────────────────────────
      - name: Deploy API via SSM
        if: steps.changes.outputs.api == 'true'
        run: |
          aws ssm send-command \
            --region $AWS_REGION \
            --instance-ids "$INSTANCE_ID" \
            --document-name "AWS-RunShellScript" \
            --parameters 'commands=[
              "cd /home/ubuntu/filamenteka-api",
              "cp server.js server.js.backup",
              "curl -o server.js https://git.demirix.dev/dax/Filamenteka/raw/branch/main/api/server.js",
              "sudo systemctl restart node-api",
              "sudo systemctl status node-api"
            ]' \
            --output json
          echo "API deploy command sent via SSM"