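name: Deploy XIP

# Auto-deploy on every push to main. The runner SSHes into the xip-app CT
# (Echelon CT502) and runs scripts/deploy.sh, which pulls + rebuilds the stack.
on:
  push:
    branches: [main]
  workflow_dispatch:

# Serialize deploys: never run two deploys against the CT at the same time
# (concurrent `docker compose up --build` on the same project races and fails).
concurrency:
  group: deploy-xip-prod
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy over SSH to xip-app
        env:
          # Secrets via env (not inlined in the script) so the multi-line key
          # keeps its newlines and never breaks shell quoting.
          DEPLOY_HOST: ${{ secrets.XIP_DEPLOY_HOST }}
          DEPLOY_USER: ${{ secrets.XIP_DEPLOY_USER }}
          DEPLOY_KEY: ${{ secrets.XIP_DEPLOY_KEY }}
          # NEW, optional secret proposed here (not defined yet): the
          # xip-app host's public host key line(s) in known_hosts format,
          # with a fingerprint confirmed on the host itself. An undefined
          # secret expands to an empty string, which selects the legacy
          # unverified path in the script below.
          DEPLOY_KNOWN_HOSTS: ${{ secrets.XIP_DEPLOY_KNOWN_HOSTS }}
        run: |
          set -eu

          # Fail early with a clear message when a required secret is missing.
          : "${DEPLOY_HOST:?XIP_DEPLOY_HOST secret is not set}"
          : "${DEPLOY_USER:?XIP_DEPLOY_USER secret is not set}"
          : "${DEPLOY_KEY:?XIP_DEPLOY_KEY secret is not set}"

          if ! command -v ssh >/dev/null 2>&1; then
            apt-get update
            apt-get install -y --no-install-recommends openssh-client
          fi

          # Keep key material in a private scratch directory that is removed
          # when the step exits, whether the deploy succeeded or failed.
          # umask 077 means the key file is never created group/world-readable.
          umask 077
          work_dir="$(mktemp -d)"
          trap 'rm -rf "$work_dir"' EXIT
          key_file="$work_dir/deploy_key"
          printf '%s\n' "$DEPLOY_KEY" > "$key_file"

          if [ -n "${DEPLOY_KNOWN_HOSTS:-}" ]; then
            # Pinned host key: the connection is refused if the server
            # presents any key other than the one stored in the secret.
            printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > "$work_dir/known_hosts"
            set -- \
              -o StrictHostKeyChecking=yes \
              -o UserKnownHostsFile="$work_dir/known_hosts"
          else
            # Legacy behaviour, kept so existing deploys keep working.
            # Without host key verification the runner cannot tell the real
            # xip-app host from an on-path impostor, which would then be the
            # peer this deploy session talks to.
            echo "::warning::SSH host key is NOT verified; set XIP_DEPLOY_KNOWN_HOSTS"
            set -- \
              -o StrictHostKeyChecking=no \
              -o UserKnownHostsFile=/dev/null
          fi

          # IdentitiesOnly: offer only the deploy key, not agent/default keys.
          # BatchMode: never block on an interactive prompt in CI.
          ssh -i "$key_file" \
            -o IdentitiesOnly=yes -o BatchMode=yes \
            "$@" \
            "$DEPLOY_USER@$DEPLOY_HOST" 'bash /opt/xip/scripts/deploy.sh'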