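# Composite action: checks out the triggering commit over SSH from a Gitea
# host and, when `config_repo` is set, clones that repository and copies the
# directory named by `app_key` over the checked-out tree.
#
# Security notes:
# - The SSH private key is written to a temporary directory that is removed
#   by an EXIT trap when the step's shell exits.
# - Host keys are pinned when `gitea_known_hosts` is supplied. Without it the
#   step falls back to ssh-keyscan, which accepts whatever key the network
#   returns at run time and therefore does not authenticate the host.
# - Context values are passed through `env` rather than interpolated into the
#   script, so they are never parsed as shell source.
name: "Checkout and Config Injection"
description: "Clones the project via SSH and injects configs from a separate repo"

inputs:
  ssh_key:
    description: "SSH Private Key"
    required: true
  config_repo:
    description: "Configuration Repository Path (e.g., dev-ops/configs.git)"
    required: false
    default: ""
  config_repo_branch:
    description: "Configuration Repository Branch"
    required: false
    default: "main"
  app_key:
    description: >-
      Application Key in the config repo (relative directory name; must not
      be empty or contain empty, '.' or '..' path components)
    required: true
  gitea_host:
    description: "Gitea Hostname"
    required: false
    default: "gitea.hclife.co"
  gitea_port:
    description: "Gitea SSH Port"
    required: false
    default: "2222"
  gitea_known_hosts:
    description: >-
      Pinned known_hosts line(s) for the Gitea SSH endpoint. For a
      non-default port the host field has the form [host]:port. When empty,
      host keys are fetched with ssh-keyscan at run time (unauthenticated).
    required: false
    default: ""

runs:
  using: "composite"
  steps:
    - name: Checkout and Config
      shell: bash
      # Every input and context value reaches the script as an environment
      # variable; none is substituted into the script text itself.
      env:
        SSH_KEY: ${{ inputs.ssh_key }}
        CONFIG_REPO: ${{ inputs.config_repo }}
        CONFIG_REPO_BRANCH: ${{ inputs.config_repo_branch }}
        APP_KEY: ${{ inputs.app_key }}
        GITEA_HOST: ${{ inputs.gitea_host }}
        GITEA_PORT: ${{ inputs.gitea_port }}
        GITEA_KNOWN_HOSTS: ${{ inputs.gitea_known_hosts }}
        PROJECT_REPOSITORY: ${{ github.repository }}
        PROJECT_SHA: ${{ github.sha }}
      run: |
        set -eu

        SSH_TMP_DIR=$(mktemp -d)
        trap 'rm -rf "$SSH_TMP_DIR"' EXIT

        # Create the key file with restrictive permissions from the start;
        # the subshell keeps the umask change away from the checkout below.
        (umask 077; printf '%s\n' "$SSH_KEY" > "$SSH_TMP_DIR/id_rsa")
        chmod 600 "$SSH_TMP_DIR/id_rsa"

        # Ensure the OpenSSH client tools are available.
        if ! command -v ssh-keyscan &> /dev/null; then
          echo "ssh-keyscan not found, attempting to install..."
          if command -v apk &> /dev/null; then
            apk add --no-cache openssh-client
          elif command -v apt-get &> /dev/null; then
            export DEBIAN_FRONTEND=noninteractive
            apt-get update && apt-get install -y openssh-client
          fi
        fi

        if [ -n "$GITEA_KNOWN_HOSTS" ]; then
          # Pinned host keys: the only mode that authenticates the server.
          printf '%s\n' "$GITEA_KNOWN_HOSTS" > "$SSH_TMP_DIR/known_hosts"
        else
          # Fallback: keys fetched here are trusted as-is, so
          # StrictHostKeyChecking=yes below only guards against the key
          # changing later within this same run.
          echo "Warning: gitea_known_hosts not set; host key fetched with ssh-keyscan is not verified."
          ssh-keyscan -p "$GITEA_PORT" "$GITEA_HOST" > "$SSH_TMP_DIR/known_hosts"
        fi

        export GIT_SSH_COMMAND="ssh -i $SSH_TMP_DIR/id_rsa -o UserKnownHostsFile=$SSH_TMP_DIR/known_hosts -o StrictHostKeyChecking=yes"

        echo "Initializing project repository..."
        git init
        git config --global --add safe.directory "$GITHUB_WORKSPACE"

        PROJECT_URL="ssh://git@$GITEA_HOST:$GITEA_PORT/$PROJECT_REPOSITORY.git"
        if git remote get-url origin >/dev/null 2>&1; then
          git remote set-url origin "$PROJECT_URL"
        else
          git remote add origin "$PROJECT_URL"
        fi

        git fetch --depth 1 origin "$PROJECT_SHA"
        git checkout FETCH_HEAD

        if [ -n "$CONFIG_REPO" ]; then
          # Composite actions do not enforce `required`, so APP_KEY can be
          # empty. An empty, '.' or '..' component would make the copy below
          # read from the clone root (including its .git) or from outside it.
          case "/$APP_KEY/" in
            *//*|*/./*|*/../*)
              echo "Error: app_key must be a relative path without empty, '.' or '..' components"
              exit 1
              ;;
          esac

          echo "Fetching optional config repository..."
          echo "Config repo: $CONFIG_REPO"
          echo "Config repo branch: $CONFIG_REPO_BRANCH"
          echo "Expected config app key: $APP_KEY"
          git clone -b "$CONFIG_REPO_BRANCH" "ssh://git@$GITEA_HOST:$GITEA_PORT/$CONFIG_REPO" configs

          echo "Config repo top-level entries:"
          find configs -maxdepth 2 -mindepth 1 | sort

          CONFIG_SOURCE_DIR="configs/${APP_KEY}"
          if [ -d "$CONFIG_SOURCE_DIR" ]; then
            # The tree is copied over the workspace root; refuse one that
            # would replace the checked-out repository's git metadata.
            if [ -e "$CONFIG_SOURCE_DIR/.git" ]; then
              echo "Error: '$CONFIG_SOURCE_DIR' contains a .git entry; refusing to overwrite repository metadata"
              exit 1
            fi
            echo "Applying config tree from '$CONFIG_SOURCE_DIR'..."
            cp -Rv "$CONFIG_SOURCE_DIR"/. .
            rm -rf configs
          else
            echo "Error: '$CONFIG_SOURCE_DIR' not found in config repository"
            echo "Available directories under configs/:"
            find configs -maxdepth 3 -type d | sort
            exit 1
          fi
        else
          echo "No config repository configured; skipping config injection."
        fi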