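# CI/CD workflow: syntax-check the Ansible playbook on every push and pull
# request to master, then deploy on pushes to master only.
#
# Secrets are handed to the shell through `env:` and never interpolated into
# the script text. `${{ secrets.X }}` is substituted before the shell parses
# the script, so a secret containing `"`, `$`, a backtick or a backslash would
# be rewritten or executed by the shell and not written verbatim.
name: CI/CD

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege for GITHUB_TOKEN: the jobs only read the repository.
permissions:
  contents: read

jobs:
  syntax-check:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the action is referenced by a mutable tag; pinning it to
      # a full commit SHA keeps a retagged release from changing what runs.
      - uses: actions/checkout@v4
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      # NOTE(review): ansible is installed unpinned, so each run takes
      # whatever version PyPI serves that day; consider pinning it.
      - name: Install ansible
        run: pip3 install ansible --quiet --break-system-packages

      # NOTE(review): this job also runs on pull_request. Pull requests from
      # forks receive no secrets, so the file holds an empty line there.
      # Same-repository pull requests run their own playbook code with the
      # real vault password on disk. Confirm --syntax-check really needs it.
      - name: Write vault password
        env:
          VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
        run: |
          # Create the file owner-only from the start; a chmod after the
          # write leaves a short window with default permissions.
          umask 077
          printf '%s\n' "$VAULT_PASSWORD" > ~/.vault-password-file
          chmod 600 ~/.vault-password-file

      - name: Syntax check
        run: ansible-playbook playbooks/deploy.yml --syntax-check -i inventory/

  deploy:
    needs: syntax-check
    # Deploy only for pushes to master, never for pull requests.
    if: github.ref == 'refs/heads/master' && github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Install dependencies
        run: |
          pip3 install ansible --quiet --break-system-packages
          ansible-galaxy collection install ansible.posix community.general community.docker --quiet

      - name: Configure SSH
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        run: |
          # umask 077 makes ~/.ssh 0700 and the key 0600 at creation time.
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          # NOTE(review): ssh-keyscan trusts whatever host key is returned
          # on this run, so it does not authenticate the server. Store the
          # host key, verified out of band, and write that to known_hosts.
          ssh-keyscan -p 22 87.249.49.32 >> ~/.ssh/known_hosts

      - name: Write vault password
        env:
          VAULT_PASSWORD: ${{ secrets.VAULT_PASSWORD }}
        run: |
          umask 077
          printf '%s\n' "$VAULT_PASSWORD" > ~/.vault-password-file
          chmod 600 ~/.vault-password-file

      - name: Deploy
        run: ansible-playbook playbooks/deploy.yml -i inventory/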