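# Manually triggered workflow: regenerates the rule set from the upstream
# Surge source and pushes the contents of dist/ to a branch of a separate
# Gitea repository, authenticating with GITEA_TOKEN.
name: Publish Rules To External Repo

on:
  workflow_dispatch:

# The workflow token only needs to read this repository; the push to the
# target repository uses GITEA_TOKEN instead.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # Secrets are handed to the script through env rather than interpolated
      # into the script text, so their values never become part of the shell
      # source. When any of them is empty, the job is skipped (skip=true) and
      # still exits 0, so a green run does not by itself mean rules were
      # published.
      - name: Validate required secrets
        id: preflight
        shell: bash
        run: |
          missing=0
          for key in GITEA_BASE_URL GITEA_TOKEN TARGET_OWNER TARGET_REPO; do
            # ${!key} is bash indirect expansion: the value of the variable
            # whose name is stored in $key.
            if [ -z "${!key}" ]; then
              echo "Missing required secret: $key" >&2
              missing=1
            fi
          done
          if [ "$missing" -ne 0 ]; then
            echo "skip=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          echo "skip=false" >> "$GITHUB_OUTPUT"
        env:
          GITEA_BASE_URL: ${{ secrets.GITEA_BASE_URL }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          TARGET_OWNER: ${{ secrets.TARGET_OWNER }}
          TARGET_REPO: ${{ secrets.TARGET_REPO }}

      # NOTE(review): v4 is a mutable tag; pinning the action to a full commit
      # SHA prevents a retagged release from changing what runs here.
      # NOTE(review): actions/checkout keeps its token in the local git config
      # by default, and later steps run repository scripts. Consider
      # `persist-credentials: false` if those scripts need no git auth - confirm.
      - name: Checkout generator repo
        if: steps.preflight.outputs.skip != 'true'
        uses: actions/checkout@v4
        with:
          github-server-url: https://git.halonice.com

      # NOTE(review): same tag-vs-SHA pinning consideration as the checkout.
      - name: Setup Python
        if: steps.preflight.outputs.skip != 'true'
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"

      # UPSTREAM_REF comes from a repository variable and defaults to master
      # when the variable is unset or empty.
      - name: Sync upstream Surge source
        if: steps.preflight.outputs.skip != 'true'
        shell: bash
        run: |
          UPSTREAM_REF="${UPSTREAM_REF:-master}" bash scripts/sync_surge_full.sh
        env:
          UPSTREAM_REF: ${{ vars.UPSTREAM_REF }}

      # Prefers config.toml and falls back to config.json.
      # NOTE(review): GITEA_TOKEN is exposed to main.py and anything it runs;
      # drop it from this step if the generator does not use it - confirm.
      - name: Generate rules
        if: steps.preflight.outputs.skip != 'true'
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
        run: |
          if [ -f config.toml ]; then
            python3 main.py --config config.toml
          else
            python3 main.py --config config.json
          fi

      - name: Publish dist to target repo branch
        if: steps.preflight.outputs.skip != 'true'
        shell: bash
        run: |
          set -euo pipefail

          target_branch="${TARGET_BRANCH:-main}"
          workdir=/tmp/rules-publish

          # The token is embedded in the remote URL, so git stores it in the
          # clone's .git/config. Remove the clone when the step ends so the
          # credential does not stay on the runner's disk.
          trap 'rm -rf "$workdir"' EXIT

          base="${GITEA_BASE_URL%/}"
          if [[ "$base" == https://* ]]; then
            auth_url="https://${GITEA_TOKEN}@${base#https://}"
          elif [[ "$base" == http://* ]]; then
            # Plain HTTP sends the token unencrypted; prefer an https:// URL.
            echo "Warning: GITEA_BASE_URL uses http://; the token is sent in cleartext" >&2
            auth_url="http://${GITEA_TOKEN}@${base#http://}"
          else
            echo "GITEA_BASE_URL must start with http:// or https://" >&2
            exit 1
          fi
          remote_url="${auth_url}/${TARGET_OWNER}/${TARGET_REPO}.git"

          rm -rf "$workdir"
          # Clone the target branch; if that fails (for example because the
          # branch does not exist yet), clone the default branch and create
          # the target branch locally.
          git clone --depth=1 --branch "$target_branch" "$remote_url" "$workdir" || {
            git clone --depth=1 "$remote_url" "$workdir"
            git -C "$workdir" checkout -b "$target_branch"
          }

          # --delete removes everything in the destination that is absent from
          # dist/, which includes the clone's .git directory unless it is
          # excluded. Without the exclude, the git commands below run outside
          # a repository, `git status` prints nothing on stdout, and the step
          # reports "No publish changes" without ever pushing.
          rsync -a --delete --exclude='/.git/' dist/ "$workdir"/

          cd "$workdir"
          if [ -n "$(git status --porcelain)" ]; then
            git config user.name "gitea-actions[bot]"
            git config user.email "gitea-actions@localhost"
            git add .
            git commit -m "chore: publish generated rules"
            git push origin "$target_branch"
            echo "Published to ${TARGET_OWNER}/${TARGET_REPO}@${target_branch}"
          else
            echo "No publish changes"
          fi
        env:
          GITEA_BASE_URL: ${{ secrets.GITEA_BASE_URL }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          TARGET_OWNER: ${{ secrets.TARGET_OWNER }}
          TARGET_REPO: ${{ secrets.TARGET_REPO }}
          TARGET_BRANCH: ${{ vars.TARGET_BRANCH }}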