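---
# Reconcile workflow: on a push to main that touches netbird.json, ask the
# reconciler service to sync events, apply the desired state, and store any
# newly created setup keys as an age-encrypted artifact.
name: Reconcile

on:
  push:
    branches:
      - main
    paths:
      - "netbird.json"

# Least privilege: no step here pushes commits or calls the GitHub API with
# write scope, so the job token only needs to read the repository.
permissions:
  contents: read

jobs:
  reconcile:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions used here are referenced by mutable tag;
      # pinning them to a full commit SHA would protect against a retagged
      # release.
      - uses: actions/checkout@v4

      - name: Sync events
        # Secrets go through env rather than being interpolated into the
        # script text, so a value containing quotes or shell metacharacters
        # cannot alter the command that runs.
        env:
          RECONCILER_TOKEN: ${{ secrets.RECONCILER_TOKEN }}
          RECONCILER_URL: ${{ secrets.RECONCILER_URL }}
        run: |
          curl -sf \
            -X POST \
            -H "Authorization: Bearer ${RECONCILER_TOKEN}" \
            "${RECONCILER_URL}/sync-events"

      - name: Pull latest (poller may have committed)
        run: git pull --rebase

      - name: Apply reconcile
        id: reconcile
        env:
          RECONCILER_TOKEN: ${{ secrets.RECONCILER_TOKEN }}
          RECONCILER_URL: ${{ secrets.RECONCILER_URL }}
        run: |
          # The response may carry freshly created setup keys. Keep it in a
          # file only the runner user can read instead of in a step output:
          # outputs are not masked, and an output interpolated into a later
          # `run:` script is printed in the job log with that script.
          umask 077
          RESPONSE_FILE="${RUNNER_TEMP}/reconcile-response.json"

          curl -sf \
            -X POST \
            -H "Authorization: Bearer ${RECONCILER_TOKEN}" \
            -H "Content-Type: application/json" \
            -d @netbird.json \
            -o "$RESPONSE_FILE" \
            "${RECONCILER_URL}/reconcile"

          # Publish the response as the `response` output with the key
          # material removed. Compact single-line JSON avoids the multi-line
          # heredoc form, which a response line equal to the delimiter could
          # break out of.
          echo "response=$(jq -c 'del(.created_keys)' "$RESPONSE_FILE")" >> "$GITHUB_OUTPUT"

          STATUS=$(jq -r '.status' "$RESPONSE_FILE")
          if [ "$STATUS" = "error" ]; then
            echo "Reconcile failed"
            # Log the failure detail without any key material.
            jq 'del(.created_keys)' "$RESPONSE_FILE"
            exit 1
          fi

      - name: Encrypt and upload setup keys
        if: success()
        env:
          AGE_PUBLIC_KEY: ${{ secrets.AGE_PUBLIC_KEY }}
        run: |
          # NOTE(review): assumes `age` is available on the runner; confirm
          # or add an install step.
          RESPONSE_FILE="${RUNNER_TEMP}/reconcile-response.json"
          KEYS=$(jq -r '.created_keys // empty' "$RESPONSE_FILE")
          # The plaintext response is no longer needed once the keys are read.
          rm -f "$RESPONSE_FILE"

          if [ -n "$KEYS" ] && [ "$KEYS" != "{}" ] && [ "$KEYS" != "null" ]; then
            echo "$KEYS" | age -r "$AGE_PUBLIC_KEY" -o setup-keys.age
            echo "Setup keys encrypted to setup-keys.age"
          else
            echo "No new keys created"
            exit 0
          fi

      - name: Upload artifact
        if: success()
        uses: actions/upload-artifact@v4
        with:
          name: setup-keys
          path: setup-keys.age
          # A run that created no keys produces no file; that is not an error.
          if-no-files-found: ignore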