household-bot/.github/workflows/cd.yml

name: CD

on:
  workflow_run:
    workflows:
      - CI
    types:
      - completed
    branches:
      - main
  workflow_dispatch:

permissions:
  contents: read
  id-token: write

concurrency:
  group: cd-main
  cancel-in-progress: false

jobs:
  check-secrets:
    name: Check deploy prerequisites
    runs-on: ubuntu-latest
    outputs:
      eligible_event: ${{ steps.check.outputs.eligible_event }}
      secrets_ok: ${{ steps.check.outputs.secrets_ok }}
      db_secret_ok: ${{ steps.check.outputs.db_secret_ok }}

    steps:
      - name: Evaluate trigger and required secrets
        id: check
        env:
          GCP_PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
          GCP_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: |
          eligible_event=false
          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            eligible_event=true
          elif [[ "${{ github.event_name }}" == "workflow_run" && "${{ github.event.workflow_run.conclusion }}" == "success" ]]; then
            eligible_event=true
          fi

          secrets_ok=false
          if [[ -n "$GCP_PROJECT_ID" && -n "$GCP_WORKLOAD_IDENTITY_PROVIDER" && -n "$GCP_SERVICE_ACCOUNT" ]]; then
            secrets_ok=true
          fi

          db_secret_ok=false
          if [[ -n "$DATABASE_URL" ]]; then
            db_secret_ok=true
          fi

          echo "eligible_event=$eligible_event" >> "$GITHUB_OUTPUT"
          echo "secrets_ok=$secrets_ok" >> "$GITHUB_OUTPUT"
          echo "db_secret_ok=$db_secret_ok" >> "$GITHUB_OUTPUT"

  deploy:
    name: Deploy Cloud Run
    runs-on: ubuntu-latest
    needs: check-secrets
    timeout-minutes: 30
    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok == 'true' }}
    env:
      GCP_REGION: ${{ vars.GCP_REGION || 'europe-west1' }}
      ARTIFACT_REPOSITORY: ${{ vars.ARTIFACT_REPOSITORY || 'household-bot' }}
      CLOUD_RUN_SERVICE_BOT: ${{ vars.CLOUD_RUN_SERVICE_BOT || 'household-dev-bot-api' }}
      CLOUD_RUN_SERVICE_MINI: ${{ vars.CLOUD_RUN_SERVICE_MINI || 'household-dev-mini-app' }}

    steps:
      - name: Checkout deployment ref
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}

      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version-file: .bun-version

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      - name: Run database migrations
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: bun run db:migrate

      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@v2

      - name: Load Telegram bot token for command sync
        id: telegram-token
        env:
          TELEGRAM_BOT_TOKEN_SECRET_ID: ${{ vars.TELEGRAM_BOT_TOKEN_SECRET_ID || 'telegram-bot-token' }}
        run: |
          set +e
          token="$(gcloud secrets versions access latest \
            --secret "${TELEGRAM_BOT_TOKEN_SECRET_ID}" \
            --project "${{ secrets.GCP_PROJECT_ID }}" 2>/dev/null)"
          status=$?
          set -e

          if [[ $status -ne 0 || -z "$token" ]]; then
            echo "available=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          echo "::add-mask::$token"
          {
            echo "available=true"
            echo "token<<EOF"
            echo "$token"
            echo "EOF"
          } >> "$GITHUB_OUTPUT"

      - name: Configure Artifact Registry auth
        run: |
          gcloud auth configure-docker "${GCP_REGION}-docker.pkg.dev" --quiet

      - name: Resolve image tags
        id: images
        run: |
          bot_image="${GCP_REGION}-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}/bot:${GITHUB_SHA}"
          mini_image="${GCP_REGION}-docker.pkg.dev/${{ secrets.GCP_PROJECT_ID }}/${ARTIFACT_REPOSITORY}/miniapp:${GITHUB_SHA}"

          echo "bot_image=$bot_image" >> "$GITHUB_OUTPUT"
          echo "mini_image=$mini_image" >> "$GITHUB_OUTPUT"

      - name: Build and push bot image
        run: |
          docker build -f apps/bot/Dockerfile -t "${{ steps.images.outputs.bot_image }}" .
          docker push "${{ steps.images.outputs.bot_image }}"

      - name: Build and push mini app image
        run: |
          docker build -f apps/miniapp/Dockerfile -t "${{ steps.images.outputs.mini_image }}" .
          docker push "${{ steps.images.outputs.mini_image }}"

      - name: Deploy bot service
        run: |
          gcloud run deploy "${CLOUD_RUN_SERVICE_BOT}" \
            --image "${{ steps.images.outputs.bot_image }}" \
            --region "${GCP_REGION}" \
            --project "${{ secrets.GCP_PROJECT_ID }}" \
            --allow-unauthenticated \
            --quiet

      - name: Deploy mini app service
        run: |
          gcloud run deploy "${CLOUD_RUN_SERVICE_MINI}" \
            --image "${{ steps.images.outputs.mini_image }}" \
            --region "${GCP_REGION}" \
            --project "${{ secrets.GCP_PROJECT_ID }}" \
            --allow-unauthenticated \
            --quiet

      - name: Sync Telegram commands
        if: ${{ steps.telegram-token.outputs.available == 'true' }}
        env:
          TELEGRAM_BOT_TOKEN: ${{ steps.telegram-token.outputs.token }}
        run: bun run ops:telegram:commands set

      - name: Telegram command sync skipped
        if: ${{ steps.telegram-token.outputs.available != 'true' }}
        run: |
          echo "Telegram command sync skipped."
          echo "Grant the CD service account access to the bot token secret or set TELEGRAM_BOT_TOKEN_SECRET_ID."

  deploy-skipped:
    name: Deploy skipped (missing config)
    runs-on: ubuntu-latest
    needs: check-secrets
    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'false' }}

    steps:
      - name: Print configuration hint
        run: |
          echo "CD skipped: configure required GitHub secrets."
          echo "Required: GCP_PROJECT_ID, GCP_WORKLOAD_IDENTITY_PROVIDER, GCP_SERVICE_ACCOUNT, DATABASE_URL"
          echo "Optional repo/service vars: GCP_REGION, ARTIFACT_REPOSITORY, CLOUD_RUN_SERVICE_BOT, CLOUD_RUN_SERVICE_MINI"

  deploy-blocked-db:
    name: Deploy blocked (missing DATABASE_URL)
    runs-on: ubuntu-latest
    needs: check-secrets
    if: ${{ needs.check-secrets.outputs.eligible_event == 'true' && needs.check-secrets.outputs.secrets_ok == 'true' && needs.check-secrets.outputs.db_secret_ok != 'true' }}

    steps:
      - name: Fail fast on missing DATABASE_URL
        run: |
          echo "CD blocked: DATABASE_URL GitHub secret is required."
          echo "This workflow now refuses to deploy without running migrations against the target database."
          exit 1