# Gitea Actions CI/CD - build + deploy SOLUTION_ERP to IIS on same VPS.
# Trigger: push to main, or manual dispatch.
#
# Self-hosted Windows runner on VPS (shared with VIETREPORT). Runner has:
#   - git, .NET 10 SDK, Node 20, IIS
#   - Can deploy locally (no WinRM needed)
#
# Secrets required in Gitea repo settings:
#   - JWT_SECRET     (64+ chars random)
#   - DB_CONNECTION  (full connection string with vrapp password)

name: Deploy SOLUTION_ERP

on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  build-deploy:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      - name: Show tool versions
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' --version
          & 'C:\Program Files\nodejs\node.exe' --version
          & 'C:\Program Files\nodejs\npm.cmd' --version

      # ============== TEST GATE ==============
      # Run unit tests TRƯỚC build/publish/deploy. Test fail → exit non-zero
      # → toàn bộ job stop, KHÔNG deploy. Phase 1 chỉ Domain layer (~54 test
      # phase machine + policy registry). Mở rộng Application/Infra/Api
      # khi có nhu cầu (xem docs/changelog/migration-todos.md).
      - name: Run unit tests (Domain)
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' test tests/SolutionErp.Domain.Tests/SolutionErp.Domain.Tests.csproj `
            --configuration Release `
            --logger "trx;LogFileName=domain-tests.trx" `
            --results-directory test-results
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }

      - name: Upload test results
        if: always()
        continue-on-error: true   # nếu Gitea runner chưa có upload-artifact action, skip không block deploy
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: test-results/*.trx
          retention-days: 14

      # ============== BUILD ==============
      - name: Build backend
        shell: powershell
        run: |
          & 'C:\Program Files\dotnet\dotnet.exe' restore SolutionErp.slnx
          & 'C:\Program Files\dotnet\dotnet.exe' publish src/Backend/SolutionErp.Api/SolutionErp.Api.csproj `
            --configuration Release `
            --output out/api `
            --runtime win-x64 `
            --self-contained false

      - name: Build fe-admin
        shell: powershell
        working-directory: fe-admin
        run: |
          # Vite 8 rolldown native binding must match platform; fresh resolve on Windows
          Remove-Item node_modules, package-lock.json -Recurse -Force -ErrorAction SilentlyContinue
          & 'C:\Program Files\nodejs\npm.cmd' install --no-audit --no-fund
          & 'C:\Program Files\nodejs\npm.cmd' run build

      - name: Build fe-user
        shell: powershell
        working-directory: fe-user
        run: |
          Remove-Item node_modules, package-lock.json -Recurse -Force -ErrorAction SilentlyContinue
          & 'C:\Program Files\nodejs\npm.cmd' install --no-audit --no-fund
          & 'C:\Program Files\nodejs\npm.cmd' run build

      - name: Deploy to IIS (local)
        if: github.ref == 'refs/heads/main'
        shell: powershell
        env:
          JWT_SECRET: ${{ secrets.JWT_SECRET }}
          DB_CONNECTION: ${{ secrets.DB_CONNECTION }}
        run: |
          Import-Module WebAdministration

          # Stop app pool (if running) so DLLs are writable
          $poolState = (Get-WebAppPoolState -Name SolutionErp-Api -ErrorAction SilentlyContinue).Value
          if ($poolState -eq 'Started') {
              Stop-WebAppPool -Name SolutionErp-Api
              Start-Sleep -Seconds 3
          }

          # Deploy API
          Remove-Item -Path 'C:\inetpub\solution-erp\api\*' -Recurse -Force -Exclude 'appsettings.Production.json','logs','uploads','wwwroot' -ErrorAction SilentlyContinue
          Copy-Item -Path 'out\api\*' -Destination 'C:\inetpub\solution-erp\api\' -Recurse -Force

          # Write appsettings.Production.json from source template + secrets.
          # Template is in source workspace (not in publish output - dotnet publish
          # doesn't copy .example files).
          $example = 'src\Backend\SolutionErp.Api\appsettings.Production.json.example'
          $prod    = 'C:\inetpub\solution-erp\api\appsettings.Production.json'
          $settings = Get-Content $example -Raw | ConvertFrom-Json
          $settings.ConnectionStrings.Default = $env:DB_CONNECTION
          $settings.Jwt.Secret = $env:JWT_SECRET
          $settings | ConvertTo-Json -Depth 10 | Set-Content -Path $prod -Encoding UTF8
          Write-Host "Wrote appsettings.Production.json"

          # Restrict ACL
          icacls $prod /inheritance:r | Out-Null
          icacls $prod /grant:r 'Administrators:(R,W)' 'IIS AppPool\SolutionErp-Api:(R)' | Out-Null

          # Deploy fe-admin
          Remove-Item -Path 'C:\inetpub\solution-erp\fe-admin\*' -Recurse -Force -Exclude 'web.config' -ErrorAction SilentlyContinue
          Copy-Item -Path 'fe-admin\dist\*' -Destination 'C:\inetpub\solution-erp\fe-admin\' -Recurse -Force

          # Deploy fe-user
          Remove-Item -Path 'C:\inetpub\solution-erp\fe-user\*' -Recurse -Force -Exclude 'web.config' -ErrorAction SilentlyContinue
          Copy-Item -Path 'fe-user\dist\*' -Destination 'C:\inetpub\solution-erp\fe-user\' -Recurse -Force

          # Restart app pool
          Start-WebAppPool -Name SolutionErp-Api
          Write-Host "Deploy done. App pool started."

      - name: Smoke test
        if: github.ref == 'refs/heads/main'
        shell: powershell
        run: |
          Start-Sleep -Seconds 10
          try {
              $r = Invoke-WebRequest -Uri 'https://api.solutions.com.vn/health/live' -TimeoutSec 30 -UseBasicParsing
              Write-Host "API /health/live -> $($r.StatusCode)"
          } catch {
              Write-Warning "API smoke test: $_"
          }