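# Build, publish npm packages, and push Docker images
# Runs only on main branch push/tag

variables:
  # NOTE(review): both images below are referenced by mutable tag, and the
  # steps that run in them receive registry credentials. Pinning by digest
  # (for example 'node:22-alpine@sha256:<digest>') makes the publish
  # environment reproducible and removes the tag owner from the trust path.
  - &node_image 'node:22-alpine'
  - &enable_pnpm 'corepack enable'

when:
  - branch: [main]
    event: [push, manual, tag]

steps:
  install:
    image: *node_image
    commands:
      - *enable_pnpm
      # --frozen-lockfile fails the step instead of resolving new versions
      # when the lockfile and the manifests disagree.
      - pnpm install --frozen-lockfile

  build:
    image: *node_image
    commands:
      - *enable_pnpm
      - pnpm build
    depends_on:
      - install

  publish-npm:
    image: *node_image
    environment:
      NPM_TOKEN:
        from_secret: gitea_token
    commands:
      - *enable_pnpm
      # Configure auth for Gitea npm registry.
      # The token is written to ~/.npmrc in the step container; this assumes
      # HOME is outside the shared workspace, so the file is not visible to
      # the image builds that use the workspace as context. TODO confirm.
      - |
        echo "//git.mosaicstack.dev/api/packages/mosaicstack/npm/:_authToken=$NPM_TOKEN" > ~/.npmrc
        echo "@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaicstack/npm/" >> ~/.npmrc
      # Publish non-private packages to Gitea.
      #
      # The only publish failure we tolerate is "version already exists" —
      # that legitimately happens when only some packages were bumped in
      # the merge. Any other failure (registry 404, auth error, network
      # error) MUST fail the pipeline loudly: the previous
      # `|| echo "... continuing"` fallback silently hid a 404 from the
      # Gitea org rename and caused every @mosaicstack/* publish to fall
      # on the floor while CI still reported green.
      #
      # The exit status is taken from pnpm directly rather than from the
      # bash-only PIPESTATUS array behind a `| tee` pipe: this image ships
      # no bash, its /bin/sh (busybox ash) has no arrays, and a brace-form
      # variable may also be consumed by the CI engine's own substitution
      # before the shell runs. Output is captured first and printed after,
      # so it is no longer streamed while pnpm is running.
      - |
        # A command used as an `if` condition does not trip errexit.
        if pnpm --filter "@mosaicstack/*" --filter "!@mosaicstack/web" publish --no-git-checks --access public > /tmp/publish.log 2>&1; then
          EXIT=0
        else
          EXIT=1
        fi
        cat /tmp/publish.log

        if [ "$EXIT" -eq 0 ]; then
          echo "[publish] all packages published successfully"
          exit 0
        fi

        # Any hard registry/auth/network error fails the pipeline.
        # This check runs before the conflict check so that a log holding
        # both a hard error and an "already published" line still fails.
        if grep -qE "E404|E401|ENEEDAUTH|ECONNREFUSED|ETIMEDOUT|ENOTFOUND" /tmp/publish.log; then
          echo "[publish] FATAL: registry/auth/network error detected — failing pipeline" >&2
          exit 1
        fi

        # Tolerate only the specific "version already published" case.
        if grep -qE "EPUBLISHCONFLICT|cannot publish over|previously published" /tmp/publish.log; then
          echo "[publish] some packages already at this version — continuing (non-fatal)"
          exit 0
        fi

        echo "[publish] FATAL: publish failed with unrecognized error — failing pipeline" >&2
        exit 1
    depends_on:
      - build

  # TODO: Uncomment when ready to publish to npmjs.org
  # publish-npmjs:
  #   image: *node_image
  #   environment:
  #     NPM_TOKEN:
  #       from_secret: npmjs_token
  #   commands:
  #     - *enable_pnpm
  #     - apk add --no-cache jq bash
  #     - bash scripts/publish-npmjs.sh
  #   depends_on:
  #     - build
  #   when:
  #     - event: [tag]

  build-gateway:
    # NOTE(review): mutable tag on the image that receives the registry
    # password; consider pinning by digest (…:debug@sha256:<digest>).
    image: gcr.io/kaniko-project/executor:debug
    environment:
      REGISTRY_USER:
        from_secret: gitea_username
      REGISTRY_PASS:
        from_secret: gitea_password
      # Quoted so that a value that looks like a number or boolean (for
      # example a tag named 1.10) stays a string after substitution.
      CI_COMMIT_BRANCH: "${CI_COMMIT_BRANCH}"
      CI_COMMIT_TAG: "${CI_COMMIT_TAG}"
      CI_COMMIT_SHA: "${CI_COMMIT_SHA}"
    commands:
      - mkdir -p /kaniko/.docker
      # NOTE(review): the credentials are spliced into the JSON unescaped;
      # a username or password containing a double quote or a backslash
      # produces invalid or altered JSON. Restrict the secret's character
      # set or generate this file with a JSON-aware tool.
      - echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
      # Always push an immutable sha-<short commit> tag; add :latest on main
      # and the git tag name on tag builds. $DESTINATIONS is left unquoted on
      # purpose so it splits into separate --destination arguments.
      - |
        DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/mosaic-stack/gateway:sha-${CI_COMMIT_SHA:0:7}"
        if [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/mosaic-stack/gateway:latest"
        fi
        if [ -n "$CI_COMMIT_TAG" ]; then
          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/mosaic-stack/gateway:$CI_COMMIT_TAG"
        fi
        /kaniko/executor --context . --dockerfile docker/gateway.Dockerfile $DESTINATIONS
    depends_on:
      - build

  build-web:
    # NOTE(review): mutable tag on the image that receives the registry
    # password; consider pinning by digest (…:debug@sha256:<digest>).
    image: gcr.io/kaniko-project/executor:debug
    environment:
      REGISTRY_USER:
        from_secret: gitea_username
      REGISTRY_PASS:
        from_secret: gitea_password
      # Quoted so that a value that looks like a number or boolean (for
      # example a tag named 1.10) stays a string after substitution.
      CI_COMMIT_BRANCH: "${CI_COMMIT_BRANCH}"
      CI_COMMIT_TAG: "${CI_COMMIT_TAG}"
      CI_COMMIT_SHA: "${CI_COMMIT_SHA}"
    commands:
      - mkdir -p /kaniko/.docker
      # NOTE(review): the credentials are spliced into the JSON unescaped;
      # a username or password containing a double quote or a backslash
      # produces invalid or altered JSON. Restrict the secret's character
      # set or generate this file with a JSON-aware tool.
      - echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$REGISTRY_USER\",\"password\":\"$REGISTRY_PASS\"}}}" > /kaniko/.docker/config.json
      # Always push an immutable sha-<short commit> tag; add :latest on main
      # and the git tag name on tag builds. $DESTINATIONS is left unquoted on
      # purpose so it splits into separate --destination arguments.
      - |
        DESTINATIONS="--destination git.mosaicstack.dev/mosaicstack/mosaic-stack/web:sha-${CI_COMMIT_SHA:0:7}"
        if [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/mosaic-stack/web:latest"
        fi
        if [ -n "$CI_COMMIT_TAG" ]; then
          DESTINATIONS="$DESTINATIONS --destination git.mosaicstack.dev/mosaicstack/mosaic-stack/web:$CI_COMMIT_TAG"
        fi
        /kaniko/executor --context . --dockerfile docker/web.Dockerfile $DESTINATIONS
    depends_on:
      - build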