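---
# Deploys the Authentik stack with Docker Compose on every push to main.
#
# Security notes for maintainers:
# - Every step drives the Docker daemon available to the runner, so anyone who
#   can push to main (or edit this workflow) can start containers there.
#   Protect the branch and review workflow changes accordingly.
# - Images are pulled before the running stack is stopped, so a failed pull
#   does not leave the identity provider down.
# - A timed-out health check fails the job instead of only printing a message;
#   a green run then means the services actually answered.
name: deploy-authentik

on:
  push:
    branches: [main]

# Least privilege for the job token: the job only needs to read the repository.
permissions:
  contents: read

jobs:
  #───────────────── deploy ─────────────────
  deploy:
    runs-on: docker
    steps:
      # NOTE(review): `v3` is a mutable tag; pin the action to a full commit
      # SHA so a retagged release cannot change what runs on the deploy host.
      - uses: actions/checkout@v3

      - name: Ensure external docker network exists
        run: |
          docker network inspect principal >/dev/null 2>&1 || docker network create principal

      # Pull first: if the registry is unreachable the job stops here and the
      # currently running stack keeps serving logins.
      - name: Pull latest images
        run: docker compose -f docker-compose.yml pull

      # `|| true` is kept on purpose: there may be no stack to stop on the
      # first deployment.
      - name: Stop existing Authentik stack
        run: docker compose -f docker-compose.yml --project-name authentik down || true

      - name: Start Authentik stack
        run: docker compose -f docker-compose.yml --project-name authentik up -d --remove-orphans

      - name: Wait for services to be healthy
        run: |
          echo "Waiting for PostgreSQL..."
          timeout 60 bash -c 'until docker compose -f docker-compose.yml --project-name authentik exec -T postgresql pg_isready -U authentik; do sleep 2; done' || { echo "PostgreSQL health check timed out" >&2; exit 1; }
          echo "Waiting for Redis..."
          timeout 60 bash -c 'until docker compose -f docker-compose.yml --project-name authentik exec -T redis redis-cli ping | grep PONG; do sleep 2; done' || { echo "Redis health check timed out" >&2; exit 1; }

      # The diagnostic steps run even after a failed health check, because
      # that is when their output is needed.
      - name: Show service status
        if: always()
        run: docker compose -f docker-compose.yml --project-name authentik ps

      # NOTE(review): container output lands in the CI job log. Confirm who can
      # read job logs, since the services may log request or account details.
      - name: Show recent logs
        if: always()
        run: docker compose -f docker-compose.yml --project-name authentik logs --tail=50

      - name: Inspect published ports
        if: always()
        run: |
          echo "=== Server container ports ==="
          CID=$(docker compose -f docker-compose.yml --project-name authentik ps -q server)
          echo "Container: $CID"
          docker inspect "$CID" --format '{{json .NetworkSettings.Ports}}' || true
          docker port "$CID" || true

      # Poll instead of a fixed sleep, and fail the job if the server never
      # answers. NOTE(review): assumes port 9000 is reachable as localhost
      # from where the job runs - confirm for this runner.
      - name: Test HTTP endpoint
        run: |
          echo "Testing HTTP endpoint..."
          timeout 120 bash -c 'until curl -fsS --max-time 10 -o /dev/null http://localhost:9000; do sleep 5; done' || { echo "HTTP endpoint not ready yet" >&2; exit 1; }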