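---
# Builds the Hugo site on every push to main and syncs the generated
# `public/` directory into a deploy directory that is expected to be
# bind-mounted into the runner container (see the messages in the deploy step).
name: Deploy Hugo site

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v4` is a mutable tag. Pinning the action to a full
      # commit SHA prevents a retagged release from changing what runs in a
      # job that can write to the web root.
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step talks to the git remote, so do not leave the job
          # token in the checked-out repository's git config.
          persist-credentials: false

      - name: Install Hugo
        run: |
          set -eu
          HUGO_VERSION="0.145.0"
          HUGO_ARCHIVE="hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"
          HUGO_CHECKSUMS="hugo_${HUGO_VERSION}_checksums.txt"
          HUGO_RELEASE_URL="https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}"

          # Download and unpack in a scratch directory: the release archive
          # carries more than the binary, and unpacking it in the workspace
          # could overwrite same-named files of the checked-out site.
          WORK_DIR="$(mktemp -d)"
          trap 'rm -rf "$WORK_DIR"' EXIT
          cd "$WORK_DIR"

          wget -q "${HUGO_RELEASE_URL}/${HUGO_ARCHIVE}"
          wget -q "${HUGO_RELEASE_URL}/${HUGO_CHECKSUMS}"

          # Verify the archive before running anything from it. An empty
          # match makes sha256sum fail, so a missing entry fails closed.
          # The checksum list comes from the same release as the archive, so
          # this catches a corrupted or mismatched download only; pinning the
          # expected SHA-256 in this file is the stronger control.
          awk -v f="$HUGO_ARCHIVE" '$2 == f' "$HUGO_CHECKSUMS" | sha256sum -c -

          tar -xzf "$HUGO_ARCHIVE"
          install -d "$HOME/.local/bin"
          install -m 0755 hugo "$HOME/.local/bin/hugo"
          "$HOME/.local/bin/hugo" version

      - name: Build site
        run: |
          set -eu
          # PATH changes do not carry over between steps, so set it again.
          export PATH="$HOME/.local/bin:$PATH"
          hugo --minify

      - name: Deploy locally to Nginx root
        run: |
          set -eu
          DEPLOY_TARGET="/deploy/portfolio"

          # Defense in depth: only deploy from the expected repo/branch.
          [ "${GITHUB_REPOSITORY:-}" = "ludovic/portfolio-website" ] || {
            echo "Refusing deploy: unexpected repository '${GITHUB_REPOSITORY:-}'"
            exit 1
          }
          [ "${GITHUB_REF:-}" = "refs/heads/main" ] || {
            echo "Refusing deploy: unexpected ref '${GITHUB_REF:-}'"
            exit 1
          }

          # The target must already exist: rsync would otherwise create it
          # inside the container and the site would never reach the host.
          if [ ! -d "$DEPLOY_TARGET" ]; then
            echo "Deploy target '$DEPLOY_TARGET' does not exist in runner container."
            echo "Bind-mount host '/var/www/portfolio' to '$DEPLOY_TARGET' in the Gitea runner container."
            ls -la /deploy || true
            exit 1
          fi

          if [ ! -w "$DEPLOY_TARGET" ]; then
            echo "Deploy target '$DEPLOY_TARGET' is not writable by runner user."
            ls -ld "$DEPLOY_TARGET" || true
            exit 1
          fi

          # --delete removes anything in the target that is not in public/,
          # which is why the target path is fixed above and checked first.
          rsync -az --delete public/ "$DEPLOY_TARGET/"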