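---
# Deploys infra/hello-lambda.yml as the CloudFormation stack
# "hello-lambda-stack" from the self-hosted "nas-safe" runner.
# AWS credentials come from repository secrets; the region is read from the
# secret named LOWER (name kept as-is for compatibility with existing secrets).
name: Deploy Hello Lambda CFT

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches: [main]

# Least privilege for the workflow token: this job only reads the repository.
# GitHub Actions honours this key; runners that do not implement it ignore it.
permissions:
  contents: read

# CloudFormation refuses a second update while the stack is still
# *_IN_PROGRESS, so serialise runs that target the same stack. Without this a
# push and a manual dispatch landing together would fail one of the two.
# (GitHub Actions key; runners that do not implement it ignore it.)
concurrency:
  group: deploy-hello-lambda-stack
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: nas-safe
    # Job-level env is exported to every step below, including the clone step.
    # Keep the steps limited to first-party commands for that reason.
    env:
      AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
      AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
      AWS_SESSION_TOKEN: "${{ secrets.AWS_SESSION_TOKEN }}"
      AWS_DEFAULT_REGION: "${{ secrets.LOWER }}"
    steps:
      - name: Prepare source
        # The self-hosted runner may not have the repository checked out; fall
        # back to a shallow clone into _src and export SRC_DIR for later steps.
        # NOTE(review): the clone is unauthenticated — a private repository
        # would need a token here; confirm against the Forgejo setup.
        run: |
          set -e
          SRC_DIR="."
          if [ ! -f "infra/hello-lambda.yml" ]; then
            echo "Repository files not present in workspace. Cloning from Forgejo..."
            git clone --depth 1 "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" _src
            SRC_DIR="_src"
          fi
          [ -f "${SRC_DIR}/infra/hello-lambda.yml" ] || { echo "infra/hello-lambda.yml not found"; exit 1; }
          echo "SRC_DIR=${SRC_DIR}" >> "$GITHUB_ENV"
          echo "Using source directory: ${SRC_DIR}"

      - name: Ensure AWS CLI
        # Fail early with a clear message instead of a cryptic "command not
        # found" from the later steps.
        run: |
          if ! command -v aws >/dev/null 2>&1; then
            echo "aws CLI is not available on this runner. Install aws cli on the runner host/container and rerun."
            exit 1
          fi
          aws --version

      - name: Check required AWS secrets
        # Each required variable is checked separately so the log names the
        # one that is missing. A session token is optional (long-lived keys).
        run: |
          [ -n "$AWS_ACCESS_KEY_ID" ] || { echo "Missing required secret/env: AWS_ACCESS_KEY_ID"; exit 1; }
          [ -n "$AWS_SECRET_ACCESS_KEY" ] || { echo "Missing required secret/env: AWS_SECRET_ACCESS_KEY"; exit 1; }
          [ -n "$AWS_DEFAULT_REGION" ] || { echo "Missing required secret/env: AWS_DEFAULT_REGION (mapped from secret LOWER)"; exit 1; }
          if [ -z "${AWS_SESSION_TOKEN}" ]; then
            echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
          else
            echo "AWS_SESSION_TOKEN is set. Proceeding with STS temporary credentials."
          fi

      - name: Verify AWS identity
        # Confirms the credentials are accepted before touching CloudFormation.
        # Note that the caller account id and ARN are printed to the job log.
        run: |
          set -e
          if ! aws sts get-caller-identity; then
            echo "AWS authentication failed. If using STS creds, regenerate and update all 3 secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN."
            exit 1
          fi

      - name: Validate CFT
        # Syntax/schema check of the template before any stack change.
        run: |
          aws cloudformation validate-template \
            --template-body "file://${SRC_DIR}/infra/hello-lambda.yml"

      - name: Deploy CFT
        # --no-fail-on-empty-changeset: without it "aws cloudformation deploy"
        # exits non-zero when the template is unchanged, so a re-run or a push
        # that does not touch infra/ would fail the workflow for no reason.
        run: |
          aws cloudformation deploy \
            --stack-name hello-lambda-stack \
            --template-file "${SRC_DIR}/infra/hello-lambda.yml" \
            --capabilities CAPABILITY_NAMED_IAM \
            --no-fail-on-empty-changeset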