name: Continuous Delivery
on:
  # Used for debugging the workflow by manually calling it
  workflow_dispatch:
    inputs:
      deploy-staging:
        description: "Also deploy to staging. By default the deploy is not executed when triggering this workflow manually."
        type: boolean
        default: false
        required: false
  push:
    branches:
      - main

jobs:
  # Builds images that match what's default in docker-compose.yml for
  # local development.
  build-dev-images:
    uses: ./.github/workflows/_build_artifacts.yml
    secrets: inherit
    with:
      image_prefix: "dev"
      stage: "debug"
      profile: "debug"

  # Builds debug images with release binaries for compatibility tests in case the merge_group was skipped.
  build-test-images:
    uses: ./.github/workflows/_build_artifacts.yml
    secrets: inherit
    with:
      image_prefix: "debug"
      stage: "debug"
      profile: "release"

  # Re-run CI checks to make sure everything's green, since "Merging as administrator"
  # won't trigger these in the merge group.
  ci:
    uses: ./.github/workflows/ci.yml
    secrets: inherit
    with:
      profile: "release"
      stage: "release"

  deploy-staging:
    if: ${{ github.event_name != 'workflow_dispatch' || inputs.deploy-staging }}
    runs-on: ubuntu-22.04
    environment: gcp_staging
    permissions:
      contents: write
    # Cancel old workflow runs if new code is pushed
    concurrency:
      group: "staging-deploy-${{ github.workflow }}-${{ github.ref }}"
      cancel-in-progress: false
    needs: ci
    env:
      TF_CLOUD_ORGANIZATION: "firezone"
      TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
      TF_WORKSPACE: "staging"
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Tool Versions
        id: versions
        uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: ${{ steps.versions.outputs.terraform }}
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.workflow_run.head_branch }}
      - name: Upload Configuration
        uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
        id: apply-upload
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          # Subdirectory is set in the project settings:
          # https://app.terraform.io/app/firezone/workspaces/staging/settings/general
          directory: "./"
      - name: Create Plan Run
        uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
        id: apply-run
        env:
          TF_VAR_image_tag: '"${{ github.sha }}"'
        with:
          workspace: ${{ env.TF_WORKSPACE }}
          configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
      - name: Apply
        uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
        if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
        id: apply
        with:
          run: ${{ steps.apply-run.outputs.run_id }}
          comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"