name: Deploy Fleet website

on:
  push:
    branches: [ main ]
    paths:
      - 'website/**'
      - 'docs/**'
      - 'handbook/**'
      - 'articles/**'
      - 'schema/**'

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  build:
    if: ${{ github.repository == 'fleetdm/fleet' }}

    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [16.x]

    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
      with:
        egress-policy: audit

    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

    # Configure our access credentials for the Heroku CLI
    - uses: akhileshns/heroku-deploy@79ef2ae4ff9b897010907016b268fd0f88561820 # v3.6.8
      with:
        heroku_api_key: ${{secrets.HEROKU_API_TOKEN_FOR_BOT_USER}}
        heroku_app_name: "" # this has to be blank or it doesn't work
        heroku_email: ${{secrets.HEROKU_EMAIL_FOR_BOT_USER}}
        justlogin: true
    - run: heroku auth:whoami

    # Install the heroku-repo plugin in the Heroku CLI
    - run: heroku plugins:install heroku-repo

    # Set the Node.js version
    - name: Use Node.js ${{ matrix.node-version }}
      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
      with:
        node-version: ${{ matrix.node-version }}


    # Install the right version of Go for the Golang child process that we are currently using for CSR signing
    - name: Set up Go
      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
      with:
        go-version: ${{ vars.GO_VERSION }}

    # Download top-level dependencies and build Storybook in the website's assets/ folder
    - run: npm install --legacy-peer-deps && npm run build-storybook -- -o ./website/assets/storybook --loglevel verbose

    # Now start building!
    # > …but first, get a little crazy for a sec and delete the top-level package.json file
    # > i.e. the one used by the Fleet server.  This is because require() in node will go
    # > hunting in ancestral directories for missing dependencies, and since some of the
    # > bundled transpiler tasks sniff for package availability using require(), this trips
    # > up when it encounters another Node universe in the parent directory.
    - run: rm -rf package.json package-lock.json node_modules/
    # > Turns out there's a similar issue with how eslint plugins are looked up, so we
    # > delete the top level .eslintrc file too.
    - run: rm -f .eslintrc.js
    # > And, as a change to the top-level fleetdm/fleet .gitignore on May 2, 2022 revealed,
    # > we also need to delete the top level .gitignore file too, so that its rules don't
    # > interfere with the committing and force-pushing we're doing as part of our deploy
    # > script here.  For more info, see: https://github.com/fleetdm/fleet/pull/5549
    - run: rm -f .gitignore

    # Download dependencies (including dev deps)
    - run: cd website/ && npm install

    # Run sanity checks
    - run: cd website/ && npm test

    # Compile browser assets & markdown content into generated collateral
    - run: cd website/ && BUILD_SCRIPT_ARGS="--githubAccessToken=${{ secrets.FLEET_GITHUB_TOKEN_FOR_WEBSITE_TEST }}" npm run build-for-prod

    # Build the go binary we use to sign APNS certificates in the website/.tools/ folder.
    - run: cd ee/tools/mdm/ && GOOS=linux GOARCH=amd64 go build -o ../../../website/.tools/mdm-gen-cert .

    # Reset the Heroku app's git repo to prevent errors when pushing to the repo. (See https://github.com/fleetdm/fleet/issues/14162 for more details)
    - run: heroku repo:reset -a production-fleetdm-website

    # Commit newly-generated collateral locally so we can push them to Heroku below.
    # (This commit will never be pushed to GitHub- only to Heroku.)
    # > The local config flags make this work in GitHub's environment.
    - run: git add website/.www
    - run: git add website/.tools
    - run: git add -f website/views/partials/built-from-markdown  > /dev/null 2>&1 || echo '* * * WARNING - Silently ignoring the fact that there are no HTML partials generated from markdown to include in automated commit...'
    - run: git -c "user.name=Fleetwood" -c "user.email=github@example.com" commit -am 'AUTOMATED COMMIT - Deployed the latest, including generated collateral such as compiled documentation, modified HTML layouts, and a .sailsrc file that references minified client-side code assets.'

    # Configure the Heroku app we'll be deploying to
    - run: heroku git:remote -a production-fleetdm-website
    - run: git remote -v

    # Deploy to Heroku (by pushing)
    # > Since a shallow clone was grabbed, we have to "unshallow" it before forcepushing.
    - run: echo "Unshallowing local repository…"
    - run: git fetch --prune --unshallow
    - run: echo "Deploying branch '${GITHUB_REF##*/}' to Heroku…"
    - run: git push heroku +${GITHUB_REF##*/}:master  # note that Heroku, at least as of Jun 10 2021, still uses "master" on their end
    - name: 🌐 https://fleetdm.com
      run: echo '' && echo '--' && echo 'OK, done.  It should be live momentarily.' && echo '(if you get impatient, check the Heroku dashboard for status)' && echo && echo ' 🌐–•  https://fleetdm.com'