name: Validate RSA and Run Migrations

on:
  push:
    branches: [ dev ]
  workflow_dispatch: {}

jobs:
  migrate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: '1.20'

      - name: Validate RSA_PRIVATE_KEY_BASE64 secret
        env:
          RSA_B64: ${{ secrets.RSA_PRIVATE_KEY_BASE64 }}
        run: |
          if [ -z "$RSA_B64" ]; then
            echo "RSA_PRIVATE_KEY_BASE64 secret is missing. Add it in repository secrets." >&2
            exit 1
          fi
          echo "$RSA_B64" > rsa_base64.txt
          if ! base64 -d rsa_base64.txt > /tmp/key.pem 2>/dev/null; then
            # try convert literal \n
            printf '%b' "$RSA_B64" > /tmp/key.pem || true
          fi
          if ! openssl pkey -in /tmp/key.pem -noout -text >/dev/null 2>&1; then
            echo "RSA private key is invalid" >&2
            exit 1
          fi

      - name: Validate DATABASE_URL secret
        if: ${{ always() }}
        run: |
          if [ -z "${{ secrets.DATABASE_URL }}" ]; then
            echo "DATABASE_URL secret is missing. Set up your DB connection string in secrets." >&2
            exit 1
          fi

      - name: Run migrations
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}
        run: |
          cd backend
          go run ./cmd/manual_migrate