bootstrap/.gitea/workflows/build.yml

name: Build Bootstrap Bundle

on:
  push:
    branches: [main]
    paths:
      - 'bootstrap.yml'
      - 'roles/**'
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: python:3.12-slim
    steps:
      - name: Install system dependencies
        run: apt-get update && apt-get install -y --no-install-recommends git curl

      - name: Checkout
        run: |
          git config --global credential.helper '!f() { echo "username=token"; echo "password=${{ secrets.DEPLOY_TOKEN }}"; }; f'
          git clone --depth 1 --branch "${{ github.ref_name }}" "${{ github.server_url }}/${{ github.repository }}.git" .
          git checkout "${{ github.sha }}"

      - name: Install Python dependencies
        run: pip install ansible ansible-bundler

      - name: Verify playbook syntax
        run: |
          ansible-playbook --syntax-check bootstrap.yml -e 'user_pubkey="test"'

      - name: Build bundle
        run: |
          bundle-playbook bootstrap.yml -o bootstrap.run

      - name: Generate checksums
        run: |
          sha256sum bootstrap.run > bootstrap.run.sha256
          md5sum bootstrap.run > bootstrap.run.md5

      - name: Upload to release storage
        run: |
          # Option 1: Upload to Gitea generic packages
          curl -X PUT \
            -H "Authorization: token ${{ secrets.DEPLOY_TOKEN }}" \
            -T bootstrap.run \
            "${{ github.server_url }}/api/packages/${{ github.repository_owner }}/generic/bootstrap/latest/bootstrap.run"

          curl -X PUT \
            -H "Authorization: token ${{ secrets.DEPLOY_TOKEN }}" \
            -T bootstrap.run.sha256 \
            "${{ github.server_url }}/api/packages/${{ github.repository_owner }}/generic/bootstrap/latest/bootstrap.run.sha256"

      # Note: actions/upload-artifact requires Node.js, which isn't in python:3.12-slim.
      # Artifacts are already uploaded to Gitea packages above.