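---
# On every push to main, copy the allow-listed subset of this (private)
# repository into a fresh clone of the public mirror and push the result.
# The allow-list is the keep file named in the "Sync files" step; everything
# not matched by it is excluded from the rsync transfer.
name: Sync public mirror

on:
  push:
    branches: [main]

jobs:
  sync:
    runs-on: ubuntu-latest
    container: node:20-alpine
    steps:
      - name: Install tools
        run: apk add --no-cache git rsync openssh-client bash

      # NOTE(review): the action is referenced by a mutable tag. Pinning it to
      # a full commit SHA would stop the job, which holds the mirror's push
      # key, from picking up a changed action silently.
      - name: Checkout private repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Prepare SSH
        env:
          SSH_KEY: ${{ secrets.PUBLIC_REPO_SSH_KEY }}
        run: |
          set -euo pipefail
          # Restrict permissions before the key is written, so the file is
          # never readable by other users between creation and chmod.
          umask 077
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          printf '%s\n' "$SSH_KEY" > ~/.ssh/id_sync
          chmod 600 ~/.ssh/id_sync
          printf 'Host 192.168.1.15\n HostName 192.168.1.15\n Port 22\n User git\n IdentityFile ~/.ssh/id_sync\n IdentitiesOnly yes\n' >> ~/.ssh/config
          # NOTE(review): ssh-keyscan records whatever host key is offered at
          # this address on each run, so the server's identity is never
          # actually verified. Prefer writing a pinned, out-of-band-verified
          # host key into known_hosts instead of scanning for it.
          ssh-keyscan -p 22 192.168.1.15 >> ~/.ssh/known_hosts

      - name: Clone public repo
        run: git clone --depth 1 ssh://git@192.168.1.15:22/Bausager/Flux-openbuild.git /tmp/public

      - name: Sync files using .gitea/workflows/openbuild-keep.txt (debug)
        run: |
          set -euo pipefail
          # Command tracing is on for debugging; keep secrets out of this
          # step's environment while it stays enabled.
          set -x

          KEEP_FILE=".gitea/workflows/openbuild-keep.txt"  # <- change if you use another name
          INCLUDE_FILE="$(pwd)/.oss-include.rsync"

          # Stop with a clear message rather than a bare redirection error if
          # the allow-list is missing.
          if [ ! -f "$KEEP_FILE" ]; then
            echo "Keep file not found: $KEEP_FILE" >&2
            exit 1
          fi

          # Show what exists in the source
          echo "== Source tree (top) =="
          ls -la
          echo "== Source include/* (2 levels) =="
          find include -maxdepth 2 -type f -print 2>/dev/null || true

          # Build rsync include file
          : > "$INCLUDE_FILE"
          echo "## Generated from $KEEP_FILE" >> "$INCLUDE_FILE"
          echo "+ */" >> "$INCLUDE_FILE"  # allow directory descent
          # Always include the directory entry itself when using /** patterns
          echo "+ include/" >> "$INCLUDE_FILE"  # safe even if not present

          # "|| [ -n "$line" ]" keeps a final entry that has no trailing
          # newline; without it the last rule would be dropped silently.
          while IFS= read -r line || [ -n "$line" ]; do
            # Drop trailing comments, then trim surrounding whitespace with
            # parameter expansion so quotes and backslashes in a pattern are
            # left untouched.
            line="${line%%#*}"
            line="${line#"${line%%[![:space:]]*}"}"
            line="${line%"${line##*[![:space:]]}"}"
            if [ -z "$line" ]; then
              continue
            fi
            case "$line" in
              # A leading "!" marks an exclusion; anything else is included.
              !*) printf '%s\n' "- ${line#!}" >> "$INCLUDE_FILE" ;;
              *) printf '%s\n' "+ $line" >> "$INCLUDE_FILE" ;;
            esac
          done < "$KEEP_FILE"

          echo "- *" >> "$INCLUDE_FILE"  # exclude everything else

          echo "== Rsync include rules =="
          cat "$INCLUDE_FILE"

          # NOTE(review): --delete does not remove destination files that match
          # an exclude rule (that needs --delete-excluded), so a path dropped
          # from the keep list appears to stay in the public mirror until it
          # is removed there by hand. Confirm this is intended.
          rsync -av --delete --prune-empty-dirs \
            --exclude '.git/' \
            --include-from="$INCLUDE_FILE" \
            ./ /tmp/public/

          cd /tmp/public
          git config user.name "Gitea CI"
          git config user.email "ci@bausager.org"
          git add -A
          # Only commit and push when the sync actually changed the mirror.
          if git diff --cached --quiet; then
            echo "No public-eligible changes to push."
          else
            git commit -m "Sync public subset from Flux (private)"
            git push origin HEAD:main
          fi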