name: Sync public mirror
on:
  push:
    branches: [ main ]   # change if your default branch is different

jobs:
  sync:
    runs-on: ubuntu-latest
    container: alpine:3.20   # small & fast container; reduces system load

    steps:
      - name: Install tools (bash, rsync, git, openssh)
        run: |
          apk add --no-cache bash rsync git openssh-client

      - name: Checkout private repo
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Prepare SSH
        env:
          SSH_KEY: ${{ secrets.PUBLIC_REPO_SSH_KEY }}
        run: |
          set -euo pipefail
          mkdir -p ~/.ssh
          echo "$SSH_KEY" > ~/.ssh/id_sync
          chmod 600 ~/.ssh/id_sync
          printf 'Host 192.168.1.15\n  HostName 192.168.1.15\n  Port 22\n  User git\n  IdentityFile ~/.ssh/id_sync\n  IdentitiesOnly yes\n' >> ~/.ssh/config
          ssh-keyscan -p 22 192.168.1.15 >> ~/.ssh/known_hosts

      - name: Clone public repo
        run: |
          git clone --depth 1 ssh://git@192.168.1.15:22/Bausager/Flux-oss.git /tmp/public

      - name: Sync files (snapshot, safe)
        run: |
          # Copy into public working tree and delete removed files
          rsync -a --delete \
            --exclude '.git' \
            --exclude '.gitea' \
            ./ /tmp/public/

          cd /tmp/public
          git config user.name  "Gitea CI"
          git config user.email "ci@bausager.org"

          if ! git diff --quiet; then
            git add -A
            git commit -m "Sync from Flux (private)"
            git push origin HEAD:main
          else
            echo "No changes to push."
          fi