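# Deploys the Vault stack with `docker stack deploy` on every push to prod-env,
# runs vault-bootstrap.sh, then fails the job unless `vault status` reports
# Sealed = false.
name: Deploy Vault Stack to Production

on:
  push:
    branches:
      - prod-env

# Least privilege for GITHUB_TOKEN: the only token use visible in this
# workflow is the repository read done by actions/checkout.
permissions:
  contents: read

# One production deploy at a time; a running deploy is never cancelled by a
# newer push, the newer run waits instead.
concurrency:
  group: vault-prod-deploy
  cancel-in-progress: false

jobs:
  deploy:
    # NOTE(review): prod-runner looks like a self-hosted runner label. If so,
    # workspace and Docker state persist between jobs on that host. Confirm.
    runs-on: prod-runner
    steps:
      # v4 is a mutable tag. Pinning to the full commit SHA of the release
      # keeps a retagged action from running on the production runner.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Keep the job token out of .git/config, where the scripts run by
          # later steps could read it.
          persist-credentials: false

      # Best effort: `|| true` hides every failure of this command, including
      # a missing iklimco-net. Presumably it is meant to tolerate a runner
      # that is already attached. The health check below needs this network.
      - name: Connect Runner to Overlay Network
        run: docker network connect iklimco-net "$(hostname)" || true

      # --with-registry-auth sends the runner's registry credentials to the
      # swarm agents so they can pull the images named in the stack file.
      - name: Deploy Vault Stack
        run: |
          docker stack deploy \
            --with-registry-auth \
            -c docker-stack-vault.yml \
            iklimco

      # SKIP_DEPLOY is passed as the string "true"; how vault-bootstrap.sh
      # uses it is not visible in this file.
      # NOTE(review): if the script initialises or unseals Vault, make sure it
      # never echoes unseal keys or tokens into the job log. Confirm against
      # the script.
      - name: Run Bootstrap
        env:
          SKIP_DEPLOY: "true"
        run: bash vault-bootstrap.sh

      # NOTE(review): VAULT_SKIP_VERIFY=true disables TLS certificate
      # verification, so the Sealed value is read from an endpoint whose
      # identity is not checked. Prefer making the cluster CA available to the
      # container and setting VAULT_CACERT instead.
      # stderr is discarded; when `vault status` prints no Sealed line, SEALED
      # is empty and the job takes the error branch as well.
      - name: Verify Vault Cluster Health
        run: |
          SEALED=$(docker run --rm --network iklimco-net hashicorp/vault:2.0.1 \
            sh -c "VAULT_ADDR=https://vault.iklim.co:8200 VAULT_SKIP_VERIFY=true vault status 2>/dev/null" \
            | awk '/^Sealed/{print $2}' || echo "true")
          if [ "$SEALED" = "false" ]; then
            echo "Vault cluster is unsealed and healthy"
          else
            echo "ERROR: Vault cluster is sealed or unreachable"
            exit 1
          fi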