name: Generate Docs

on:
  workflow_dispatch:
  schedule:
    - cron: "0 */6 * * *"

jobs:
  generate:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install docker CLI
        run: |
          apt-get update
          apt-get install -y docker.io docker-compose

      - name: Generate docs
        run: |
          scripts/docs/generate-all.sh

      - name: Validate generated docs
        run: |
          set -e

          test -s docs/generated/docker-compose.resolved.yml
          test -s docs/generated/host-topology.md
          test -s docs/public/physical-topology.svg
          test -s docs/public/docker-traefik-dynu.svg

          ! grep -R "Host inventory JSON not found" docs/public docs/diagrams
          ! grep -R "Generate terraform inventory" docs/public docs/diagrams

          # Ensure no obvious secrets leaked
          ! grep -R -E -i "password|token|api[_-]?key|secret" docs/public \
            || (echo "Secret-like string detected"; exit 1)

      - name: Commit changes
        run: |
          git config user.name "docs-bot"
          git config user.email "docs-bot@local"

          git add docs/generated docs/diagrams docs/public data/terraform/proxmox-inventory.json || true

          if git diff --cached --quiet; then
            echo "No changes to commit"
            exit 0
          fi

          git commit -m "docs: regenerate documentation artifacts"

      - name: Push to Gitea
        run: |
          git push origin HEAD:main

      - name: Push to GitHub mirror
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_PUSH_TOKEN }}
          GITHUB_MIRROR_REPO: ${{ vars.GITHUB_MIRROR_REPO }}
        run: |
          test -n "$GITHUB_TOKEN"
          test -n "$GITHUB_MIRROR_REPO"
          git remote add github "https://$GITHUB_TOKEN@github.com/$GITHUB_MIRROR_REPO.git" || true
          git push github HEAD:main