name: Obfuscate Main Build

on:
  push:
    branches:
      - main
  workflow_dispatch:

env:
  GITEA_HOST: git.hexahost.dev
  REPO_PATH: smueller/HexaHost-Frontend

jobs:
  obfuscate:
    # Kein erneuter Lauf nach dem Bot-Commit
    if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Gitea liefert intern oft eine IP; Zertifikat gilt für git.hexahost.dev
          repository-url: https://git.hexahost.dev/smueller/HexaHost-Frontend

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      - name: Run release obfuscation
        run: python scripts/obfuscate_release.py --root . --hash-assets

      - name: Commit obfuscated build
        env:
          GITEA_TOKEN: ${{ github.token }}
        run: |
          git config user.name "gitea-actions"
          git config user.email "actions@local"
          git remote set-url origin "https://oauth2:${GITEA_TOKEN}@${GITEA_HOST}/${REPO_PATH}.git"
          git add -A
          if git diff --cached --quiet; then
            echo "No build changes to commit."
            exit 0
          fi
          git commit -m "chore(release): obfuscate and hash production assets [skip ci]"
          git push origin HEAD:main