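# Manually triggered workflow that fast-forwards a destination branch (default
# `main`) to a source branch (default `canary`). The push is made with a GitHub
# App installation token, not GITHUB_TOKEN.
#
# Security: `inputs.src` / `inputs.dst` are free-form strings typed by whoever
# dispatches the workflow. They are handed to the shell only through `env:`
# and are validated as branch names before use. Writing `${{ inputs.* }}`
# directly inside a `run:` script would paste the raw text into the script
# before the shell parses it, in a job that holds a push-capable token.
name: promote canary -> main

on:
  workflow_dispatch:
    inputs:
      dry_run:
        type: boolean
        default: false
        description: "Show what would change, but don't push"
      src:
        type: string
        default: canary
        description: 'Source branch'
      dst:
        type: string
        default: main
        description: 'Destination branch'

# One promotion per destination branch at a time; a queued run waits instead of
# cancelling the one in progress.
concurrency:
  group: promote-${{ inputs.dst }}
  cancel-in-progress: false

# GITHUB_TOKEN stays read-only; write access comes solely from the App token.
permissions:
  contents: read

jobs:
  promote:
    runs-on: blacksmith-2vcpu-ubuntu-2404
    timeout-minutes: 10
    steps:
      # NOTE(review): both actions below are referenced by mutable tags. This
      # job handles an App private key and a push-capable token, so consider
      # pinning each `uses:` to a full commit SHA.
      - name: Create GitHub App token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.PROMOTE_APP_ID }}
          private-key: ${{ secrets.PROMOTE_APP_PRIVATE_KEY }}

      # Full history (fetch-depth: 0) is needed for the ancestry check below.
      # checkout keeps the supplied token in the local git configuration by
      # default, which is what lets the later `git push` authenticate; it also
      # means every later step in this job can use that token.
      - name: Checkout source
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.src }}
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}

      - name: Verify ff-only + summarize
        id: verify
        env:
          # Untrusted dispatch inputs reach the script as data, never as code.
          SRC: ${{ inputs.src }}
          DST: ${{ inputs.dst }}
        run: |
          set -euo pipefail

          src="${SRC}"
          dst="${DST}"

          # Reject anything that is not a plain branch name. A leading '-'
          # would be read by git as an option; check-ref-format rejects
          # control characters, spaces, '..' and similar. The offending value
          # is deliberately not echoed back into the log.
          for ref in "${src}" "${dst}"; do
            case "${ref}" in
              -*)
                echo "::error::Branch names must not start with '-'."
                exit 1
                ;;
            esac
            if ! git check-ref-format "refs/heads/${ref}"; then
              echo "::error::Input is not a valid branch name."
              exit 1
            fi
          done

          git fetch origin "${dst}" "${src}" --prune

          # Ensure HEAD is exactly origin/src
          git reset --hard "origin/${src}"

          # FF-only requirement: dst must be an ancestor of src
          if ! git merge-base --is-ancestor "origin/${dst}" "origin/${src}"; then
            echo "::error::Cannot fast-forward: origin/${dst} is not an ancestor of origin/${src} (branches diverged)."
            exit 1
          fi

          # Number of commits on src that dst does not have yet; later steps
          # read it as steps.verify.outputs.ahead.
          ahead="$(git rev-list --count "origin/${dst}..origin/${src}")"
          echo "ahead=$ahead" >> "$GITHUB_OUTPUT"

          {
            echo "## Promote \`${src}\` → \`${dst}\` (ff-only)"
            echo ""
            echo "- \`${dst}\`: \`$(git rev-parse "origin/${dst}")\`"
            echo "- \`${src}\`: \`$(git rev-parse "origin/${src}")\`"
            echo "- Commits to promote: **${ahead}**"
            echo ""
            echo "### Commits"
            if [ "$ahead" -eq 0 ]; then
              echo "_Nothing to promote._"
            else
              git log --oneline --decorate "origin/${dst}..origin/${src}"
            fi
          } >> "$GITHUB_STEP_SUMMARY"

      # Runs only after the verify step succeeded, so DST has already passed
      # branch-name validation there. The push is not forced, so the remote
      # still refuses it if dst moved after the ancestry check.
      - name: Push fast-forward
        if: ${{ steps.verify.outputs.ahead != '0' && inputs.dry_run != true }}
        env:
          DST: ${{ inputs.dst }}
        run: |
          set -euo pipefail
          # Push src HEAD to dst (no merge commit, same SHAs)
          git push origin "HEAD:refs/heads/${DST}"

      - name: Dry run / no-op
        if: ${{ steps.verify.outputs.ahead == '0' || inputs.dry_run == true }}
        env:
          DRY_RUN: ${{ inputs.dry_run }}
          AHEAD: ${{ steps.verify.outputs.ahead }}
        run: |
          echo "No push performed (dry_run=${DRY_RUN}, ahead=${AHEAD})."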