name: Mark stable commit

on:
  workflow_run:
    workflows:
      - Test Units
      - Test Code Integration
      - Test OS Containers
      - Test End-To-End
      - Test Virgin User
      - Test Virgin Root
    types:
      - completed

jobs:
  mark-stable:
    # Only run if the triggering workflow succeeded AND it ran on main
    if: >
      github.event.workflow_run.conclusion == 'success' &&
      github.event.workflow_run.head_branch == 'main'
    runs-on: ubuntu-latest

    permissions:
      contents: write   # required to push tags
      actions: read     # required to query workflow runs via API

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # needed for tag operations

      - name: Install jq and gh (if needed)
        run: |
          sudo apt-get update -y
          sudo apt-get install -y jq gh || true

      - name: Check all required workflow results for this commit
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SHA: ${{ github.event.workflow_run.head_sha }}
          REPO: ${{ github.event.workflow_run.repository.full_name }}
        run: |
          set -euo pipefail

          echo "Checking workflow results for commit: $SHA"
          echo "Repository: $REPO"

          required_workflows=(
            "Test Units"
            "Test Code Integration"
            "Test OS Containers"
            "Test End-To-End"
            "Test Virgin User"
            "Test Virgin Root"
          )

          echo "Fetching workflow runs via GitHub API…"

          # FIXED: correct absolute API path
          json=$(gh api \
            /repos/"$REPO"/actions/runs \
            -F head_sha="$SHA" \
            -F per_page=100)

          for wf in "${required_workflows[@]}"; do
            conclusion=$(printf '%s\n' "$json" | jq -r --arg name "$wf" '
              .workflow_runs[]
              | select(.name == $name)
              | .conclusion
            ' | head -n1)

            if [[ -z "$conclusion" || "$conclusion" == "null" ]]; then
              echo "❌ Workflow '$wf' has no run for this commit yet. Not tagging."
              exit 0
            fi

            if [[ "$conclusion" != "success" ]]; then
              echo "❌ Workflow '$wf' did not succeed (status: $conclusion). Not tagging."
              exit 0
            fi

            echo "✔ Workflow '$wf' succeeded."
          done

          echo "🎉 All required workflows succeeded for commit $SHA — marking as stable."

      - name: Move 'stable' tag to this commit
        env:
          SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          set -euo pipefail

          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

          echo "Updating 'stable' tag → commit $SHA"

          # remove old tag locally
          if git rev-parse stable >/dev/null 2>&1; then
            git tag -d stable || true
          fi

          # delete remote tag if exists
          git push origin :refs/tags/stable || true

          # create new tag
          git tag stable "$SHA"
          git push origin stable

          echo "✅ Stable tag updated successfully."