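name: release-verify

# Workflow C: run after Jenkins has finished building (operator triggers manually).
# Smoke-checks that http://flights-ui.devwebzavod.ru is alive and that its /api
# wiring responds — the e2e suite is intentionally NOT run here (parity gaps
# against the customer build are tracked separately).

on:
  workflow_dispatch:

jobs:
  verify:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # Job-level env so the `if:` conditions on the notify steps can test
    # whether the Telegram token is configured.
    env:
      TELEGRAM_BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
      TELEGRAM_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Notify start
        if: ${{ env.TELEGRAM_BOT_TOKEN != '' }}
        run: scripts/ci/notify-telegram.sh start release-verify

      - name: Add hosts entry for customer URL
        # `flights-ui.devwebzavod.ru` has no public DNS — operator hosts
        # resolve it via local /etc/hosts to 46.235.186.67 (the customer's
        # web ingress IP). Mirror that override on the runner so curl can
        # reach the host. Without this, every probe fails with
        # `Could not resolve host`.
        run: echo "46.235.186.67 flights-ui.devwebzavod.ru" | sudo tee -a /etc/hosts

      - name: Set up gost proxy with TIM VPN routing
        # The customer URL (flights-ui.devwebzavod.ru) is only accessible
        # through the TIM VPN tunnel via webzavod (Ubuntu jump host).
        # Set up gost with conditional routing: TIM domains → SSH SOCKS to webzavod.
        env:
          SSH_PRIVATE_KEY: ${{ secrets.WEBZAVOD_SSH_KEY }}
        run: |
          # Without pipefail a failed download or a failed base64 decode is
          # hidden behind the exit status of the last command in the pipe.
          set -o pipefail

          # Install gost if not present
          # NOTE(review): the release tarball is piped straight into tar and
          # the binary is then installed with sudo, with no integrity check.
          # Download to a file and compare its SHA-256 against a pinned value
          # (placeholder: <EXPECTED_SHA256>) before extracting.
          if ! command -v gost &> /dev/null; then
            echo "Installing gost..."
            curl -fsSL https://github.com/ginuerzh/gost/releases/download/v2.12.0/gost-linux-amd64-v2.12.0.tar.gz | tar -xz -C /tmp
            sudo mv /tmp/gost-linux-amd64-v2.12.0/gost /usr/local/bin/
            sudo chmod +x /usr/local/bin/gost
          fi
          echo "gost version: $(gost -V)"

          # Set up SSH SOCKS tunnel to webzavod (TIM jump host)
          # Use the SSH private key from secrets
          # The trap removes the key file when this script exits, on success
          # or failure; `ssh -f` has authenticated and forked by then, so the
          # tunnel no longer needs the file.
          trap 'rm -f /tmp/webzavod_key' EXIT
          # Create the file under a restrictive umask so the key is never
          # readable by other users, not even before the chmod below.
          ( umask 077; echo "$SSH_PRIVATE_KEY" | base64 -d > /tmp/webzavod_key )
          chmod 600 /tmp/webzavod_key
          # NOTE(review): StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null
          # disables host-key verification, so the runner cannot tell the jump
          # host from an impostor on the path. Pin the host key instead: store
          # the host's known_hosts line in a secret (placeholder:
          # <KNOWN_HOSTS_SECRET>), write it to a file, and pass
          # StrictHostKeyChecking=yes with UserKnownHostsFile set to that file.
          ssh -Nf -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
            -i /tmp/webzavod_key \
            -D 127.0.0.1:1180 gnezim@192.168.88.58
          echo "SSH SOCKS tunnel established on port 1180"

          # Copy gost config from repo
          cp .gitea/workflows/gost.yaml /tmp/gost.yaml
          echo "gost config copied to /tmp/gost.yaml"

          # Start gost with the config
          # NOTE(review): `-L :8888` listens on every interface of the runner.
          # Binding the listener to loopback would keep the proxy (and the VPN
          # route behind it) private to this job — confirm nothing else
          # needs to reach it.
          gost -C /tmp/gost.yaml -L :8888 &
          GOST_PID=$!
          echo "gost started with PID $GOST_PID"

          # Wait for gost to be ready
          gost_ready=false
          for i in {1..30}; do
            if curl -s -x http://127.0.0.1:8888 http://127.0.0.1:8888 > /dev/null 2>&1; then
              echo "gost is ready"
              gost_ready=true
              break
            fi
            sleep 1
          done
          # The wait stays best-effort (the step continues either way), but a
          # timeout is now visible in the log instead of passing silently.
          if [ "$gost_ready" != true ]; then
            echo "WARNING: gost did not answer on 127.0.0.1:8888 within 30s; continuing" >&2
          fi

          # Export proxy environment variables
          # NOTE(review): ALL_PROXY points at port 1081, while the SSH SOCKS
          # listener above is on 1180 — presumably 1081 is a listener defined
          # in gost.yaml; confirm. curl reads only the lowercase `http_proxy`
          # for http:// URLs, so the curl probes in later steps likely go
          # through ALL_PROXY rather than HTTP_PROXY — confirm that is intended.
          echo "HTTP_PROXY=http://127.0.0.1:8888" >> "$GITHUB_ENV"
          echo "ALL_PROXY=socks5h://127.0.0.1:1081" >> "$GITHUB_ENV"
          echo "API_BASE_URL=https://flights.test.aeroflot.ru/api" >> "$GITHUB_ENV"
          echo "Exported HTTP_PROXY, ALL_PROXY, and API_BASE_URL"

      - name: Wait for customer URL
        id: wait_customer
        run: scripts/ci/wait-for-url.sh http://flights-ui.devwebzavod.ru/ru-ru/onlineboard 60 5

      - name: Diagnose customer URL reachability
        id: customer_diag
        # Mirrors ci-deploy's tunnel-reachability probe but against the
        # customer URL — proves /api wiring is intact post-Jenkins. The
        # upstream WAF blocks the default curl UA, so every probe needs a
        # browser-like User-Agent.
        # NOTE(review): every probe below ends in `|| true`, `head` or `echo`,
        # so this step cannot fail on a bad /api response; the output is
        # diagnostic only and the job result depends on the wait step above.
        run: |
          UA='Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120 Safari/537.36'
          echo "--- /api/health ---"
          curl -sSI -A "$UA" --max-time 10 http://flights-ui.devwebzavod.ru/api/health | head -10 || true
          echo "--- /api/dictionary/1/world_regions (expect JSON, ~5KB) ---"
          curl -sS -A "$UA" --max-time 10 \
            -w "\n[size=%{size_download} time=%{time_total}s code=%{http_code}]\n" \
            http://flights-ui.devwebzavod.ru/api/dictionary/1/world_regions | head -c 400; echo
          echo "--- second hit on the same dict (expect HIT if nginx caches) ---"
          curl -sSI -A "$UA" --max-time 10 \
            http://flights-ui.devwebzavod.ru/api/dictionary/1/world_regions | grep -iE "^HTTP|x-cache|x-envoy" || true
          echo "--- Full response from /ru-ru/onlineboard (for debugging 503) ---"
          curl -s -A "$UA" --max-time 10 http://flights-ui.devwebzavod.ru/ru-ru/onlineboard | head -30 || true

      - name: Notify (success)
        if: success() && env.TELEGRAM_BOT_TOKEN != ''
        run: scripts/ci/notify-telegram.sh ok release-verify "customer URL reachable + /api responsive"

      - name: Notify (failure)
        if: failure() && env.TELEGRAM_BOT_TOKEN != ''
        run: scripts/ci/notify-telegram.sh fail release-verify "customer URL probe failed — see Gitea run"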