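# deploy-staging.yml
# Builds the backend image and the frontend SPA on every push to main (or on
# manual dispatch) and rolls both out to the staging resources named in `env`.
#
# NOTE(review): every third-party action below is referenced by a mutable tag
# (@v4, @v2, @v1). Pinning each `uses:` to a full commit SHA keeps a retagged
# or compromised release from running with this workflow's Azure credentials.
name: Deploy to Staging

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for the automatic GITHUB_TOKEN: the steps below only read
# the repository. Widen this per job only if a step demonstrably needs more.
permissions:
  contents: read

# Serialise staging deploys; a run that is already in progress is allowed to
# finish rather than being cancelled by a newer push.
concurrency:
  group: deploy-staging
  cancel-in-progress: false

env:
  AZURE_RESOURCE_GROUP: rg-lendq-staging
  ACR_NAME: lendqacr
  API_APP_NAME: lendq-api-staging
  WORKER_APP_NAME: lendq-worker-staging
  BEAT_APP_NAME: lendq-beat-staging
  MIGRATION_JOB_NAME: lendq-migrate-staging
  SWA_NAME: swa-lendq-staging
  IMAGE_NAME: lendq-api

jobs:
  # ──────────────────────────────────────────────────
  # Backend: build image, push to ACR, update Container
  # Apps, run migrations, verify health
  # ──────────────────────────────────────────────────
  # NOTE(review): worst-case polling in this job (60 x 10 s for migrations plus
  # 30 x 5 s for the health check) comes close to the 15-minute job timeout
  # once the image build is added.
  deploy-api:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step runs git, so do not leave the token in .git/config.
          persist-credentials: false

      # NOTE(review): `creds` is a long-lived service-principal secret stored
      # in the repository. azure/login also supports OIDC federation
      # (client-id / tenant-id / subscription-id with `id-token: write`), which
      # removes the stored secret; that needs a federated credential configured
      # on the Azure side, which this file cannot show.
      - name: Azure login
        uses: azure/login@v2
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Log in to ACR
        run: az acr login --name "$ACR_NAME"

      # The commit SHA is read from the runner-provided GITHUB_SHA variable
      # instead of being templated into the script text, so no expression is
      # expanded inside the shell source.
      # The SHA tag is what gets deployed; `latest` is pushed as a convenience
      # tag and is mutable, so nothing below should resolve it.
      - name: Build and push backend image
        run: |
          IMAGE_TAG="$GITHUB_SHA"
          ACR_LOGIN_SERVER=$(az acr show --name "$ACR_NAME" --query loginServer -o tsv)
          docker build -t "$ACR_LOGIN_SERVER/$IMAGE_NAME:$IMAGE_TAG" \
            -t "$ACR_LOGIN_SERVER/$IMAGE_NAME:latest" \
            backend/
          docker push "$ACR_LOGIN_SERVER/$IMAGE_NAME:$IMAGE_TAG"
          docker push "$ACR_LOGIN_SERVER/$IMAGE_NAME:latest"
          echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
          echo "ACR_LOGIN_SERVER=$ACR_LOGIN_SERVER" >> "$GITHUB_ENV"

      # All three apps (API, worker, beat) are moved to the same SHA-tagged
      # image built above.
      - name: Update container app images
        run: |
          FULL_IMAGE="$ACR_LOGIN_SERVER/$IMAGE_NAME:$IMAGE_TAG"
          echo "Updating apps to image: $FULL_IMAGE"
          az containerapp update \
            --name "$API_APP_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP" \
            --image "$FULL_IMAGE"
          az containerapp update \
            --name "$WORKER_APP_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP" \
            --image "$FULL_IMAGE"
          az containerapp update \
            --name "$BEAT_APP_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP" \
            --image "$FULL_IMAGE"

      # NOTE(review): migrations run after the apps already serve the new
      # image, and `continue-on-error: true` lets the workflow finish green
      # when the migration fails or times out. Confirm that this is intended;
      # otherwise new code can run against an un-migrated schema unnoticed.
      # NOTE(review): the loop reads `[0]` of the execution list and assumes
      # that entry is the execution just started. If the list can still show an
      # older execution first, a stale "Succeeded" would end the wait early.
      # Verify the ordering, or poll the execution returned by `job start`.
      - name: Run database migrations
        continue-on-error: true
        run: |
          az containerapp job start \
            --name "$MIGRATION_JOB_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP"
          # Wait for migration job to complete (image already cached from update)
          for i in $(seq 1 60); do
            STATUS=$(az containerapp job execution list \
              --name "$MIGRATION_JOB_NAME" \
              --resource-group "$AZURE_RESOURCE_GROUP" \
              --query "[0].properties.status" -o tsv)
            echo "Migration status: $STATUS (attempt $i/60)"
            if [ "$STATUS" = "Succeeded" ]; then
              echo "Migration completed successfully"
              exit 0
            elif [ "$STATUS" = "Failed" ]; then
              echo "Migration failed — fetching logs"
              EXECUTION=$(az containerapp job execution list \
                --name "$MIGRATION_JOB_NAME" \
                --resource-group "$AZURE_RESOURCE_GROUP" \
                --query "[0].name" -o tsv)
              az containerapp job execution show \
                --name "$MIGRATION_JOB_NAME" \
                --resource-group "$AZURE_RESOURCE_GROUP" \
                --job-execution-name "$EXECUTION" 2>&1 || true
              exit 1
            fi
            sleep 10
          done
          echo "Migration timed out"
          exit 1

      # Polls the readiness endpoint over HTTPS for up to 30 x 5 s and fails
      # the job if it never answers with a success status.
      - name: Verify API health
        run: |
          API_FQDN=$(az containerapp show \
            --name "$API_APP_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP" \
            --query "properties.configuration.ingress.fqdn" -o tsv)
          echo "Waiting for API at https://$API_FQDN ..."
          for i in $(seq 1 30); do
            if curl -fsS "https://$API_FQDN/api/v1/health/ready" > /dev/null 2>&1; then
              echo "API is healthy"
              exit 0
            fi
            sleep 5
          done
          echo "API health check timed out"
          exit 1

      # NOTE(review): this update runs after the health check, so the app
      # configuration changes once more after it was verified, and both
      # `|| true` and `continue-on-error` hide a failure here. Keep
      # SEED_ON_STARTUP=demo confined to staging; it must never reach a
      # production app.
      - name: Ensure seed env var on staging API
        continue-on-error: true
        run: |
          az containerapp update \
            --name "$API_APP_NAME" \
            --resource-group "$AZURE_RESOURCE_GROUP" \
            --set-env-vars "SEED_ON_STARTUP=demo" 2>&1 || true

  # ──────────────────────────────────────────────────
  # Frontend: build SPA and deploy to Static Web App
  # ──────────────────────────────────────────────────
  # Runs independently of deploy-api (no `needs:`), so the SPA can go live
  # before or after the backend rollout finishes.
  deploy-frontend:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step runs git, so do not leave the token in .git/config.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      # `npm ci` installs exactly what package-lock.json records.
      - name: Install dependencies
        run: npm ci
        working-directory: frontend

      # The API base URL is hard-coded here, whereas deploy-api resolves the
      # FQDN at run time; the two can drift if the container app is recreated.
      # VITE_-prefixed values end up in the public bundle, so nothing secret
      # belongs in this env block.
      - name: Build frontend
        run: npm run build
        working-directory: frontend
        env:
          VITE_API_BASE_URL: 'https://lendq-api-staging.wittyglacier-a7ff8abf.eastus2.azurecontainerapps.io/api/v1'

      # Uploads the prebuilt frontend/dist; both build phases of the action are
      # skipped, so only the artefact produced above is published.
      - name: Deploy to Azure Static Web App
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.SWA_DEPLOYMENT_TOKEN_STAGING }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          action: upload
          app_location: frontend/dist
          skip_app_build: true
          skip_api_build: true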