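---
# Evidence-locker workflow.
#
# Job 1 runs the offline Task Pack fixture check and records the requested
# retention target as an artefact. Job 2 packages the staged Zastava
# artefacts into a byte-reproducible tar, uploads it as a fallback artefact,
# and pushes it to the evidence locker when a token and URL are configured.
name: evidence-locker

on:
  workflow_dispatch:
    inputs:
      retention_target:
        description: "Retention days target"
        required: false
        default: "180"

# Least privilege: nothing in this workflow writes to the repository, and the
# locker push authenticates with its own bearer token rather than GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  check-evidence-locker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # NOTE(review): consider pinning actions to a full commit SHA instead of
        # the mutable `v4` tag, per supply-chain hardening guidance.
        uses: actions/checkout@v4

      - name: Task Pack offline bundle fixtures
        # The fixture check is a shell script (`.sh`); the original invoked it
        # with python3, which fails on the first non-Python line.
        run: bash scripts/packs/run-fixtures-check.sh

      - name: Emit retention summary
        env:
          # The dispatch input reaches the shell only through env, never by
          # template substitution inside `run`, so a crafted value cannot
          # inject shell syntax.
          RETENTION_TARGET: ${{ github.event.inputs.retention_target }}
        shell: bash
        run: |
          set -euo pipefail
          # The value is actor-controlled; accept only a non-negative integer so
          # the summary never carries arbitrary text to downstream consumers.
          if ! [[ "${RETENTION_TARGET}" =~ ^[0-9]+$ ]]; then
            echo "retention_target must be a non-negative integer, got '${RETENTION_TARGET}'" >&2
            exit 1
          fi
          # Checkout does not create out/; without this the redirect below fails.
          mkdir -p out/evidence-locker
          echo "target_retention_days=${RETENTION_TARGET}" > out/evidence-locker/summary.txt

      - name: Upload evidence locker summary
        uses: actions/upload-artifact@v4
        with:
          name: evidence-locker
          path: out/evidence-locker/**

  push-zastava-evidence:
    runs-on: ubuntu-latest
    needs: check-evidence-locker
    env:
      # NOTE(review): STAGED_DIR is not referenced by any step; the date is
      # hard-coded in the artefact name and locker path below. Confirm intent.
      STAGED_DIR: evidence-locker/zastava/2025-12-02
      MODULE_ROOT: docs/modules/zastava
      # The original compared env.EVIDENCE_LOCKER_URL without ever defining it,
      # so the push was unconditionally skipped. Source it from a repository
      # variable here; adjust if the URL is meant to come from elsewhere.
      EVIDENCE_LOCKER_URL: ${{ vars.EVIDENCE_LOCKER_URL }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Task Pack offline bundle fixtures
        # Shell script; see the note on the same step in the first job.
        run: bash scripts/packs/run-fixtures-check.sh

      - name: Package staged Zastava artefacts
        shell: bash
        run: |
          set -euo pipefail
          test -d "$MODULE_ROOT" || { echo "missing $MODULE_ROOT" >&2; exit 1; }
          tmpdir=$(mktemp -d)
          # The tar is written to /tmp, not $tmpdir, so the staging copy can be
          # removed on any exit path.
          trap 'rm -rf "$tmpdir"' EXIT
          # --relative keeps the docs/modules/zastava prefix under $tmpdir so the
          # SHA256SUMS relative paths still resolve.
          rsync -a --relative \
            "$MODULE_ROOT/SHA256SUMS" \
            "$MODULE_ROOT/schemas/" \
            "$MODULE_ROOT/exports/" \
            "$MODULE_ROOT/thresholds.yaml" \
            "$MODULE_ROOT/thresholds.yaml.dsse" \
            "$MODULE_ROOT/kit/verify.sh" \
            "$MODULE_ROOT/kit/README.md" \
            "$MODULE_ROOT/kit/ed25519.pub" \
            "$MODULE_ROOT/kit/zastava-kit.tzst" \
            "$MODULE_ROOT/kit/zastava-kit.tzst.dsse" \
            "$MODULE_ROOT/evidence/README.md" \
            "$tmpdir/"
          # Integrity check against SHA256SUMS from the same checkout. This
          # catches copy errors and stale listings, not tampering: the checksum
          # file itself is not signature-verified here. The .dsse envelopes and
          # kit/ed25519.pub are shipped for downstream verification (kit/verify.sh)
          # but are not validated by this job.
          (cd "$tmpdir/docs/modules/zastava" && sha256sum --check SHA256SUMS)
          # Fixed entry order, epoch mtime and numeric 0:0 ownership make the
          # archive byte-reproducible, so its digest is comparable across runs.
          tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
            -cf /tmp/zastava-evidence.tar -C "$tmpdir/docs/modules/zastava" .
          # Record the digest in both the log and the run's step summary so it
          # can be compared against what the locker later reports.
          sha256sum /tmp/zastava-evidence.tar | tee -a "$GITHUB_STEP_SUMMARY"

      - name: Upload staged artefacts (fallback)
        uses: actions/upload-artifact@v4
        with:
          name: zastava-evidence-locker-2025-12-02
          path: /tmp/zastava-evidence.tar

      - name: Check locker configuration
        id: locker
        env:
          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
        shell: bash
        run: |
          # The `secrets` context is not available in step-level `if:`
          # expressions, so the original `secrets.X != ''` condition could not
          # evaluate. Decide here and gate the following steps on a step output.
          if [ -n "${TOKEN}" ] && [ -n "${EVIDENCE_LOCKER_URL}" ]; then
            echo "enabled=true" >> "$GITHUB_OUTPUT"
          else
            echo "enabled=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Push to Evidence Locker
        if: steps.locker.outputs.enabled == 'true'
        env:
          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        shell: bash
        run: |
          set -euo pipefail
          # Never send the bearer token over plaintext.
          case "$URL" in
            https://*) ;;
            *) echo "EVIDENCE_LOCKER_URL must start with https://" >&2; exit 1 ;;
          esac
          # -f fails on HTTP errors so a rejected upload fails the job; -sS keeps
          # the log quiet but still prints errors; retries cover transient faults.
          curl -fsS --retry 3 --retry-connrefused -X PUT "$URL/zastava/2025-12-02/zastava-evidence.tar" \
            -H "Authorization: Bearer $TOKEN" \
            --data-binary @/tmp/zastava-evidence.tar

      - name: Skip push (missing secret or URL)
        if: steps.locker.outputs.enabled != 'true'
        run: |
          echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2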