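#!/usr/bin/env bash
# Package the Zastava evidence bundle (payloads + DSSE envelopes) into a
# deterministic tarball, verify the staged copy against SHA256SUMS, and
# upload the result to the evidence locker.
#
# Required environment:
#   EVIDENCE_LOCKER_URL       base URL of the locker (a trailing slash is tolerated)
#   CI_EVIDENCE_LOCKER_TOKEN  bearer token presented on the PUT
#
# Side effects: creates $STAGED_DIR, writes $TAR_OUT, prints its digest to stdout.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [[ -z "${EVIDENCE_LOCKER_URL:-}" || -z "${CI_EVIDENCE_LOCKER_TOKEN:-}" ]]; then
  die "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required"
fi

# Single definition of the release date; previously repeated in three places.
readonly EVIDENCE_DATE="2025-12-02"
readonly STAGED_DIR="evidence-locker/zastava/$EVIDENCE_DATE"
readonly TAR_OUT="/tmp/zastava-evidence.tar"
readonly MODULE_ROOT="docs/modules/zastava"
readonly TAR_NAME="${TAR_OUT##*/}"
# Strip one trailing slash so the path join below never produces "//".
readonly LOCKER_BASE="${EVIDENCE_LOCKER_URL%/}"
readonly UPLOAD_DIR_URL="$LOCKER_BASE/zastava/$EVIDENCE_DATE/"
readonly UPLOAD_URL="${UPLOAD_DIR_URL}${TAR_NAME}"

for tool in rsync sha256sum tar curl; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

[[ -d "$MODULE_ROOT" ]] || die "missing module root $MODULE_ROOT"
mkdir -p -- "$STAGED_DIR"

# mktemp -d creates a 0700 directory; every transient artifact (staging copy,
# unpublished tarball, auth header file) lives under it and is removed on exit.
tmpdir=$(mktemp -d) || die "mktemp failed"
cleanup() { rm -rf -- "$tmpdir"; }
trap cleanup EXIT

# Files that make up the bundle. --relative keeps the docs/modules/zastava
# prefix so SHA256SUMS resolves against the same layout it was generated from.
bundle_paths=(
  "$MODULE_ROOT/SHA256SUMS"
  "$MODULE_ROOT/schemas/"
  "$MODULE_ROOT/exports/"
  "$MODULE_ROOT/thresholds.yaml"
  "$MODULE_ROOT/thresholds.yaml.dsse"
  "$MODULE_ROOT/kit/verify.sh"
  "$MODULE_ROOT/kit/README.md"
  "$MODULE_ROOT/kit/ed25519.pub"
  "$MODULE_ROOT/kit/zastava-kit.tzst"
  "$MODULE_ROOT/kit/zastava-kit.tzst.dsse"
  "$MODULE_ROOT/evidence/README.md"
)
rsync -a --relative "${bundle_paths[@]}" "$tmpdir/"

staged_tar="$tmpdir/$TAR_NAME"
(
  cd "$tmpdir/$MODULE_ROOT" || exit 1
  # Fail closed if any staged payload differs from its recorded digest.
  sha256sum --check SHA256SUMS
  # Build deterministic tarball for reproducibility (payloads + DSSE).
  # The archive is written outside "." so it can never include itself.
  tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
    -cf "$staged_tar" .
)

# Publish by rename rather than writing straight into the shared /tmp path:
# on the same filesystem mv replaces whatever entry already exists at TAR_OUT
# (a stale file or a symlink) instead of writing through it.
mv -f -- "$staged_tar" "$TAR_OUT"
sha256sum -- "$TAR_OUT"

# Hand the bearer token to curl via a 0600 file inside the private tmpdir
# instead of argv, so it is not visible in `ps` output or in job logs that
# echo the command line.
auth_hdr="$tmpdir/auth.hdr"
( umask 077 && printf 'Authorization: Bearer %s\n' "$CI_EVIDENCE_LOCKER_TOKEN" > "$auth_hdr" )

curl --retry 3 --retry-delay 2 --fail \
  -H "@$auth_hdr" \
  -X PUT "$UPLOAD_URL" \
  --data-binary "@$TAR_OUT"
printf 'Uploaded %s to %s\n' "$TAR_OUT" "$UPLOAD_DIR_URL"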