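# .github/workflows/examples/example-verification-gate.yml
# Example: Verification gate before deployment
#
# This example shows how to:
# 1. Verify all required attestations exist
# 2. Validate identity constraints
# 3. Block deployment on verification failure
#
# Use this pattern for:
# - Production deployment gates
# - Promotion between environments
# - Audit compliance checkpoints
#
# Hardening notes for this example:
# - workflow_dispatch inputs are never interpolated with `${{ }}` inside a
#   `run:` script; they are passed through `env:` and read as shell variables,
#   so a crafted input cannot change the script text.
# - The image reference must be pinned by digest, so the artifact that is
#   verified is the same artifact that is deployed.
# - Unknown environments fail closed instead of falling back to the more
#   permissive staging identity pattern.
# - GITHUB_TOKEN is read-only at the workflow level; jobs opt in to extra
#   scopes explicitly.

name: Deployment Verification Gate

on:
  workflow_dispatch:
    inputs:
      image:
        description: 'Container image to deploy (with digest)'
        required: true
        type: string
      environment:
        description: 'Target environment'
        required: true
        type: choice
        options:
          - staging
          - production
      require-sbom:
        description: 'Require SBOM attestation'
        required: false
        default: true
        type: boolean
      require-verdict:
        description: 'Require passing policy verdict'
        required: false
        default: true
        type: boolean

# Least privilege for the default token; individual jobs widen this as needed.
permissions:
  contents: read

env:
  # Identity patterns for trusted signers.
  # NOTE(review): these are unanchored. If the verifying workflow treats them as
  # regular expressions, `refs/heads/main` also matches e.g. `refs/heads/main-x`;
  # confirm the matching semantics of stellaops-verify.yml and anchor with
  # `^...$` if they are regex-matched.
  TRUSTED_IDENTITY_STAGING: 'repo:${{ github.repository }}:ref:refs/heads/.*'
  TRUSTED_IDENTITY_PRODUCTION: 'repo:${{ github.repository }}:ref:refs/heads/main|repo:${{ github.repository }}:ref:refs/tags/v.*'
  TRUSTED_ISSUER: 'https://token.actions.githubusercontent.com'

jobs:
  # Selects the identity constraint for the target environment and validates
  # the image reference before any verification job runs.
  pre-flight:
    runs-on: ubuntu-latest
    outputs:
      identity-pattern: ${{ steps.config.outputs.identity-pattern }}
    steps:
      - name: Validate Image Reference
        # Inputs are passed via env, not interpolated into the script body.
        env:
          IMAGE: ${{ github.event.inputs.image }}
        run: |
          set -euo pipefail
          # A tag-only reference is mutable: what was verified could differ
          # from what is deployed. Require an explicit sha256 digest.
          if [[ ! "$IMAGE" =~ @sha256:[0-9a-f]{64}$ ]]; then
            echo "::error::image must be pinned by digest (…@sha256:<64 hex chars>)"
            exit 1
          fi
          echo "Image reference is digest-pinned"

      - name: Configure Identity Constraints
        id: config
        env:
          TARGET_ENV: ${{ github.event.inputs.environment }}
        run: |
          set -euo pipefail
          # Fail closed: an environment this script does not know about must
          # not silently inherit the (broader) staging constraint.
          case "$TARGET_ENV" in
            production)
              PATTERN="$TRUSTED_IDENTITY_PRODUCTION"
              echo "Using production identity constraints"
              ;;
            staging)
              PATTERN="$TRUSTED_IDENTITY_STAGING"
              echo "Using staging identity constraints"
              ;;
            *)
              echo "::error::Unknown target environment; no identity constraint configured"
              exit 1
              ;;
          esac
          echo "identity-pattern=${PATTERN}" >> "$GITHUB_OUTPUT"

  # Signature / attestation verification, delegated to the reusable workflow.
  verify-signature:
    needs: pre-flight
    uses: ./.github/workflows/examples/stellaops-verify.yml
    with:
      artifact-digest: ${{ github.event.inputs.image }}
      certificate-identity: ${{ needs.pre-flight.outputs.identity-pattern }}
      # The `env` context is not available in a reusable-workflow `with:` block,
      # so the issuer is repeated here; keep it in sync with TRUSTED_ISSUER.
      certificate-oidc-issuer: 'https://token.actions.githubusercontent.com'
      require-rekor: true
      require-sbom: ${{ github.event.inputs.require-sbom == 'true' }}
      require-verdict: ${{ github.event.inputs.require-verdict == 'true' }}
      strict: true
    permissions:
      contents: read
      packages: read

  # Build provenance verification: the image must have been built from this
  # repository. Any non-"true" result (or a CLI failure under `set -e`) fails
  # the job, and with it the gate.
  verify-provenance:
    needs: pre-flight
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: read
    outputs:
      provenance-valid: ${{ steps.verify.outputs.valid }}
    steps:
      - name: Install StellaOps CLI
        # NOTE(review): pin third-party actions to a full commit SHA rather than
        # a mutable tag for supply-chain integrity.
        uses: stella-ops/setup-cli@v1

      - name: Verify Build Provenance
        id: verify
        env:
          STELLAOPS_URL: 'https://api.stella-ops.org'
          IMAGE: ${{ github.event.inputs.image }}
        run: |
          set -euo pipefail
          echo "::group::Verifying build provenance"
          # GITHUB_REPOSITORY is a runner-provided default variable.
          RESULT=$(stella provenance verify \
            --artifact "${IMAGE}" \
            --require-source-repo "${GITHUB_REPOSITORY}" \
            --output json)
          echo "$RESULT" | jq .
          echo "::endgroup::"
          VALID=$(echo "$RESULT" | jq -r '.valid')
          echo "valid=${VALID}" >> "$GITHUB_OUTPUT"
          if [[ "$VALID" != "true" ]]; then
            echo "::error::Provenance verification failed"
            exit 1
          fi

  # Records the gate decision. Runs only after both verifications succeeded.
  audit-log:
    needs: [verify-signature, verify-provenance]
    runs-on: ubuntu-latest
    steps:
      - name: Install StellaOps CLI
        uses: stella-ops/setup-cli@v1

      - name: Create Audit Entry
        env:
          STELLAOPS_URL: 'https://api.stella-ops.org'
          IMAGE: ${{ github.event.inputs.image }}
          TARGET_ENV: ${{ github.event.inputs.environment }}
          # NOTE(review): attestation-count is expected to be an output of
          # stellaops-verify.yml; confirm the name against that workflow.
          ATTESTATION_COUNT: ${{ needs.verify-signature.outputs.attestation-count }}
          ACTOR: ${{ github.actor }}
          WORKFLOW_NAME: ${{ github.workflow }}
        run: |
          set -euo pipefail
          stella audit log \
            --event "deployment-gate" \
            --artifact "${IMAGE}" \
            --environment "${TARGET_ENV}" \
            --verified true \
            --attestations "${ATTESTATION_COUNT}" \
            --actor "${ACTOR}" \
            --workflow "${WORKFLOW_NAME}" \
            --run-id "${GITHUB_RUN_ID}"

  # Deployment is reachable only when every gate job succeeded; the
  # `environment:` binding additionally applies any protection rules
  # configured for the target environment.
  deploy:
    needs: [verify-signature, verify-provenance, audit-log]
    runs-on: ubuntu-latest
    environment: ${{ github.event.inputs.environment }}
    env:
      IMAGE: ${{ github.event.inputs.image }}
      TARGET_ENV: ${{ github.event.inputs.environment }}
    steps:
      - name: Deployment Approved
        run: |
          echo "All verifications passed"
          echo "Image: ${IMAGE}"
          echo "Environment: ${TARGET_ENV}"
          echo ""
          echo "Proceeding with deployment..."

      # Add your deployment steps here (reference $IMAGE, not the raw input)
      # - name: Deploy to Kubernetes
      #   run: kubectl set image deployment/app app="${IMAGE}"

      - name: Summary
        env:
          SIGNATURE_VERIFIED: ${{ needs.verify-signature.outputs.verified }}
          PROVENANCE_VERIFIED: ${{ needs.verify-provenance.outputs.provenance-valid }}
          ATTESTATION_COUNT: ${{ needs.verify-signature.outputs.attestation-count }}
          ACTOR: ${{ github.actor }}
        run: |
          # Unquoted heredoc: shell variables expand, but their contents are
          # not re-parsed as shell. Backticks are escaped so they reach Markdown.
          cat >> "$GITHUB_STEP_SUMMARY" << EOF
          ## Deployment Completed

          | Field | Value |
          |-------|-------|
          | **Image** | \`${IMAGE}\` |
          | **Environment** | \`${TARGET_ENV}\` |
          | **Signature Verified** | ${SIGNATURE_VERIFIED} |
          | **Provenance Verified** | ${PROVENANCE_VERIFIED} |
          | **Attestations** | ${ATTESTATION_COUNT} |
          | **Deployed By** | @${ACTOR} |
          | **Workflow Run** | [#${GITHUB_RUN_ID}](${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}) |
          EOF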