name: evidence-locker
on:
  workflow_dispatch:
    inputs:
      retention_target:
        description: "Retention days target"
        required: false
        default: "180"

jobs:
  check-evidence-locker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Emit retention summary
        env:
          RETENTION_TARGET: ${{ github.event.inputs.retention_target }}
        run: |
          echo "target_retention_days=${RETENTION_TARGET}" > out/evidence-locker/summary.txt

      - name: Upload evidence locker summary
        uses: actions/upload-artifact@v4
        with:
          name: evidence-locker
          path: out/evidence-locker/**

  push-zastava-evidence:
    runs-on: ubuntu-latest
    needs: check-evidence-locker
    env:
      STAGED_DIR: evidence-locker/zastava/2025-12-02
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Package staged Zastava artefacts
        run: |
          test -d "$STAGED_DIR" || { echo "missing $STAGED_DIR" >&2; exit 1; }
          tar -cf /tmp/zastava-evidence.tar -C "$STAGED_DIR" .

      - name: Upload staged artefacts (fallback)
        uses: actions/upload-artifact@v4
        with:
          name: zastava-evidence-locker-2025-12-02
          path: /tmp/zastava-evidence.tar

      - name: Push to Evidence Locker
        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN != '' && env.EVIDENCE_LOCKER_URL != '' }}
        env:
          TOKEN: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN }}
          URL: ${{ env.EVIDENCE_LOCKER_URL }}
        run: |
          curl -f -X PUT "$URL/zastava/2025-12-02/zastava-evidence.tar" \
            -H "Authorization: Bearer $TOKEN" \
            --data-binary @/tmp/zastava-evidence.tar

      - name: Skip push (missing secret or URL)
        if: ${{ secrets.CI_EVIDENCE_LOCKER_TOKEN == '' || env.EVIDENCE_LOCKER_URL == '' }}
        run: |
          echo "Locker push skipped: set CI_EVIDENCE_LOCKER_TOKEN and EVIDENCE_LOCKER_URL to enable." >&2