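#!/usr/bin/env sh
# Guard against environment mix-ups in the Gitea deploy workflows.
#
# Staging workflows must reference STG_-prefixed vars/secrets and production
# workflows PROD_-prefixed ones; neither may reference the unprefixed names
# listed below, so a workflow cannot silently pick up another environment's
# endpoints or credentials through an un-namespaced reference.
#
# Run from the repository root. Exits 1 on the first violation (or on a
# workflow file that cannot be read), 0 when every check passes.
set -eu

# require_readable FILE
# Exit 1 with a diagnostic if FILE is not readable. The two checks below key
# off grep's exit status, and grep also returns non-zero for a missing or
# unreadable file, so without this guard a mistyped or renamed workflow path
# would make every fail_if_contains check pass vacuously.
require_readable() {
  if [ ! -r "$1" ]; then
    printf 'cannot read %s\n' "$1" >&2
    exit 1
  fi
}

# fail_if_contains FILE PATTERN
# Exit 1 if FILE contains the fixed string PATTERN (a forbidden reference).
fail_if_contains() {
  require_readable "$1"
  if grep -Fq -- "$2" "$1"; then
    printf 'forbidden pattern in %s: %s\n' "$1" "$2" >&2
    exit 1
  fi
}

# assert_contains FILE PATTERN
# Exit 1 unless FILE contains the fixed string PATTERN (a required reference).
assert_contains() {
  require_readable "$1"
  if ! grep -Fq -- "$2" "$1"; then
    printf 'missing pattern in %s: %s\n' "$1" "$2" >&2
    exit 1
  fi
}

# forbid_refs FILE KIND NAMES
# For each whitespace-separated NAME in NAMES, fail if FILE references
# "KIND.NAME" (KIND is "vars" or "secrets").
forbid_refs() {
  # shellcheck disable=SC2086 -- $3 is an intentionally word-split name list
  for _name in $3; do
    fail_if_contains "$1" "$2.$_name"
  done
}

# Workflow lists are whitespace-separated strings (POSIX sh has no arrays);
# paths must therefore not contain whitespace.
staging_workflows="
.gitea/workflows/staging_code_pull.yml
.gitea/workflows/staging_release.yml
.gitea/workflows/staging_image_deploy.yml
"
production_workflows="
.gitea/workflows/production_release.yml
.gitea/workflows/production_image_deploy.yml
"

# Unprefixed names that must not appear in staging workflows.
staging_forbidden_vars="
USERFRONT_URL ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL VITE_OIDC_AUTHORITY
BACKEND_URL BACKEND_LOG_LEVEL CLIENT_LOG_DEBUG PROFILE_CACHE_TTL CORS_ALLOWED_ORIGINS
WORKS_ADMIN_API_BASE_URL WORKS_ADMIN_OAUTH_TOKEN_URL NAVER_CLOUD_ACCESS_KEY
NAVER_CLOUD_SERVICE_ID NAVER_SENDER_PHONE_NUMBER AWS_REGION AWS_ACCESS_KEY_ID
AWS_SES_SENDER CLICKHOUSE_HOST CLICKHOUSE_USER DB_PORT DB_USER DB_NAME REDIS_ADDR
"
staging_forbidden_secrets="
AWS_SECRET_ACCESS_KEY NAVER_CLOUD_SECRET_KEY CLICKHOUSE_PASSWORD STAGE_SSH_PRIVATE_KEY
"

# Unprefixed names that must not appear in production workflows.
production_forbidden_vars="
ADMINFRONT_URL DEVFRONT_URL ORGFRONT_URL VITE_OIDC_AUTHORITY BACKEND_LOG_LEVEL
CLIENT_LOG_DEBUG PROFILE_CACHE_TTL CORS_ALLOWED_ORIGINS WORKS_ADMIN_API_BASE_URL
WORKS_ADMIN_OAUTH_TOKEN_URL NAVER_CLOUD_ACCESS_KEY NAVER_CLOUD_SERVICE_ID
NAVER_SENDER_PHONE_NUMBER AWS_REGION AWS_ACCESS_KEY_ID AWS_SES_SENDER
CLICKHOUSE_HOST CLICKHOUSE_USER ADMINFRONT_PORT DEVFRONT_PORT ORGFRONT_PORT
"
production_forbidden_secrets="
AWS_SECRET_ACCESS_KEY NAVER_CLOUD_SECRET_KEY CLICKHOUSE_PASSWORD
"

# NOTE(review): cross-environment references (e.g. vars.PROD_ inside a staging
# workflow, or vars.STG_ inside a production one) are not rejected here; add
# such checks if the workflows never legitimately share them.

# shellcheck disable=SC2086 -- intentional word-splitting of the path list
for workflow in $staging_workflows; do
  assert_contains "$workflow" "vars.STG_"
  assert_contains "$workflow" "secrets.STG_"
  # The legacy STAGE_ prefix must not be used alongside STG_.
  fail_if_contains "$workflow" "vars.STAGE_"
  fail_if_contains "$workflow" "secrets.STAGE_"
  forbid_refs "$workflow" vars "$staging_forbidden_vars"
  forbid_refs "$workflow" secrets "$staging_forbidden_secrets"
done

# shellcheck disable=SC2086 -- intentional word-splitting of the path list
for workflow in $production_workflows; do
  assert_contains "$workflow" "vars.PROD_"
  assert_contains "$workflow" "secrets.PROD_"
  forbid_refs "$workflow" vars "$production_forbidden_vars"
  forbid_refs "$workflow" secrets "$production_forbidden_secrets"
done

printf '%s\n' "deploy workflow env prefix checks passed"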