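---
# Tekton Task: set image.tag in a Helm values file and push the commit to the
# GitOps repository whose URL is derived from the application repository URL
# (the ".git" suffix becomes "-ops.git").
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: git-gitops-sync
  annotations:
    # NOTE(review): the tekton.dev/v1 API looks newer than Pipelines 0.19.0;
    # confirm the minimum version advertised here.
    tekton.dev/pipelines.minVersion: "0.19.0"
    tekton.dev/categories: GitOps
    tekton.dev/tags: git, helm, devops
    tekton.dev/displayName: "Update image tag in Helm values.yaml"
    tekton.dev/platforms: "linux/amd64"
spec:
  description: |
    Updates the image.tag field in a Helm values.yaml file and commits the
    change to the corresponding GitOps repository derived from the application
    source repo.
  params:
    - name: repositoryUrl
      type: string
      description: Source repository URL (used to derive GitOps repo)
    - name: branch
      type: string
      default: main
      description: Git branch to push to
    - name: imageUrl
      type: string
      description: 'Full image URL (e.g. registry/app:v0.2.0)'
    - name: valuesPath
      type: string
      description: 'Path to Helm values file (e.g. overlays/staging/values-staging.yaml)'
    - name: commitMessage
      type: string
      default: "chore(gitops): update image tag"
      description: Commit message
  workspaces:
    - name: ssh-directory
      optional: true
      description: SSH credentials (private key, known_hosts)
    - name: basic-auth
      optional: true
      description: '.gitconfig and .git-credentials'
    - name: ssl-ca-directory
      optional: true
      description: Custom CA certificates (optional)
  steps:
    - name: update-and-push
      # NOTE(review): alpine:3.19 is a mutable tag and git/yq/openssh are
      # fetched from the network on every run. Pin the image by digest, or use
      # a prebuilt image that already contains these tools, so the step that
      # holds push credentials runs a known set of binaries.
      image: alpine:3.19
      workingDir: /workspace
      # Parameters are handed to the script as environment variables. Tekton
      # replaces $(params.*) textually before the shell starts, so a reference
      # placed inside the script body would be parsed as shell source; an
      # environment variable keeps the value as data.
      env:
        - name: PARAM_REPOSITORY_URL
          value: "$(params.repositoryUrl)"
        - name: PARAM_BRANCH
          value: "$(params.branch)"
        - name: PARAM_IMAGE_URL
          value: "$(params.imageUrl)"
        - name: PARAM_VALUES_PATH
          value: "$(params.valuesPath)"
        - name: PARAM_COMMIT_MESSAGE
          value: "$(params.commitMessage)"
      script: |
        #!/bin/sh
        set -eu

        fail() {
          echo "ERROR: $*" >&2
          exit 1
        }

        echo "🔐 Preparing Git authentication..."
        # The step writes credentials below /root, so it assumes it runs as root.
        mkdir -p /root/.ssh
        if [ -d /workspace/ssh-directory ]; then
          # Secret volumes expose their keys as symlinks; -L copies the file
          # contents instead of links that would dangle under /root/.ssh.
          cp -RL /workspace/ssh-directory/* /root/.ssh/
          chmod 700 /root/.ssh
          # ssh refuses private keys that group or others can read.
          chmod -R go-rwx /root/.ssh
        fi

        if [ -d /workspace/basic-auth ]; then
          # Both files are optional; copy the ones that exist and keep them
          # readable by the owner only.
          for cred_file in .gitconfig .git-credentials; do
            if [ -f "/workspace/basic-auth/${cred_file}" ]; then
              cp "/workspace/basic-auth/${cred_file}" "/root/${cred_file}"
              chmod 600 "/root/${cred_file}"
            fi
          done
        fi

        if [ -d /workspace/ssl-ca-directory ]; then
          export GIT_SSL_CAINFO="/workspace/ssl-ca-directory/ca.crt"
        fi

        echo "📦 Installing Git + yq..."
        apk add --no-cache git yq openssh

        # Derive the GitOps URL. The "-ops.git" suffix is always appended, so a
        # source URL without ".git" can never resolve to the source repository
        # itself.
        REPO_URL="${PARAM_REPOSITORY_URL%/}"
        GITOPS_REPO="${REPO_URL%.git}-ops.git"
        BRANCH="${PARAM_BRANCH}"
        VALUES_PATH="${PARAM_VALUES_PATH}"
        IMAGE="${PARAM_IMAGE_URL}"

        # Reject values that git or yq would read as command-line options, and
        # paths that leave the cloned repository.
        case "${REPO_URL}" in
          ""|-*) fail "repositoryUrl is empty or starts with '-'" ;;
        esac
        case "${BRANCH}" in
          ""|-*) fail "branch is empty or starts with '-'" ;;
        esac
        case "${VALUES_PATH}" in
          ""|-*|/*|..|../*|*/../*|*/..)
            fail "valuesPath must be a relative path inside the GitOps repository"
            ;;
        esac

        # Take the tag from the last path component so a registry port
        # (registry:5000/app:v1) is not mistaken for it; drop any @digest first.
        IMAGE_REF="${IMAGE%%@*}"
        IMAGE_NAME="${IMAGE_REF##*/}"
        case "${IMAGE_NAME}" in
          *:*) TAG="${IMAGE_NAME##*:}" ;;
          *) fail "imageUrl does not carry a tag" ;;
        esac
        case "${TAG}" in
          ""|*[!A-Za-z0-9_.-]*) fail "image tag contains unexpected characters" ;;
        esac

        echo "📥 Cloning $GITOPS_REPO..."
        TMP_DIR=$(mktemp -d)
        # Remove the clone on every exit path, including failures under set -e.
        trap 'echo "🧹 Cleaning up..."; rm -rf "${TMP_DIR}"' EXIT
        git clone --branch "${BRANCH}" -- "${GITOPS_REPO}" "${TMP_DIR}"
        cd "${TMP_DIR}"

        [ -f "${VALUES_PATH}" ] || fail "valuesPath not found in the GitOps repository"

        echo "🛠 Updating image.tag in $VALUES_PATH to $TAG"
        # strenv() reads the tag from the environment, so it is never spliced
        # into the yq expression text.
        TAG="${TAG}" yq e '.image.tag = strenv(TAG)' -i "${VALUES_PATH}"

        git config user.name "tekton-ci"
        git config user.email "ci@example.com"

        git add -- "${VALUES_PATH}"
        # Commit and push only when the file changed; a real commit or push
        # failure now stops the step instead of being reported as "no changes".
        if git diff --cached --quiet; then
          echo "No changes to commit."
        else
          git commit -m "${PARAM_COMMIT_MESSAGE}"
          git push origin "${BRANCH}"
        fi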