name: Deploy

# Fast-path publish: on push to main, SSH to the tutorials LXC and trigger the
# host-side oneshot deploy.service. The SSH key is restricted by a forced
# command in ~deploy/.ssh/authorized_keys, so even a leaked key can only
# redeploy public content. The host's 5-min poll-fallback timer covers any
# missed delivery, so this job is a latency optimization, not the only path.

on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger tutorials redeploy over SSH
        env:
          DEPLOY_KEY: ${{ secrets.TUTORIALS_DEPLOY_KEY }}
          # Host address kept out of this public repo — set as an Actions secret.
          DEPLOY_HOST: ${{ secrets.TUTORIALS_DEPLOY_HOST }}
          DEPLOY_USER: deploy
          # Pinned host public key (a known_hosts line), also via secret.
          KNOWN_HOSTS: ${{ secrets.TUTORIALS_KNOWN_HOSTS }}
        run: |
          set -eu
          # Ensure an SSH client is available on the runner image.
          if ! command -v ssh >/dev/null 2>&1; then
            (apt-get update && apt-get install -y openssh-client) >/dev/null
          fi
          install -d -m 700 ~/.ssh
          printf '%s\n' "$DEPLOY_KEY" > ~/.ssh/deploy_key
          chmod 600 ~/.ssh/deploy_key
          # Pin the target's host key (supplied via secret) instead of trusting
          # it on first connect — closes the first-connection MITM window that
          # StrictHostKeyChecking=accept-new (trust-on-first-use) leaves open.
          printf '%s\n' "$KNOWN_HOSTS" > ~/.ssh/known_hosts
          chmod 600 ~/.ssh/known_hosts
          # Forced command runs regardless of the remote command; harmless placeholder.
          ssh -o StrictHostKeyChecking=yes \
              -o UserKnownHostsFile="$HOME/.ssh/known_hosts" \
              -o BatchMode=yes \
              -i ~/.ssh/deploy_key \
              "${DEPLOY_USER}@${DEPLOY_HOST}" deploy