name: Tests

permissions:
  id-token: write
  contents: write

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  bicep-pre-check:
    name: Bicep Pre-check
    environment: bicep
    runs-on: ubuntu-latest
    outputs:
      deployed_tag_exists: ${{ steps.check_tag.outputs.DEPLOYED_TAG_EXISTS }}
      no_changes: ${{ steps.check_changes.outputs.NO_CHANGES }}
    steps:
    - uses: actions/checkout@v4
    - name: Fetch complete history
      run: |
        git fetch --prune --unshallow --tags
    - name: Check for deployed tag
      id: check_tag
      run: |
        if git rev-parse --verify deployed >/dev/null 2>&1; then
          echo "DEPLOYED_TAG_EXISTS=true" >> $GITHUB_OUTPUT
          echo "LAST_DEPLOYED_COMMIT=$(git rev-list -n 1 deployed)" >> $GITHUB_OUTPUT
        else
          echo "DEPLOYED_TAG_EXISTS=false" >> $GITHUB_OUTPUT
        fi
    - name: Check for changes in bicep folder
      id: check_changes
      if: steps.check_tag.outputs.DEPLOYED_TAG_EXISTS == 'true'
      run: |
        if git diff --quiet ${{ steps.check_tag.outputs.LAST_DEPLOYED_COMMIT }} HEAD -- bicep/ ; then
          echo "NO_CHANGES=true" >> $GITHUB_OUTPUT
        else
          echo "NO_CHANGES=false" >> $GITHUB_OUTPUT
        fi
  bicep:
    name: Deploy Azure resources
    needs: bicep-pre-check
    if: needs.bicep-pre-check.outputs.deployed_tag_exists == 'false' || needs.bicep-pre-check.outputs.no_changes == 'false'
    environment: bicep
    runs-on: ubuntu-latest
    concurrency:
      group: bicep
    env:
      LOCATION: eastus
      DEPLOYMENT_NAME: keyweave-${{ github.run_id }}
    steps:
    - uses: actions/checkout@v4
    - uses: azure/login@v2
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Deploy Bicep template
      uses: azure/arm-deploy@v2
      with:
        scope: subscription
        region: ${{ env.LOCATION }}
        template: bicep/main.bicep
        deploymentName: ${{ env.DEPLOYMENT_NAME }}
    - name: Tag Deployment
      run: |
        git config --global user.name "github-actions[bot]"
        git config --global user.email "github-actions[bot]@users.noreply.github.com"
        git tag -fa deployed -m "Deployed to Azure"
        git push origin --tags --force

  tests:
    name: Run End-to-End Tests
    needs: bicep
    if: always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled')
    strategy:
      matrix:
        include:
        - filter: no_access
          client-id-ref: AZURE_CLIENT_ID_NO_ACCESS
        - filter: only_get
          client-id-ref: AZURE_CLIENT_ID_GET
        - filter: only_list
          client-id-ref: AZURE_CLIENT_ID_LIST
        - filter: get_and_list_access
          client-id-ref: AZURE_CLIENT_ID_GET_LIST
    runs-on: ubuntu-latest
    environment: test
    steps:
    - uses: actions/checkout@v4
    - uses: dtolnay/rust-toolchain@stable
    - name: Azure Login
      uses: azure/login@v2
      with:
        client-id: ${{ secrets[matrix.client-id-ref] }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - name: Run ${{ matrix.filter }} tests
      run: cargo test ${{ matrix.filter }}