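# ComplianceHarbor DeployGuard gate: on every push to main (or a manual run)
# ask the DeployGuard API for a risk decision and let the deploy job run only
# when that decision is not HALT.
name: ComplianceHarbor DeployGuard Gate

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege: nothing in this workflow writes to the repository.
permissions:
  contents: read

jobs:
  deployguard-gate:
    runs-on: ubuntu-latest
    # Read by the deploy job's `if:` and its log lines.
    outputs:
      assessment_id: ${{ steps.gate.outputs.assessment_id }}
      decision: ${{ steps.gate.outputs.decision }}
    steps:
      - name: Run DeployGuard Risk Gate
        id: gate
        # Secrets and context values reach the script through env vars rather
        # than being expanded into the script text, so they are never part of
        # the shell source and cannot change its syntax.
        env:
          API_URL: ${{ secrets.COMPLIANCEHARBOR_API_URL }}
          API_KEY: ${{ secrets.COMPLIANCEHARBOR_API_KEY }}
          CHANGE_ID: ${{ github.sha }}
          COMPONENT: ${{ github.repository }}
        shell: bash
        run: |
          set -euo pipefail

          if [ -z "$API_URL" ] || [ -z "$API_KEY" ]; then
            echo "::error::COMPLIANCEHARBOR_API_URL / COMPLIANCEHARBOR_API_KEY secrets are not set"
            exit 1
          fi

          # Build the request body with jq so every value is JSON-escaped
          # instead of being spliced into a quoted literal.
          PAYLOAD=$(jq -n \
            --arg change_id "$CHANGE_ID" \
            --arg component "$COMPONENT" \
            --arg scheduled_at "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            '{change_id: $change_id,
              platform: "kubernetes",
              environment: "production",
              components: [$component],
              scheduled_at: $scheduled_at}')

          # The HTTP status is appended on its own line and split off below.
          # --max-time keeps a hung API from stalling the gate indefinitely.
          RESPONSE=$(curl -sS --max-time 60 -w "\n%{http_code}" \
            -X POST "${API_URL}/api/v1/deployguard/gate" \
            -H "Authorization: Bearer ${API_KEY}" \
            -H "Content-Type: application/json" \
            -d "$PAYLOAD")

          HTTP_CODE=$(printf '%s\n' "$RESPONSE" | tail -n 1)
          BODY=$(printf '%s\n' "$RESPONSE" | sed '$d')

          if [ "$HTTP_CODE" != "200" ]; then
            echo "::error::DeployGuard gate request failed with HTTP $HTTP_CODE"
            echo "$BODY"
            exit 1
          fi

          # `jq -e` exits non-zero when the field is null or the body is not
          # JSON, so a malformed response stops the job here instead of
          # publishing an empty decision that the deploy job would read as
          # "not HALT" (fail closed rather than open).
          if ! DECISION=$(printf '%s\n' "$BODY" | jq -er '.decision'); then
            echo "::error::DeployGuard response has no usable decision field"
            echo "$BODY"
            exit 1
          fi
          ASSESSMENT_ID=$(printf '%s\n' "$BODY" | jq -r '.assessment_id')
          SCORE=$(printf '%s\n' "$BODY" | jq -r '.composite_score')

          echo "assessment_id=$ASSESSMENT_ID" >> "$GITHUB_OUTPUT"
          echo "decision=$DECISION" >> "$GITHUB_OUTPUT"

          {
            echo "## DeployGuard Risk Assessment"
            echo "- **Decision**: $DECISION"
            echo "- **Score**: $SCORE/100"
            echo "- **Assessment ID**: $ASSESSMENT_ID"
          } >> "$GITHUB_STEP_SUMMARY"

          # HALT is the only blocking decision; the two advisory decisions
          # surface a warning, and any other value passes as before.
          case "$DECISION" in
            HALT)
              echo "::error::Deployment halted — risk score $SCORE/100"
              echo ""
              echo "=== Halt Reason Card ==="
              printf '%s\n' "$BODY" | jq '.halt_reason_card'
              exit 1
              ;;
            DELAY_RECOMMENDED)
              echo "::warning::Deployment delay recommended — risk score $SCORE/100"
              printf '%s\n' "$BODY" | jq '.recommended_window'
              ;;
            PROCEED_WITH_CAUTION)
              echo "::warning::Proceed with caution — risk score $SCORE/100"
              ;;
          esac

          echo "DeployGuard gate passed with decision: $DECISION (score: $SCORE)"

  deploy:
    needs: deployguard-gate
    # GitHub applies success() by default when no status function is used;
    # it is spelled out so the dependency on the gate job having succeeded
    # (not failed or been skipped) is visible to readers.
    if: success() && needs.deployguard-gate.outputs.decision != 'HALT'
    runs-on: ubuntu-latest
    steps:
      # Consider pinning this action to a full commit SHA instead of a
      # moving tag for supply-chain integrity.
      - uses: actions/checkout@v4
      - name: Deploy
        # Job outputs are passed via env rather than expanded into the script.
        env:
          ASSESSMENT_ID: ${{ needs.deployguard-gate.outputs.assessment_id }}
          DECISION: ${{ needs.deployguard-gate.outputs.decision }}
        run: |
          echo "Deploying with DeployGuard assessment: $ASSESSMENT_ID"
          echo "Gate decision: $DECISION"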
