skins/.gitea/workflows/deploy-ci.yaml

name: Sync CI from skins-template to Every User Repository

on:
  workflow_dispatch:

jobs:
  sync-all:
    runs-on: ubuntu-latest
    container:
      image: ${{ vars.CONTAINER_REGISTRY }}/arlind/skins:latest
    env:
      GITEA_API: https://${{ vars.CONTAINER_REGISTRY }}/api/v1
      TOKEN: ${{ secrets.TOKEN }}
      TEMPLATE_PATH: .gitea/workflows/ci.yml

    steps:
      - name: Fetch CI template via Gitea API
        shell: bash
        run: |
          resp=$(curl -sSL -H "Authorization: token $TOKEN" \
            "$GITEA_API/repos/osc/skins-template/contents/$TEMPLATE_PATH?ref=main")
          template_b64=$(echo "$resp" | jq -r .content)
          echo "TEMPLATE_B64=$template_b64" >> $GITHUB_ENV

      - name: Fetch valid user repositories
        shell: bash
        run: |
          page=1
          per_page=50
          valid_repos_file=$(mktemp)
          user_count_total=$(curl -sSL -H "Authorization: token $TOKEN" \
            "$GITEA_API/admin/users" | jq 'length')
          user_counter=1

          while :; do
            users_json=$(curl -sSL -H "Authorization: token $TOKEN" \
              "$GITEA_API/admin/users?limit=$per_page&page=$page")
            users_count=$(echo "$users_json" | jq 'length')
            [ "$users_count" -eq 0 ] && break

            for i in $(seq 0 $((users_count - 1))); do
              user_login=$(echo "$users_json" | jq -r ".[$i].login")
              echo "[$user_counter/$user_count_total] Processing user: $user_login"
              repos_json=$(curl -sSL -H "Authorization: token $TOKEN" \
                "$GITEA_API/users/$user_login/repos")
              repo_count=$(echo "$repos_json" | jq 'length')

              if [ "$repo_count" -ne 0 ]; then
                repo_matched=false
                for j in $(seq 0 $((repo_count - 1))); do
                  owner=$(echo "$repos_json" | jq -r ".[$j].owner.login")
                  repo=$(echo "$repos_json" | jq -r ".[$j].name")

                  echo "DEBUG: Fetching README for $owner/$repo"
                  readme_json=$(curl -sSL -H "Authorization: token $TOKEN" \
                    "$GITEA_API/repos/$owner/$repo/contents/README.md?ref=main" || echo "{}")
                  content=$(echo "$readme_json" | jq -r .content 2>/dev/null \
                              | base64 -d 2>/dev/null || echo "")

                  # strip BOM and CRLF
                  content=$(echo "$content" \
                    | sed $'1s/^\xEF\xBB\xBF//' \
                    | sed 's/\r$//')

                  if [ "$owner" = "Zacatel" ]; then
                    echo "DEBUG: Normalized content for $owner/$repo (first 10 lines):"
                    echo "$content" | sed -n '1,10p' | sed -n l
                  fi

                  # match on presence of osuid: in the front‐matter
                  if echo "$content" | grep -q 'osuid:'; then
                    echo "DEBUG: 'osuid:' found in $owner/$repo"
                    echo "$owner/$repo" >> "$valid_repos_file"
                    echo "added $owner/$repo"
                    repo_matched=true
                  else
                    echo "DEBUG: no osuid in $owner/$repo"
                  fi
                done

                [ "$repo_matched" = false ] && echo "no matching repos for $user_login"
              else
                echo "no repos for $user_login"
              fi

              user_counter=$((user_counter + 1))
            done

            page=$((page + 1))
          done

          echo "VALID_REPOS_FILE=$valid_repos_file" >> $GITHUB_ENV

      - name: Update CI via Gitea API
        shell: bash
        run: |
          set -eo pipefail
          mapfile -t repos < "$VALID_REPOS_FILE"
          for repo_full in "${repos[@]}"; do
            owner=${repo_full%%/*}
            repo=${repo_full##*/}
            api="$GITEA_API/repos/$owner/$repo"
            default_branch=$(curl -sSL --fail -H "Authorization: token $TOKEN" \
                              "$api" | jq -r '.default_branch')
            latest_tag=$(curl -sSL --fail -H "Authorization: token $TOKEN" \
                         "$api/tags" | jq -r '.[0].name // empty')
            if [[ -n "$latest_tag" && "$latest_tag" != "v1.0.0" ]]; then
              curl -sSL -X DELETE -H "Authorization: token $TOKEN" \
                   "$api/git/refs/tags/$latest_tag" || true
            fi
            url="$api/contents/$TEMPLATE_PATH"
            sha=$(curl -sSL -H "Authorization: token $TOKEN" "$url" \
                  | jq -r 'select(.sha != null).sha // empty' || true)
            if [[ -z "$sha" ]]; then
              action="Add"
              msg="Add CI from skins-template"
              payload=$(jq -nc --arg message "$msg" --arg content "$TEMPLATE_B64" --arg branch "$default_branch" '{message: $message, content: $content, branch: $branch}')
            else
              action="Update"
              msg="Update CI from skins-template"
              payload=$(jq -nc --arg message "$msg" --arg content "$TEMPLATE_B64" --arg sha "$sha" --arg branch "$default_branch" '{message: $message, content: $content, sha: $sha, branch: $branch}')
            fi
            if curl -sSL --fail -X PUT -H "Authorization: token $TOKEN" -H "Content-Type: application/json" -d "$payload" "$url" >/dev/null; then
              echo "✅ $action $owner/$repo on branch $default_branch"
            else
              echo "❌ $action failed for $owner/$repo → $url" >&2
            fi
          done

      - name: Cleanup
        shell: bash
        run: rm -f "$VALID_REPOS_FILE"