admin/scripts/deploy.sh

#!/usr/bin/env bash
# scripts/deploy.sh — Azaion Admin API deployment orchestrator.
#
# Usage:
#   ENV=staging   ./scripts/deploy.sh <sha-tag>
#   ENV=production ./scripts/deploy.sh <sha-tag>
#   ./scripts/deploy.sh --rollback           # uses the SHA from previous_tags.env
#   ./scripts/deploy.sh --help
#
# This is the single entry point; do not call the per-step scripts (pull/stop/
# start/health) directly except from this file.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"

# shellcheck source=./_lib.sh
. "$SCRIPT_DIR/_lib.sh"

usage() {
    cat <<'EOF'
Usage:
  ENV=staging|production ./scripts/deploy.sh <sha-tag>
  ./scripts/deploy.sh --rollback
  ./scripts/deploy.sh --help

Environment:
  ENV                   Required. "staging" or "production". Selects which
                        secrets/<env>.env (sops-encrypted) is decrypted.
  REGISTRY_HOST,
  REGISTRY_IMAGE        Registry hostname and image path; loaded from
                        secrets/<env>.public.env unless already set.
  DEPLOY_*              See .env.example.

Notes:
  - Run this on the deploy target host (it does not SSH for you in cycle 1).
  - Requires: docker, sops, age, curl, jq.
EOF
}

ROLLBACK=0
SHA_TAG=""
for arg in "$@"; do
    case "$arg" in
        --help|-h) usage; exit 0 ;;
        --rollback) ROLLBACK=1 ;;
        -*) die "Unknown flag: $arg (use --help)" ;;
        *) SHA_TAG="$arg" ;;
    esac
done

require_env ENV
require_cmd docker sops age curl jq

load_env_overlay "$ENV"

if [[ "$ROLLBACK" -eq 1 ]]; then
    PREV_FILE="$REPO_ROOT/scripts/.previous_tags.env"
    [[ -f "$PREV_FILE" ]] || die "No $PREV_FILE — cannot determine rollback target"
    # shellcheck disable=SC1090
    . "$PREV_FILE"
    [[ -n "${PREVIOUS_SHA_TAG:-}" ]] || die "PREVIOUS_SHA_TAG missing in $PREV_FILE"
    SHA_TAG="$PREVIOUS_SHA_TAG"
    log_warn "ROLLBACK requested → redeploying $SHA_TAG"
fi

[[ -n "$SHA_TAG" ]] || die "Missing <sha-tag>. Pass the immutable SHA-tag (e.g. a1b2c3d4e5f6-arm) or use --rollback."

export REGISTRY_TAG="$SHA_TAG"

log_info "Deploy plan"
log_info "  ENV=$ENV"
log_info "  REGISTRY_HOST=$REGISTRY_HOST"
log_info "  REGISTRY_IMAGE=$REGISTRY_IMAGE"
log_info "  REGISTRY_TAG=$REGISTRY_TAG"
log_info "  DEPLOY_CONTAINER_NAME=$DEPLOY_CONTAINER_NAME"
log_info "  DEPLOY_HOST_PORT=$DEPLOY_HOST_PORT"

"$SCRIPT_DIR/pull-images.sh"
"$SCRIPT_DIR/stop-services.sh"
"$SCRIPT_DIR/start-services.sh"
"$SCRIPT_DIR/health-check.sh"

log_info "Deploy succeeded — $REGISTRY_HOST/$REGISTRY_IMAGE:$REGISTRY_TAG is live as $DEPLOY_CONTAINER_NAME"