.github/workflows/deploy-production.yml

name: Deploy Production

on:
  push:
    branches:
      - main

env:
  SKIP_ENV_VALIDATION: 1

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build-lint:
    uses: ./.github/workflows/job_build.yaml
    with:
      pull_secrets: true
      project_slug: unprice-zq-xm
      env_slug: prod
    secrets:
      MACHINE_IDENTITY_CLIENT_ID: ${{ secrets.MACHINE_IDENTITY_CLIENT_ID }}
      MACHINE_IDENTITY_CLIENT_SECRET: ${{ secrets.MACHINE_IDENTITY_CLIENT_SECRET }}

  deploy-prod:
    runs-on: ubuntu-latest

    needs:
      - build-lint

    permissions:
      pull-requests: write
      contents: read

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: Infisical/secrets-action@v1.0.7
        name: Pull secrets from Infisical
        with:
          client-id: ${{ secrets.MACHINE_IDENTITY_CLIENT_ID }}
          client-secret: ${{ secrets.MACHINE_IDENTITY_CLIENT_SECRET }}
          env-slug: "prod"
          project-slug: "unprice-zq-xm"
          export-type: "file"
          file-output-path: "/.env"
          secret-path: "/"
          recursive: true

      - uses: ./.github/actions/install
        with:
          ts: true

      - uses: cardinalby/export-env-action@v2
        with:
          envFile: '.env'
          export: true
          mask: true

      - name: Apply Migrations
        working-directory: internal/db
        run: |
          pnpm migrate:custom
        env:
          VERCEL_ENV: production
          NODE_ENV: production

      - name: Check for changes
        id: turbo-ignore
        continue-on-error: true
        run: npx turbo-ignore -d apps/auth-proxy

      - uses: amondnet/vercel-action@v25.2.0 #deploy
        name: Deploy Unprice auth to Vercel
        id: deploy-auth
        # if turbo-ignore fails,that means there are no changes in the auth-proxy folder
        if: steps.turbo-ignore.outcome == 'failure'
        with:
          vercel-token: ${{ env.VERCEL_TOKEN }} # Required
          vercel-org-id: ${{ env.VERCEL_ORG_ID}}  #Required
          vercel-project-id: ${{ env.VERCEL_PROJECT_AUTH_UNPRICE_ID }} #Required
          # always prod because the auth proxy link has to be stable
          vercel-args: '--env VERCEL_ENV=production --env NODE_ENV=production --prod --build-env VERCEL_ENV=production --build-env NODE_ENV=production'
          working-directory: ./

      # deploy unprice to vercel
      - uses: amondnet/vercel-action@v25.2.0 #deploy
        name: Deploy Unprice to Vercel
        id: deploy-unprice
        with:
          vercel-token: ${{ env.VERCEL_TOKEN }} # Required
          vercel-org-id: ${{ env.VERCEL_ORG_ID}}  #Required
          vercel-project-id: ${{ env.VERCEL_PROJECT_UNPRICE_ID}} #Required
          working-directory: ./
          vercel-args: '--prod --env NEXT_PUBLIC_APP_DOMAIN=unprice.dev --env NEXT_PUBLIC_VERCEL_ENV=production --build-env NEXT_PUBLIC_APP_DOMAIN=unprice.dev --build-env NEXT_PUBLIC_VERCEL_ENV=production'
          alias-domains: |
            unprice.vercel.app

      - name: Delete Secret
        if: always()
        run: |
          rm -rf .env || true