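---
# GitHub Actions workflow: deploy this repository to the production server over SSH.
#
# Changes from the previous revision (security / correctness):
#   * Secrets reach each step through `env:` and are read as shell variables
#     instead of being spliced into the script text with `${{ }}`; a value
#     containing quotes can no longer break the script, and the raw value is
#     not placed on the command line of sshpass / ssh / expect.
#   * The remote sudo password is sent over the ssh channel's stdin, not
#     embedded in the remote command string.
#   * The ssh-agent socket is exported to $GITHUB_ENV so the deploy step can
#     actually use the unlocked key (each `run:` is a fresh shell).
#   * The key-setup step fails immediately if the passphrase was rejected,
#     instead of leaving the deploy step to hang on an interactive prompt.
#   * `set -x` is not used on the remote side: it would echo the password
#     into the job log.
name: 部署到生产环境

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  # NOTE(review): this trigger also runs the production deploy for every pull
  # request against main (same-repo PRs have access to the environment
  # secrets; forked PRs fail for lack of them). Consider dropping it or
  # gating the job on `github.event_name`.
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      reason:
        description: '手动触发部署的原因'
        required: false
        default: '手动部署'

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: SSH-KEY
    steps:
      - uses: actions/checkout@v4

      - name: 安装依赖工具
        run: |
          # sshpass supplies the server login password; expect supplies the
          # private-key passphrase to ssh-add.
          sudo apt-get update
          sudo apt-get install -y sshpass expect

      - name: 配置SSH密钥并启动ssh-agent
        env:
          SSH_PRIVATE_KEY: ${{ secrets.KEY }}
          SSH_PASSPHRASE: ${{ secrets.PASSPHRASE }}
        run: |
          set -e
          # SSH refuses key and config files that are readable by other users.
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh

          # printf rather than echo: the key material must be written verbatim
          # even if a line starts with "-" or contains a backslash.
          printf '%s\n' "$SSH_PRIVATE_KEY" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa

          # Start the agent and hand its socket/PID to later steps. Without
          # $GITHUB_ENV the deploy step would have no agent and ssh would
          # prompt for the passphrase, which nothing answers.
          eval "$(ssh-agent -s)"
          echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK" >> "$GITHUB_ENV"
          echo "SSH_AGENT_PID=$SSH_AGENT_PID" >> "$GITHUB_ENV"
          echo "=== 加载SSH密钥调试信息 ==="
          echo "当前ssh-agent进程ID: $SSH_AGENT_PID"

          # Unlock the key. The expect script comes from a quoted heredoc, so
          # the passphrase is read from the environment inside expect via
          # $env(...) and never appears in expect's argument list. The prompt
          # is matched by prefix so a different key path still works.
          expect <<'EOF'
          set timeout 10
          spawn ssh-add $env(HOME)/.ssh/id_rsa
          expect {
            -re "Enter passphrase for .*:" {
              send "$env(SSH_PASSPHRASE)\r"
              exp_continue
            }
            "Identity added:" {
              puts "密钥加载成功"
            }
            timeout {
              puts "密钥加载超时"
              exit 1
            }
            eof
          }
          EOF

          # ssh-add exits non-zero when the agent holds no identity (e.g. the
          # passphrase was rejected). Fail here rather than in the deploy step.
          if ! ssh-add -l; then
            echo "无已加载的SSH密钥"
            exit 1
          fi

          # Host-key checking is disabled so the fresh runner does not block
          # on the first-connection confirmation. This means the server's
          # identity is never verified; pinning its public key in a
          # known_hosts file would close that gap.
          {
            echo "StrictHostKeyChecking no"
            echo "UserKnownHostsFile /dev/null"
            echo "GlobalKnownHostsFile /dev/null"
          } >> ~/.ssh/config
          chmod 600 ~/.ssh/config
          echo "=== SSH密钥配置完成 ==="

      - name: 执行部署
        env:
          SSHPASS: ${{ secrets.SERVER_PASSWORD }}
          SERVER_USER: ${{ secrets.SERVER_USER }}
          SERVER_ADDRESS: ${{ secrets.SERVER_ADDRESS }}
        run: |
          set -e
          # Login uses the agent-loaded key plus the account password
          # (sshpass -e reads it from $SSHPASS, keeping it off the process
          # list). The same password is written once to ssh's stdin; the
          # remote script reads it with `read -r` and pipes it to `sudo -S`,
          # so it is never part of the remote command line.
          printf '%s\n' "$SSHPASS" | sshpass -e ssh -o StrictHostKeyChecking=no \
            -o IdentityFile=~/.ssh/id_rsa -p 42422 "$SERVER_USER@$SERVER_ADDRESS" '
            set -e
            IFS= read -r SUDO_PW
            as_root() { printf "%s\n" "$SUDO_PW" | sudo -S "$@"; }
            echo "=== 部署调试信息开始 ==="
            echo "测试sudo权限..."
            as_root whoami
            echo "停止服务..."
            as_root systemctl stop neobot.service
            echo "修复文件权限..."
            as_root chown -R "$(id -un):$(id -un)" /home/luoxiaolei/neobot/NeoBot
            cd /home/luoxiaolei/neobot/NeoBot
            echo "拉取最新代码(服务器本地已有GitHub密钥)..."
            git pull origin main
            echo "启动服务..."
            as_root systemctl start neobot.service
            echo "检查服务状态..."
            as_root systemctl status neobot.service --no-pager
            echo "部署完成!"
            echo "=== 部署调试信息结束 ==="
          '
        continue-on-error: false

      - name: 检查部署状态
        if: failure()
        run: |
          # Runs only when an earlier step failed; prints the usual causes and
          # keeps the job marked as failed.
          echo "部署失败!请检查以下点:"
          echo "1. 服务器SSH配置是否允许密钥+密码双重认证"
          echo "2. KEY/PASSPHRASE/SERVER_PASSWORD是否正确"
          echo "3. 服务器端口42422是否开放,用户名/地址是否正确"
          exit 1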