name: sync-tangled
permissions:
  contents: read

on:
  push:
    branches:
      - main

jobs:
  sync:
    runs-on: ubuntu-latest
    environment: tangled-sync
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
          ref: ${{ github.event.pull_request.head.sha }}
      - name: sync tangled
        env:
          TANGLED_SSH_PRIVATE_KEY: ${{ secrets.TANGLED_SSH_PRIVATE_KEY }}
        run: |
          set -euo pipefail
          # Turn off strict SSH key checking
          mkdir -p ~/.ssh
          echo "Host *
            StrictHostKeyChecking no
            UserKnownHostsFile=/dev/null" > ~/.ssh/config

          # Write SSH key to disk
          echo "$TANGLED_SSH_PRIVATE_KEY" > ~/.ssh/tangled_key
          chmod 600 ~/.ssh/tangled_key

          # Configure SSH to use the key for tangled.sh
          echo "Host tangled.sh
            IdentityFile ~/.ssh/tangled_key" >> ~/.ssh/config

          chmod 600 ~/.ssh/config

          # Set git user
          git config --global user.name "Frontpage Bot"
          git config --global user.email "team@frontpage.fyi"

          git remote add tangled git@tangled.sh:frontpage.fyi/frontpage
          git push -f --all tangled
          git push -f --tags tangled