ia_dev/deploy/deploy-by-script-to.sh

#!/usr/bin/env bash
# deploy-by-script-to [project_id] <target_branch>: verify .secrets/<env>, deploy target, restore branch test when needed.
# Launched from ia_dev root. Project from projects/<id>/conf.json; id from param, or MAIL_TO or AI_AGENT_TOKEN. Target: pprod | prod only.
# If deploy.host_stays_on_test is true in conf: stay on branch test; no checkout/reset of pprod|prod (deploy.sh aligns remotes / worktree).
set -euo pipefail

SCRIPT_REAL="$(readlink -f "${BASH_SOURCE[0]:-$0}" 2>/dev/null || realpath "${BASH_SOURCE[0]:-$0}" 2>/dev/null || echo "${BASH_SOURCE[0]:-$0}")"
DEPLOY_IA="$(cd "$(dirname "$SCRIPT_REAL")" && pwd)"
IA_DEV_ROOT="$(cd "$DEPLOY_IA/.." && pwd)"

# shellcheck source=../lib/smart_ide_logs.sh
source "${IA_DEV_ROOT}/lib/smart_ide_logs.sh"
smart_ide_logs_begin "$IA_DEV_ROOT" "$0" "$*"
smart_ide_logs_register_exit_trap

# Optional first arg: project id (must exist as projects/<id>/conf.json)
if [[ -n "${1:-}" && ! "$1" =~ ^(pprod|prod)$ && -f "${IA_DEV_ROOT}/projects/${1}/conf.json" ]]; then
	export IA_PROJECT_ID="$1"
	shift
fi
# shellcheck source=../lib/project_config.sh
source "${IA_DEV_ROOT}/lib/project_config.sh"
# shellcheck source=../lib/project_git_root_from_conf.sh
source "${IA_DEV_ROOT}/lib/project_git_root_from_conf.sh"
ia_dev_resolve_project_git_root
PROJECT_ROOT="${IA_PROJECT_GIT_ROOT:-}"
if [[ -z "$PROJECT_ROOT" || ! -d "$PROJECT_ROOT" ]]; then
	PROJECT_ROOT="$(cd "$DEPLOY_IA/../.." && pwd)"
fi
if [[ -n "${PROJECT_CONFIG_PATH:-}" && -f "${PROJECT_CONFIG_PATH:-}" ]] && command -v jq >/dev/null 2>&1; then
	_sp="$(jq -r '.deploy.secrets_path // empty' "$PROJECT_CONFIG_PATH" 2>/dev/null)"
	_sp="$(ia_dev_resolve_path_from_conf "$PROJECT_CONFIG_PATH" "$_sp")"
	if [[ -n "$_sp" && "$_sp" != "null" && -d "$_sp" ]]; then
		export SECRETS_BASE="$_sp"
		export LECOFFRE_SECRETS_BASE="$_sp"
	fi
fi
if [[ "$(pwd)" != "$PROJECT_ROOT" ]]; then
	# Preserve project id for re-exec so config is still resolved in child
	[[ -n "${PROJECT_ID:-}" ]] && export IA_PROJECT_ID="$PROJECT_ID"
	cd "$PROJECT_ROOT" && exec "$SCRIPT_REAL" "$@"
fi
if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
	echo "[deploy-by-script-to][ERROR] Not in a git repository (PROJECT_ROOT=${PROJECT_ROOT})" >&2
	exit 1
fi

TARGET_BRANCH="${1:-}"
if [[ -z "$TARGET_BRANCH" ]]; then
	echo "[deploy-by-script-to][ERROR] Missing <target_branch> argument (expected: pprod | prod)" >&2
	echo "Usage: ./deploy/deploy-by-script-to.sh [project_id] <target_branch>  (from ia_dev; pprod or prod only)" >&2
	exit 1
fi
if [[ ! "$TARGET_BRANCH" =~ ^(pprod|prod)$ ]]; then
	echo "[deploy-by-script-to][ERROR] Invalid target branch: must be pprod or prod (got: '${TARGET_BRANCH}')" >&2
	echo "Usage: ./deploy/deploy-by-script-to.sh [project_id] <pprod|prod>" >&2
	exit 1
fi

current="$(git rev-parse --abbrev-ref HEAD)"
if [[ "$current" != "test" ]]; then
	echo "[deploy-by-script-to][ERROR] Must be on branch 'test' (current: '${current}'). Run /change-to-all-branches first." >&2
	exit 1
fi

HOST_STAYS_ON_TEST=false
if [[ -n "${PROJECT_CONFIG_PATH:-}" && -f "${PROJECT_CONFIG_PATH}" ]] && command -v jq >/dev/null 2>&1; then
	_ht="$(jq -r '.deploy.host_stays_on_test // false' "$PROJECT_CONFIG_PATH" 2>/dev/null || echo false)"
	if [[ "$_ht" == "true" ]]; then
		HOST_STAYS_ON_TEST=true
	fi
fi

if [[ "$HOST_STAYS_ON_TEST" != "true" ]]; then
	echo "[deploy-by-script-to] Step 1/5: checkout ${TARGET_BRANCH}..."
	if [[ "$(git rev-parse --abbrev-ref HEAD)" != "$TARGET_BRANCH" ]]; then
		git checkout "$TARGET_BRANCH"
	fi
fi

SECRETS_PARENT="${SECRETS_BASE:-${LECOFFRE_SECRETS_BASE:-$PROJECT_ROOT/.secrets}}"
SECRETS_DIR="${SECRETS_PARENT}/${TARGET_BRANCH}"
if [[ ! -d "$SECRETS_DIR" ]]; then
	# Monorepo LeCoffre (kogus): secrets nominaux sous `.secrets/<site>/<env>/`, pas `.secrets/<env>/`.
	if [[ "${IA_PROJECT_ID:-}" == "kogus" ]]; then
		_ms_ok=true
		_expected_multisite_sites=(kogus)
		_site_codes_script="$PROJECT_ROOT/deploy/scripts_v2/remote/multisite-deployment-site-codes.sh"
		if [[ -f "$_site_codes_script" ]]; then
			# shellcheck source=/dev/null
			source "$_site_codes_script"
			if declare -p DEPLOYMENT_MULTISITE_SITE_SLUGS >/dev/null 2>&1 && [[ "${#DEPLOYMENT_MULTISITE_SITE_SLUGS[@]}" -gt 0 ]]; then
				_expected_multisite_sites+=("${DEPLOYMENT_MULTISITE_SITE_SLUGS[@]}")
			fi
		fi
		if [[ "${#_expected_multisite_sites[@]}" -eq 1 ]]; then
			echo "[deploy-by-script-to][ERROR] Missing deployment site slugs source: ${_site_codes_script} (DEPLOYMENT_MULTISITE_SITE_SLUGS is empty)." >&2
			exit 1
		fi
		for _site in "${_expected_multisite_sites[@]}"; do
			if [[ ! -d "${SECRETS_PARENT}/${_site}/${TARGET_BRANCH}" ]]; then
				_ms_ok=false
				break
			fi
		done
		if [[ "$_ms_ok" == "true" ]]; then
			SECRETS_DIR="${SECRETS_PARENT}/kogus/${TARGET_BRANCH}"
			echo "[deploy-by-script-to] secrets: nested multisite layout OK (${SECRETS_PARENT}/*/${TARGET_BRANCH})"
		else
			echo "[deploy-by-script-to][ERROR] secrets env dir missing: ${SECRETS_DIR} (flat) and incomplete nested multisite under ${SECRETS_PARENT} (need ${_expected_multisite_sites[*]} /${TARGET_BRANCH})" >&2
			exit 1
		fi
	else
		echo "[deploy-by-script-to][ERROR] secrets env dir missing: ${SECRETS_DIR} (set SECRETS_BASE or deploy.secrets_path in conf)" >&2
		exit 1
	fi
fi
if [[ "$HOST_STAYS_ON_TEST" == "true" ]]; then
	echo "[deploy-by-script-to] Step 2: secrets/${TARGET_BRANCH} OK (${SECRETS_DIR}) ; host stays on test (deploy.host_stays_on_test)"
else
	echo "[deploy-by-script-to] Step 2/5: secrets/${TARGET_BRANCH} OK (${SECRETS_DIR})"
fi

# shellcheck source=lib/deploy-conf-handling.sh
source "${DEPLOY_IA}/lib/deploy-conf-handling.sh"
if [[ -n "${PROJECT_CONFIG_PATH:-}" && -f "${PROJECT_CONFIG_PATH}" ]]; then
	ia_dev_deploy_ensure_nested_secrets_symlinks "$SECRETS_PARENT" "$TARGET_BRANCH"
fi

if [[ "$HOST_STAYS_ON_TEST" != "true" ]]; then
	echo "[deploy-by-script-to] Step 3/5: force sync local branch with origin/${TARGET_BRANCH}..."
	git fetch origin
	git reset --hard "origin/${TARGET_BRANCH}"
fi

if [[ "$HOST_STAYS_ON_TEST" == "true" ]]; then
	echo "[deploy-by-script-to] Step 3: deploy ${TARGET_BRANCH} from branch test (business flags from deploy.conf only)..."
else
	echo "[deploy-by-script-to] Step 4/5: deploy ${TARGET_BRANCH} (business flags from deploy.conf only)..."
fi
if [[ -n "${IA_PROJECT_ID:-}" && -x "${DEPLOY_IA}/orchestrator.sh" ]]; then
	"${DEPLOY_IA}/orchestrator.sh" "$TARGET_BRANCH"
else
	deploy_script="$PROJECT_ROOT/deploy/scripts_v2/deploy.sh"
	if [[ -n "${PROJECT_CONFIG_PATH:-}" && -f "${PROJECT_CONFIG_PATH:-}" ]] && command -v jq >/dev/null 2>&1; then
		_cfg_script="$(jq -r '.deploy.deploy_script_path // ""' "$PROJECT_CONFIG_PATH" 2>/dev/null)"
		_cfg_script="$(ia_dev_resolve_path_from_conf "$PROJECT_CONFIG_PATH" "$_cfg_script")"
		[[ -n "$_cfg_script" && -x "$_cfg_script" ]] && deploy_script="$_cfg_script"
	fi
	all_sites_script="$PROJECT_ROOT/deploy/scripts_v2/deploy-multisite-lines.sh"
	if [[ "${IA_PROJECT_ID:-}" == "kogus" && -f "$all_sites_script" && "$deploy_script" == *"/deploy.sh" ]]; then
		bash "$all_sites_script" "$TARGET_BRANCH"
	else
		"$deploy_script" "$TARGET_BRANCH"
	fi
fi

if [[ "$HOST_STAYS_ON_TEST" == "true" ]]; then
	echo "[deploy-by-script-to] OK: deployed to ${TARGET_BRANCH}, still on branch test"
else
	echo "[deploy-by-script-to] Step 5/5: checkout test..."
	git checkout test
	echo "[deploy-by-script-to] OK: aligned, synced, deployed to ${TARGET_BRANCH}, back on test"
fi