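# Manually triggered workflow that copies a fixed list of secrets from this
# repository's context into one of the allow-listed target repositories.
name: Sync Secrets to Repositories

on:
  workflow_dispatch:
    inputs:
      target_repo:
        description: 'Target repository (org/repo format)'
        required: true
        default: 'game-ci/orchestrator'
        type: choice
        options:
          - game-ci/orchestrator
          - game-ci/cli
      dry_run:
        description: 'Dry run (list secrets to sync without writing)'
        required: false
        default: false
        type: boolean

# The built-in GITHUB_TOKEN stays read-only; writes to the target repository
# are authorised by GH_TOKEN in the step below.
permissions:
  contents: read

jobs:
  sync-secrets:
    name: Sync secrets to ${{ inputs.target_repo }}
    runs-on: ubuntu-latest
    steps:
      - name: Sync secrets
        env:
          # Inputs are passed through env (not interpolated into the script)
          # so they cannot alter the shell code that runs.
          GH_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
          TARGET_REPO: ${{ inputs.target_repo }}
          DRY_RUN: ${{ inputs.dry_run }}
          # Secrets to sync — values come from repo + org secrets available here
          SECRET_UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
          SECRET_UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
          SECRET_UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
          # NOTE(review): this propagates the same token used as GH_TOKEN to
          # the target repository; confirm the target needs it and that the
          # token is scoped as narrowly as possible.
          SECRET_GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
          SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_EMAIL }}
          SECRET_GOOGLE_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}
          SECRET_CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
          SECRET_UNITY_LICENSE: ${{ secrets.UNITY_LICENSE }}
          SECRET_NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # Defence in depth: the choice input already restricts the target,
          # but re-check here so secrets are never written to a repository
          # outside the list. Keep in sync with inputs.target_repo.options.
          case "$TARGET_REPO" in
            game-ci/orchestrator|game-ci/cli) ;;
            *)
              echo "::error::Unexpected target repository: $TARGET_REPO"
              exit 1
              ;;
          esac

          # Each entry is "<secret name in target>:<env var holding the value>".
          SECRETS=(
            "UNITY_EMAIL:SECRET_UNITY_EMAIL"
            "UNITY_PASSWORD:SECRET_UNITY_PASSWORD"
            "UNITY_SERIAL:SECRET_UNITY_SERIAL"
            "UNITY_LICENSE:SECRET_UNITY_LICENSE"
            "GIT_PRIVATE_TOKEN:SECRET_GIT_PRIVATE_TOKEN"
            "GOOGLE_SERVICE_ACCOUNT_EMAIL:SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL"
            "GOOGLE_SERVICE_ACCOUNT_KEY:SECRET_GOOGLE_SERVICE_ACCOUNT_KEY"
            "CODECOV_TOKEN:SECRET_CODECOV_TOKEN"
            "NPM_TOKEN:SECRET_NPM_TOKEN"
          )

          synced=0
          skipped=0
          failed=0

          for entry in "${SECRETS[@]}"; do
            name="${entry%%:*}"
            env_var="${entry##*:}"
            # Indirect expansion: read the variable whose name is in env_var.
            value="${!env_var}"

            # A secret that is not defined in this context expands to "".
            if [ -z "$value" ]; then
              echo "⏭ SKIP: $name (not available in this repo's context)"
              skipped=$((skipped + 1))
              continue
            fi

            if [ "$DRY_RUN" = "true" ]; then
              echo "🔍 DRY RUN: would sync $name → $TARGET_REPO"
              synced=$((synced + 1))
              continue
            fi

            # gh reads the secret value from stdin when --body is omitted, which
            # keeps the value out of the process argument list. --body takes a
            # literal string, so "--body -" would not read stdin. printf avoids
            # appending a newline to the value. stderr is left visible so the
            # failure reason (e.g. a permission error) shows up in the log.
            if printf '%s' "$value" | gh secret set "$name" -R "$TARGET_REPO"; then
              echo "✅ SYNCED: $name → $TARGET_REPO"
              synced=$((synced + 1))
            else
              echo "⚠️ FAILED: $name → $TARGET_REPO (continuing)"
              failed=$((failed + 1))
            fi
          done

          echo ""
          echo "=== Summary ==="
          echo "Synced: $synced"
          echo "Skipped (not available): $skipped"
          echo "Failed: $failed"
          echo "Target: $TARGET_REPO"
          if [ "$DRY_RUN" = "true" ]; then
            echo "Mode: DRY RUN (no secrets were written)"
          fi

          # Every secret is still attempted, but a partial sync must not look
          # like a successful run.
          if [ "$failed" -gt 0 ]; then
            echo "::error::$failed secret(s) could not be written to $TARGET_REPO"
            exit 1
          fi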