microdao-daarion/.github/workflows/phase6-smoke.yml

name: phase6-smoke

on:
  workflow_dispatch:
    inputs:
      ssh_host:
        description: "NODA1 SSH host (optional override)"
        required: false
        type: string
      ssh_user:
        description: "NODA1 SSH user (optional override, default root)"
        required: false
        type: string
  workflow_call:
    inputs:
      ssh_host:
        required: false
        type: string
      ssh_user:
        required: false
        type: string
    secrets:
      NODA1_SSH_HOST:
        required: false
      NODA1_SSH_USER:
        required: false
      NODA1_SSH_KEY:
        required: true
  workflow_run:
    workflows:
      - Deploy Node1
      - deploy-node1
      - deploy-node1-runtime
    types:
      - completed

jobs:
  phase6-smoke:
    if: >
      github.event_name == 'workflow_dispatch' ||
      github.event_name == 'workflow_call' ||
      (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
    runs-on: ubuntu-latest
    timeout-minutes: 5
    env:
      DEFAULT_SSH_HOST: ${{ secrets.NODA1_SSH_HOST }}
      DEFAULT_SSH_USER: ${{ secrets.NODA1_SSH_USER }}
    steps:
      - name: Resolve SSH target
        shell: bash
        run: |
          set -euo pipefail
          host="${DEFAULT_SSH_HOST}"
          user="${DEFAULT_SSH_USER:-root}"

          if [ "${{ github.event_name }}" = "workflow_dispatch" ] || [ "${{ github.event_name }}" = "workflow_call" ]; then
            if [ -n "${{ inputs.ssh_host }}" ]; then
              host="${{ inputs.ssh_host }}"
            fi
            if [ -n "${{ inputs.ssh_user }}" ]; then
              user="${{ inputs.ssh_user }}"
            fi
          fi

          if [ -z "${host}" ]; then
            echo "Missing SSH host (workflow input or secret NODA1_SSH_HOST)" >&2
            exit 1
          fi

          echo "SSH_HOST=${host}" >> "${GITHUB_ENV}"
          echo "SSH_USER=${user:-root}" >> "${GITHUB_ENV}"

      - name: Prepare SSH key
        shell: bash
        env:
          SSH_PRIVATE_KEY: ${{ secrets.NODA1_SSH_KEY }}
        run: |
          set -euo pipefail
          set +x
          if [ -z "${SSH_PRIVATE_KEY}" ]; then
            echo "Missing secret NODA1_SSH_KEY" >&2
            exit 1
          fi
          mkdir -p ~/.ssh
          chmod 700 ~/.ssh
          key_path=~/.ssh/noda1_ci_key
          if printf '%s' "${SSH_PRIVATE_KEY}" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
            printf '%s\n' "${SSH_PRIVATE_KEY}" | tr -d '\r' > "${key_path}"
          else
            # Support base64-encoded key payloads in secrets as a fallback.
            printf '%s' "${SSH_PRIVATE_KEY}" | tr -d '\r' | base64 --decode > "${key_path}"
          fi
          chmod 600 "${key_path}"
          if ! ssh-keygen -y -f "${key_path}" >/dev/null 2>&1; then
            echo "Invalid SSH private key in NODA1_SSH_KEY" >&2
            exit 1
          fi
          echo "SSH_KEY_PATH=${key_path}" >> "${GITHUB_ENV}"

      - name: Run phase6 smoke (retry once)
        shell: bash
        run: |
          set -euo pipefail
          set +x
          mkdir -p artifacts
          for attempt in 1 2; do
            log="artifacts/phase6-smoke-attempt${attempt}.log"
            if ssh \
              -i "${SSH_KEY_PATH}" \
              -o BatchMode=yes \
              -o IdentitiesOnly=yes \
              -o StrictHostKeyChecking=accept-new \
              -o ConnectTimeout=10 \
              "${SSH_USER}@${SSH_HOST}" \
              "set -euo pipefail; cd /opt/microdao-daarion; git rev-parse HEAD; make phase6-smoke" \
              | tee "${log}"; then
              cp "${log}" artifacts/phase6-smoke.log
              exit 0
            fi

            if [ "${attempt}" -eq 2 ]; then
              echo "phase6 smoke failed after retry" >&2
              exit 1
            fi
            sleep 15
          done

      - name: Upload smoke logs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: phase6-smoke-logs
          path: artifacts/
          if-no-files-found: ignore