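# Production deployment workflow: opens an SSH session to the deploy host and
# runs the Ansible deploy playbook there. Triggered manually or on a schedule.
name: Deploy to production

on:
  workflow_dispatch:
  schedule:
    # Minute 0 of hours 1 and 22, every day (GitHub evaluates cron in UTC).
    - cron: '0 1,22 * * *'

# No step in this workflow uses GITHUB_TOKEN, so grant it no scopes
# (least privilege for a job that holds production credentials).
permissions: {}

jobs:
  deploy:
    # GitHub Actions requires the hyphenated key `runs-on`; the underscore
    # spelling `runs_on` is not a recognised job key.
    runs-on: ubuntu-latest
    steps:
      - name: Deploy with SSH
        # NOTE(review): a tag ref is mutable. This step receives the SSH
        # private key and the vault password, so pin the action to the full
        # commit SHA behind v1.0.0, e.g.
        #   uses: appleboy/ssh-action@<FULL_COMMIT_SHA>  # v1.0.0
        uses: appleboy/ssh-action@v1.0.0
        env:
          VAULT_PASS: ${{ secrets.ANSIBLE_VAULT_PASSWORD }}
          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
        with:
          host: ${{ secrets.SSH_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          port: 22
          # NOTE(review): no `fingerprint` input is set, so the remote host
          # key is not checked before credentials are sent. Store the host's
          # SHA256 key fingerprint as a secret and pass it via `fingerprint`.
          # Names of the env vars above that are forwarded to the remote shell.
          envs: VAULT_PASS,DEPLOY_PATH
          # The vault password is written to a private temp file that the EXIT
          # trap removes even when `set -e` aborts the script. The file mode is
          # restricted before the secret is written, not after.
          script: |
            bash -c '
              set -e
              cd "$DEPLOY_PATH"
              VAULT_FILE="$(mktemp)"
              trap "rm -f \"$VAULT_FILE\"" EXIT
              chmod 600 "$VAULT_FILE"
              printf "%s" "$VAULT_PASS" > "$VAULT_FILE"
              ansible-playbook ansible/deploy.yml -i ansible/hosts.ini --vault-password-file "$VAULT_FILE"
            '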