#!/usr/bin/env bash
# Install ProxyHawk Guard GitHub Actions workflows into the current repo.
# Runner binary is downloaded at CI runtime from ProxyHawk API (not npm).
#
#   curl -fsSL https://proxyhawk.io/guard-ci/install.sh | bash
#
set -euo pipefail

BASE="${PROXYHAWK_GUARD_CI_BASE:-https://proxyhawk.io/guard-ci}"
WF=".github/workflows"

mkdir -p "$WF"

for f in deploy.yml check.yml deploy-wait.yml guard-post-backend-deploy.yml guard-deploy-pr-check.yml; do
  echo "→ $WF/$f"
  curl -fsSL "${BASE}/workflows/${f}" -o "${WF}/${f}"
done

cat <<'EOF'

✓ Installed Guard CI workflow files.

NEXT STEPS (in order):
  1. git add .github/workflows/
     git commit -m "Add ProxyHawk Guard CI workflows"
     git push

  2. Edit .github/workflows/ci.yml — add guard-checkpoint job AFTER your deploy job.
     It must call: uses: ./.github/workflows/check.yml
     Set health_path to your API (/api/health or /health).

  3. GitHub repo → Settings → Secrets and variables → Actions:
     Variable  STAGING_API_URL = https://your-api.example.com
     Secret    STAGING_DEPLOY_HOOK (if CI deploys)
     Secret    PROXYHAWK_API_EMAIL + PROXYHAWK_API_PASSWORD

  4. Mac app: Session routing = staging, Save deploy checkpoint for this repo.

Full guide: https://proxyhawk.io/docs/guard-ci-existing-pipeline.html
EOF