{{- if .Values.enabled }}
{{- if and (and .Values.provisioning.enabled .Values.persistence.enabled) .Values.persistence.mount }}
{{- $name := include "gitea.workername" (dict "global" . "worker" "actions-token-job") }}
{{- $secretName := include "gitea.workername" (dict "global" . "worker" "actions-token") }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ $name }}
  namespace: {{ .Values.namespace | default .Release.Namespace }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.provisioning.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
    app.kubernetes.io/component: token-job
  annotations:
    {{- with .Values.provisioning.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  ttlSecondsAfterFinished: {{ .Values.provisioning.ttlSecondsAfterFinished }}
  template:
    metadata:
      labels:
        {{- include "gitea.labels" . | nindent 8 }}
        {{- with .Values.provisioning.labels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        app.kubernetes.io/component: token-job
    spec:
      initContainers:
        - name: init-gitea
          image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
          command:
            - sh
            - -c
            - |
              while ! nc -z {{ include "gitea.act_runner.nc" . }}; do
                sleep 5
              done
      containers:
        - name: actions-token-create
          image: "{{ include "gitea.image" . }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          env:
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
          command:
            - sh
            - -c
            - |
              echo "Generating act_runner token via 'gitea actions generate-runner-token'..."
              mkdir -p /data/actions/
              gitea actions generate-runner-token | grep -E '^.{40}$' | tr -d '\n' > /data/actions/token
          resources:
            {{- toYaml .Values.provisioning.resources | nindent 12 }}
          volumeMounts:
            - name: data
              mountPath: /data
              {{- if .Values.persistence.subPath }}
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
        - name: actions-token-upload
          image: "{{ .Values.provisioning.publish.repository }}:{{ .Values.provisioning.publish.tag }}"
          imagePullPolicy: {{ .Values.provisioning.publish.pullPolicy }}
          env:
            - name: SECRET_NAME
              value: {{ $secretName }}
          command:
            - sh
            - -c
            - |
              printf "Checking rights to update kubernetes act_runner secret..."
              kubectl auth can-i update secret/${SECRET_NAME}
              /scripts/token.sh
          resources:
            {{- toYaml .Values.provisioning.resources | nindent 12 }}
          volumeMounts:
            - mountPath: /scripts
              name: scripts
              readOnly: true
            - mountPath: /data
              name: data
              readOnly: true
              {{- if .Values.persistence.subPath }}
              subPath: {{ .Values.persistence.subPath }}
              {{- end }}
      {{- range $key, $value := .Values.provisioning.nodeSelector }}
      nodeSelector:
        {{ $key }}: {{ $value | quote }}
      {{- end }}
      {{- with .Values.provisioning.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.provisioning.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      restartPolicy: Never
      serviceAccount: {{ $name }}
      volumes:
        - name: scripts
          configMap:
            name: {{ include "gitea.fullname" . }}-scripts
            defaultMode: 0755
        - name: data
          persistentVolumeClaim:
            claimName: {{ .Values.persistence.claimName }}
  parallelism: 1
  completions: 1
  backoffLimit: 1
{{- end }}
{{- end }}