#!/usr/bin/env bash

set -euo pipefail;

readonly REPO={{ repo | quote }};
readonly DEST={{ dest | quote }};
readonly DEST_USER={{ owner | quote }};
readonly DEST_GROUP={{ group | quote }};
readonly PREFIX={{ tag_prefix | quote }};
readonly GPG_FINGERPRINT={{ gpg_fingerprint | quote }};

cd "$DEST";

if [ ! -d .git ]; then
  git clone --recurse-submodules "$REPO" "$DEST";
fi
git remote set-url origin "$REPO";

[ -z "$GPG_FINGERPRINT" ] ||
  gpg --quiet --keyserver eu.pool.sks-keyservers.net --recv "$GPG_FINGERPRINT";

git fetch --recurse-submodules --tags > /dev/null;
TAG=$(git tag --list | grep "^$PREFIX" | sort -r | head -n 1);
if [ -z "$GPG_FINGERPRINT" ] || (git verify-tag --raw "$TAG" 2>&1 | grep --fixed-strings " VALIDSIG $GPG_FINGERPRINT ") > /dev/null; then
  git reset --quiet --hard --recurse-submodules;
  git checkout --quiet --recurse-submodules "$TAG";
  chown --recursive "$DEST_USER:$DEST_GROUP" .;
  if ! sh -c {{ reload_command | default('true') | quote }}; then
    echo "Reload command failed" >&2;
    exit 2;
  fi
else
  echo "Invalid or missing signature for $TAG" >&2;
  exit 1;
fi