name: Fetch Encrypted Secrets

on:
  workflow_call:
    inputs:
      zip_url_json:
        required: true
        type: string

jobs:
  download-zip:
    runs-on: ubuntu-latest
    steps:
      - name: Download with Retry
        shell: python
        run: |
          import requests
          import json
          import time

          input_data = json.loads('${{ inputs.zip_url_json }}')
          url = f"{input_data['url']}/get_zip?filename={input_data['file']}"
          
          for attempt in range(5):
              try:
                  print(f"Downloading (Attempt {attempt + 1})...")
                  r = requests.get(url, timeout=20)
                  r.raise_for_status()
                  with open('secrets.zip', 'wb') as f:
                      f.write(r.content)
                  break
              except Exception as e:
                  if attempt < 4:
                      time.sleep(5 * (2 ** attempt))
                  else: raise e

      - name: Upload Encrypted Artifact
        uses: actions/upload-artifact@v4
        with:
          name: encrypted-secrets-zip
          path: secrets.zip
          retention-days: 1