name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

env:
  PYTHON_VERSION: "3.12"
  AI_ENABLED: "false"
  OCR_ENABLED: "false"
  DATABASE_URL: "sqlite+aiosqlite:///./test.db"
  ADMIN_API_KEY: "ci-test-key"
  JWT_SECRET_KEY: "ci-secret"

jobs:
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install dependencies
        run: |
          pip install --upgrade pip
          pip install ruff mypy types-aiofiles pydantic

      - name: Ruff check
        run: ruff check app/ tests/

      - name: Ruff format check
        run: ruff format --check app/ tests/

      - name: Mypy
        run: mypy app/ --ignore-missing-imports
        continue-on-error: true

  test:
    name: Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install system deps
        run: |
          sudo apt-get update
          sudo apt-get install -y tesseract-ocr tesseract-ocr-fra

      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -r requirements.txt
          pip install pytest pytest-asyncio pytest-cov

      - name: Run tests
        run: |
          python -m pytest tests/ -v --tb=short --cov=app --cov-report=term-missing

      - name: Upload coverage
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: htmlcov/

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Install ruff
        run: pip install ruff

      - name: Bandit security scan via ruff
        run: ruff check app/ --select S --statistics

  docker:
    name: Docker Build
    runs-on: ubuntu-latest
    needs: test
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t shaarli-backend:ci .

      - name: Verify container starts
        run: |
          docker run -d --name ci-test \
            -e AI_ENABLED=false \
            -e OCR_ENABLED=false \
            -e DATABASE_URL=sqlite+aiosqlite:///./test.db \
            -e ADMIN_API_KEY=test \
            -e JWT_SECRET_KEY=test \
            shaarli-backend:ci
          sleep 3
          docker logs ci-test
          docker stop ci-test