# ObsiGate CI/CD Pipeline
# Runs on every push and pull request to main
#
# Supply-chain note: third-party actions are referenced by mutable major-version
# tags (@v4, @v5). Pinning each `uses:` to a full commit SHA (with the tag in a
# trailing comment) removes the ability of a compromised tag to change what runs.
# Least-privilege note: no top-level `permissions:` block is set, so GITHUB_TOKEN
# receives the repository default. None of these jobs write to the repo, so
# `permissions: { contents: read }` at the top level is the safe setting.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # ── Lint ──────────────────────────────────────────────────────────
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: |
          pip install ruff mypy
          pip install -r backend/requirements.txt
      - name: Ruff (linter)
        run: ruff check backend/
      # Advisory only: the `|| echo` swallows mypy's non-zero exit, so new type
      # errors never fail the job. Tighten once the pre-existing issues are fixed.
      - name: Mypy (type checker)
        run: mypy backend/ --ignore-missing-imports || echo "mypy found type errors (advisory — 28 pre-existing issues)"
      # These steps rely on the Node.js preinstalled on ubuntu-latest; there is
      # no actions/setup-node step, so the Node version is whatever the runner ships.
      - name: Frontend validation
        run: node tests/frontend/validate-imports.mjs
      - name: Frontend unit tests
        run: node tests/frontend/unit.test.mjs

  # ── Tests ─────────────────────────────────────────────────────────
  test:
    needs: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: |
          pip install pytest pytest-cov pytest-asyncio httpx
          pip install -r backend/requirements.txt
      - name: Run tests
        run: pytest tests/ --cov=backend --cov-report=xml --cov-report=term -q
      # upload-artifact@v3 is deprecated and no longer accepted by GitHub-hosted
      # runners; v4 takes the same name/path/retention-days inputs.
      - name: Upload coverage artifact
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: coverage.xml
          retention-days: 30

  # ── Security scan ─────────────────────────────────────────────────
  # Note: this job is not in the `needs:` chain of `build`, so a failing scan
  # does not stop the image from being built.
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: |
          pip install bandit pip-audit
          pip install -r backend/requirements.txt
      # Intended as "use the pyproject.toml bandit config if present, else run with
      # B101 (assert) skipped". Because `||` also fires when the configured scan
      # exits non-zero on findings, the fallback scan's result is the verdict in
      # that case, and stderr from the first run is discarded.
      - name: Bandit (SAST)
        run: bandit -r backend/ -c pyproject.toml 2>/dev/null || bandit -r backend/ --skip B101
      # Audits the installed environment (requirements plus the scanner tools).
      # Non-blocking: known-vulnerable dependencies are reported but do not fail CI.
      - name: Pip-audit (dependency vulnerabilities)
        run: pip-audit || echo "pip-audit found vulnerabilities (non-blocking)"

  # ── Docker build ──────────────────────────────────────────────────
  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build Docker image
        run: docker build -t obsigate:ci .
      - name: Verify image
        run: docker images obsigate:ci