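---
# CI pipeline: pre-commit checks, Python tests, Dockerfile lint, image build +
# Trivy scan (SARIF uploaded to the Security tab), and docker-compose validation.
# Triggered on pushes and pull requests targeting main.
name: CI

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Least-privilege default for GITHUB_TOKEN across all jobs; the one job that
# needs more (SARIF upload -> security-events: write) widens it explicitly.
permissions:
  contents: read

jobs:
  pre-commit:
    name: Pre-commit checks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full clone; presumably for hooks that inspect history — confirm
          # a hook actually needs it, otherwise drop for a faster checkout.
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install tooling
        run: |
          python -m pip install --upgrade pip
          pip install pre-commit
          # Install backend deps only when the file exists. A real install
          # failure must fail the job rather than be hidden by `|| true`.
          if [ -f backend/requirements.txt ]; then
            pip install -r backend/requirements.txt
          fi
          pip install pytest

      - name: Run pre-commit hooks
        run: pre-commit run --all-files

  test:
    name: Run tests
    needs: pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # Same guard as in pre-commit: missing file is tolerated, a failing
          # install is not (tests would otherwise run against missing deps).
          if [ -f backend/requirements.txt ]; then
            pip install -r backend/requirements.txt
          fi
          pip install pytest

      - name: Run tests
        run: |
          if [ -d backend/tests ]; then
            pytest -q
          else
            echo "No tests found"
          fi

  docker-lint:
    name: Docker Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Hadolint on backend Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: backend/Dockerfile
          # DL3045 suppressed for both Dockerfiles; keep the two lists in sync.
          ignore: DL3045

      - name: Run Hadolint on frontend Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: frontend/Dockerfile
          ignore: DL3045

  build-and-scan:
    name: Build and Scan Docker Images
    needs: docker-lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by upload-sarif to write to the Security tab.
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Images are built locally (push: false, load: true) so the scanner can
      # read them from the runner's Docker daemon; nothing leaves the runner.
      - name: Build backend image
        uses: docker/build-push-action@v5
        with:
          context: ./backend
          file: ./backend/Dockerfile
          push: false
          load: true
          tags: backend:latest

      - name: Build frontend image
        uses: docker/build-push-action@v5
        with:
          context: ./frontend
          file: ./frontend/Dockerfile
          push: false
          load: true
          tags: frontend:latest

      # TODO(review): `@master` is a mutable ref — a third-party action pinned
      # this way can change (or be compromised) between runs. Pin to a release
      # tag or, better, a full commit SHA (e.g. `@<release-tag-or-sha>`), here
      # and in the frontend scan step below.
      # No `exit-code` input is set, so findings are reported via SARIF but
      # never fail this job; set one if the scan is meant to gate merges.
      - name: Scan backend with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: backend:latest
          format: sarif
          output: backend-trivy.sarif

      - name: Scan frontend with Trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: frontend:latest
          format: sarif
          output: frontend-trivy.sarif

      # Distinct categories keep the two result sets separate in the Security tab.
      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: backend-trivy.sarif
          category: trivy-backend

      - name: Upload frontend Trivy results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: frontend-trivy.sarif
          category: trivy-frontend

  validate-docker-compose:
    name: Validate Docker Compose
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Validate docker-compose.yml
        run: |
          # Prefer the Compose v2 plugin (`docker compose`); fall back to the
          # legacy v1 binary only where the plugin is unavailable.
          if docker compose version >/dev/null 2>&1; then
            docker compose -f docker-compose.yml config > /dev/null
          else
            docker-compose -f docker-compose.yml config > /dev/null
          fi
        # NOTE(review): this makes the step non-blocking, so an invalid compose
        # file still yields a green job. Drop it once the file validates cleanly.
        continue-on-error: true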