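---
# CI pipeline: lint -> test -> build, with an independent vulnerability scan
# that also gates the build, then a summary notification.
# Triggers: pushes to any branch except main, and pull requests into main.
# The `gitea` context (gitea.sha) is used below, so this targets Gitea Actions;
# behaviour under GitHub Actions is noted where it is known to differ.
name: CI Pipeline

# yamllint disable-line rule:truthy
on:
  push:
    branches-ignore: [main]
  pull_request:
    branches: [main]

# Least privilege for the job token: nothing in this workflow writes to the
# repository (no tags, pushes, releases or PR comments). Gitea may ignore this
# key; it is harmless there and required hygiene on GitHub.
permissions:
  contents: read

env:
  # Single source of truth for the toolchain so lint, scan, test and build all
  # run on the same Go release (the scan previously used 1.23 while the build
  # used 1.24.3, so vulnerability findings did not reflect what shipped).
  GO_VERSION: '1.24.3'

jobs:
  lint:
    name: Lint
    # NOTE(review): on GitHub Actions the `secrets` context is not available in
    # `runs-on`; this relies on Gitea evaluating it. A runner label is not
    # secret material - `vars.RUNNER_LABEL` would be the conventional home.
    runs-on: ${{ secrets.RUNNER_LABEL || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: go.sum

      - name: Cache golangci-lint
        uses: actions/cache@v4
        with:
          path: ~/.cache/golangci-lint
          key: ${{ runner.os }}-golangci-lint-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-golangci-lint-

      - name: Lint
        uses: golangci/golangci-lint-action@v6
        with:
          # `latest` is unpinned: lint results can change between runs with no
          # code change, and the linter binary is resolved at run time. Pin to
          # an explicit release once the team has chosen one.
          version: latest
          args: --timeout=15m

      - name: Notify on failure
        if: failure()
        run: echo "::warning::Linting failed. Please fix code style issues."

  security_scan:
    name: Security Scan
    runs-on: ${{ secrets.RUNNER_LABEL || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: go.sum

      - name: Run Go Vulnerability Check
        uses: golang/govulncheck-action@v1
        with:
          # The action provisions its own Go toolchain independently of the
          # setup-go step above; keep it on the release the build uses so the
          # scan covers the stdlib/toolchain that actually ships.
          go-version-input: ${{ env.GO_VERSION }}
          go-package: ./...

      - name: Notify on security issues
        if: failure()
        run: echo "::error::Security vulnerabilities detected. Please review dependencies."

  test:
    name: Test
    runs-on: ${{ secrets.RUNNER_LABEL || 'ubuntu-latest' }}
    needs: lint
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: go.sum

      - name: Install go-junit-report
        # `@latest` resolves at run time, so the tool that produces the report
        # can change underneath CI. Pin to a tagged release for reproducibility.
        run: go install github.com/jstemmer/go-junit-report@latest

      - name: Test
        # The `go test ... | tee` pipeline must stay on one line: a leading `|`
        # on a continuation line is a bash syntax error. pipefail is set
        # explicitly so a failing `go test` is not masked by `tee` exiting 0.
        run: |
          set -o pipefail
          go test -v -race -coverprofile=coverage.txt -covermode=atomic ./... | tee test-output.log
          go tool cover -func=coverage.txt

      - name: Generate test report
        if: always()
        run: go-junit-report < test-output.log > junit-report.xml

      - name: Upload coverage
        uses: codecov/codecov-action@v3
        with:
          # Name the profile written by the test step rather than relying on
          # auto-discovery.
          files: ./coverage.txt

      - name: Upload test report
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: test-reports
          path: junit-report.xml

  build:
    name: Build
    runs-on: ${{ secrets.RUNNER_LABEL || 'ubuntu-latest' }}
    needs: [test, security_scan]
    steps:
      - uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: go.sum

      - name: Build
        # Pass the commit SHA through an environment variable instead of
        # interpolating `${{ ... }}` directly into the script; that is the
        # pattern that keeps shell commands free of expression injection, even
        # though a SHA itself is only hex.
        env:
          GIT_SHA: ${{ gitea.sha }}
        run: |
          APP_VERSION="dev-${GIT_SHA}"
          go build -v -ldflags="-s -w -X main.version=${APP_VERSION}" -o ./bin/app ./cmd/app

      - name: Upload build artifact
        uses: actions/upload-artifact@v3
        with:
          name: app-binary
          # Must match the `-o` path of the build step. The previous value
          # (./bin/api) is never produced, so the artifact upload had nothing
          # to collect.
          path: ./bin/app

      - name: Notify on success
        if: success()
        run: echo "::notice::Build successful. Ready for review and testing."

  notify:
    name: Notification
    runs-on: ${{ secrets.RUNNER_LABEL || 'ubuntu-latest' }}
    needs: [lint, test, security_scan, build]
    # Runs even when an upstream job failed so the summary is always emitted.
    if: always()
    steps:
      - name: Notify result
        env:
          BUILD_RESULT: ${{ needs.build.result }}
        run: |
          if [[ "${BUILD_RESULT}" == "success" ]]; then
            echo "::notice::CI Pipeline completed successfully. Branch is ready for review."
          else
            echo "::warning::CI Pipeline failed. Please check the logs for details."
          fi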