name: Build and Deploy

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

env:
  # Use environment variables for registry configuration
  REGISTRY: ${{ vars.GITEA_REGISTRY || secrets.GITEA_REGISTRY || 'ghcr.io' }}
  IMAGE_NAME: ${{ gitea.repository }}

jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        if: gitea.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.GITEA_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,prefix={{branch}}-

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: ./docker
          platforms: linux/amd64,linux/arm64
          push: ${{ gitea.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            VITE_COUCHDB_URL=${{ vars.VITE_COUCHDB_URL || 'http://localhost:5984' }}
            VITE_COUCHDB_USER=${{ vars.VITE_COUCHDB_USER || 'admin' }}
            VITE_COUCHDB_PASSWORD=${{ secrets.VITE_COUCHDB_PASSWORD || 'change-this-secure-password' }}
            APP_BASE_URL=${{ vars.APP_BASE_URL || 'http://localhost:8080' }}
            VITE_GOOGLE_CLIENT_ID=${{ vars.VITE_GOOGLE_CLIENT_ID || '' }}
            VITE_GITHUB_CLIENT_ID=${{ vars.VITE_GITHUB_CLIENT_ID || '' }}
            NODE_ENV=production
          cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
          cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max

      - name: Build with Bake (Alternative)
        if: false # Set to true to use bake instead
        uses: docker/bake-action@v4
        with:
          workdir: ./docker
          files: docker-bake.hcl
          targets: prod
          push: ${{ gitea.event_name != 'pull_request' }}

  test:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run linting
        run: bun run lint

      - name: Run type checking
        run: bun run type-check

      - name: Run tests
        run: bun run test

      - name: Run integration tests
        run: bun run test:integration

  security:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    if: gitea.event_name == 'pull_request'

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Run security audit
        run: |
          # Install and run security audit tools
          bun audit || true

      - name: Scan Docker image for vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ gitea.sha }}'
          format: 'table'
          exit-code: '0'

  deploy:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    needs: [build, test]
    if: gitea.ref == 'refs/heads/main' && gitea.event_name == 'push'
    environment: production

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Deploy to production
        run: |
          echo "Deploying to production server..."

          # Example deployment script
          # You would typically SSH to your server and update the containers

          # Install kubectl if deploying to Kubernetes
          # curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          # chmod +x kubectl && sudo mv kubectl /usr/local/bin/

          # Or deploy via docker-compose
          # ssh user@server "cd /app && docker-compose pull && docker-compose up -d"

          echo "Deployment placeholder - configure your deployment method"

      - name: Notify deployment status
        if: always()
        run: |
          if [ "${{ job.status }}" == "success" ]; then
            echo "✅ Deployment successful"
            # Send success notification (webhook, email, etc.)
          else
            echo "❌ Deployment failed"
            # Send failure notification
          fi

  cleanup:
    runs-on: ubuntu-latest
    container:
      image: catthehacker/ubuntu:act-latest
    needs: [build, test, deploy]
    if: always() && gitea.ref == 'refs/heads/main'

    steps:
      - name: Cleanup old images
        run: |
          echo "Cleaning up old container images..."
          # Add cleanup logic for old images in registry
          # This helps manage storage costs
          echo "Cleanup placeholder - implement registry cleanup"