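---
# Gitea Actions workflow: HTML lint -> Docker build + smoke test -> image
# vulnerability scan -> Markdown summary.
#
# Runner-provided expressions (${{ ... }}) are handed to shell steps through
# `env:` instead of being interpolated into `run:` script text, so a value such
# as a branch name that contains shell metacharacters is always treated as data
# and never re-parsed as shell code. Shell variables are quoted for the same
# reason.
name: CI Pipeline

on:  # yamllint disable-line rule:truthy
  push:
    branches-ignore:
      - 'renovate/**'
  pull_request:
    branches:
      - dev
      - staging
      - main

# Not referenced by any step on this page; presumably consumed by a separate
# deploy workflow — confirm before removing.
env:
  REGISTRY_URL: ${{ vars.REGISTRY_URL }}
  IMAGE_NAME: ${{ vars.IMAGE_NAME }}

jobs:
  lint:
    name: HTML Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install html-validate
        run: npm install -g html-validate

      # Deliberately non-blocking: validation problems are reported as a
      # notice and never fail the job (so `needs: lint` below always passes).
      - name: Validate HTML
        run: |
          set -euo pipefail
          html-validate src/index.html || true
          echo "::notice::HTML validation completed (non-blocking)"

  build:
    name: Build Docker Image
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ci-buildx-${{ gitea.sha }}
          restore-keys: |
            ci-buildx-

      # The image is only loaded into the local daemon (`--load`); it is never
      # pushed, so later jobs can only see it if they share that daemon.
      - name: Build image
        env:
          GIT_COMMIT: ${{ gitea.sha }}
          GIT_BRANCH: ${{ gitea.ref_name }}
        run: |
          set -euo pipefail
          BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
          docker buildx build \
            --cache-from=type=local,src=/tmp/.buildx-cache \
            --cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max \
            --load \
            --build-arg "APP_VERSION=ci-${GIT_COMMIT}" \
            --build-arg "BUILD_DATE=${BUILD_DATE}" \
            --build-arg "GIT_COMMIT=${GIT_COMMIT}" \
            --build-arg "GIT_BRANCH=${GIT_BRANCH}" \
            -t ci-image:latest \
            .

      # Smoke test: start the image and poll /health for up to 60 s.
      - name: Verify image starts
        env:
          GIT_COMMIT: ${{ gitea.sha }}
          GIT_BRANCH: ${{ gitea.ref_name }}
        run: |
          set -euo pipefail
          # Dump logs and tear the container down; shared by both exit paths.
          cleanup() {
            docker logs ci-test 2>&1 || true
            docker stop ci-test
            docker rm ci-test
          }
          # Remove a container left behind by an earlier run on the same daemon.
          docker stop ci-test || true
          docker rm ci-test || true
          NOW="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
          docker run -d --name ci-test \
            -e APP_ENV=ci \
            -e "APP_VERSION=ci-${GIT_COMMIT}" \
            -e "BUILD_DATE=${NOW}" \
            -e "GIT_COMMIT=${GIT_COMMIT}" \
            -e "GIT_BRANCH=${GIT_BRANCH}" \
            -e "DEPLOY_TIME=${NOW}" \
            -p 8080:80 \
            ci-image:latest
          # 12 attempts x 5 s = the 60 s budget named in the error below.
          for attempt in $(seq 1 12); do
            if curl -sf http://localhost:8080/health > /dev/null 2>&1; then
              echo "::notice::Health check passed"
              cleanup
              exit 0
            fi
            sleep 5
          done
          echo "::error::Health check failed after 60 seconds"
          cleanup
          exit 1

      # Replace the restored cache with the one written by this build so the
      # cache does not grow without bound. Skipped when a previous step failed.
      - name: Move cache
        run: |
          set -euo pipefail
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build
    steps:
      # TODO(review): pin to a release tag or full commit SHA instead of the
      # mutable `master` ref, so the scanner code executed here cannot change
      # underneath the pipeline.
      # NOTE(review): `ci-image:latest` is only present in the build job's local
      # Docker daemon; this assumes both jobs run against the same daemon —
      # confirm on the runner, otherwise export/push the image in `build`.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ci-image:latest
          format: table
          exit-code: 1
          severity: HIGH,CRITICAL
          ignore-unfixed: true

  summary:
    name: Generate Summary
    runs-on: ubuntu-latest
    needs: [lint, build, security-scan]
    if: always()
    steps:
      - name: Create summary
        env:
          LINT_RESULT: ${{ needs.lint.result }}
          BUILD_RESULT: ${{ needs.build.result }}
          SCAN_RESULT: ${{ needs.security-scan.result }}
          GIT_COMMIT: ${{ gitea.sha }}
          GIT_BRANCH: ${{ gitea.ref_name }}
        run: |
          set -euo pipefail
          # NOTE(review): the summary path is taken from the original workflow;
          # confirm it is where this runner version collects step summaries.
          cat << SUMMARY >> "$GITEA_HOME/workflow/summary"
          ## CI Pipeline Results

          | Job | Status |
          |-----|--------|
          | Lint | ${LINT_RESULT} |
          | Build | ${BUILD_RESULT} |
          | Security Scan | ${SCAN_RESULT} |

          **Commit:** ${GIT_COMMIT}
          **Branch:** ${GIT_BRANCH}
          SUMMARY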