breakpilot-compliance/.gitea/workflows/ci.yaml

# Gitea Actions CI/CD Pipeline
# BreakPilot Compliance
#
# Services:
#   Go: ai-compliance-sdk
#   Python: backend-compliance, document-crawler, dsms-gateway
#   Node.js: admin-compliance, developer-portal
#
# Workflow:
#   Push auf main → Tests → Build → Deploy (Hetzner)
#   Pull Request → Lint + Tests (kein Deploy)

name: CI/CD

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

jobs:
  # ========================================
  # Lint (nur bei PRs)
  # ========================================

  go-lint:
    runs-on: docker
    if: github.event_name == 'pull_request'
    container: golangci/golangci-lint:v1.62-alpine
    steps:
      - name: Checkout
        run: |
          apk add --no-cache git
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint ai-compliance-sdk
        run: |
          if [ -d "ai-compliance-sdk" ]; then
            cd ai-compliance-sdk && golangci-lint run --timeout 5m ./...
          fi

  python-lint:
    runs-on: docker
    if: github.event_name == 'pull_request'
    container: python:3.12-slim
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint Python services
        run: |
          pip install --quiet ruff
          for svc in backend-compliance document-crawler dsms-gateway; do
            if [ -d "$svc" ]; then
              echo "=== Linting $svc ==="
              ruff check "$svc/" --output-format=github || true
            fi
          done

  nodejs-lint:
    runs-on: docker
    if: github.event_name == 'pull_request'
    container: node:20-alpine
    steps:
      - name: Checkout
        run: |
          apk add --no-cache git
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Lint Node.js services
        run: |
          for svc in admin-compliance developer-portal; do
            if [ -d "$svc" ]; then
              echo "=== Linting $svc ==="
              cd "$svc"
              npm ci --silent 2>/dev/null || npm install --silent
              npx next lint || true
              cd ..
            fi
          done

  # ========================================
  # Unit Tests
  # ========================================

  test-go-ai-compliance:
    runs-on: docker
    container: golang:1.24-alpine
    env:
      CGO_ENABLED: "0"
    steps:
      - name: Checkout
        run: |
          apk add --no-cache git
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test ai-compliance-sdk
        run: |
          if [ ! -d "ai-compliance-sdk" ]; then
            echo "WARNUNG: ai-compliance-sdk nicht gefunden"
            exit 0
          fi
          cd ai-compliance-sdk
          go test -v -coverprofile=coverage.out ./... 2>&1
          COVERAGE=$(go tool cover -func=coverage.out 2>/dev/null | tail -1 | awk '{print $3}' || echo "0%")
          echo "Coverage: $COVERAGE"

  test-python-backend-compliance:
    runs-on: docker
    container: python:3.12-slim
    env:
      CI: "true"
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test backend-compliance
        run: |
          if [ ! -d "backend-compliance" ]; then
            echo "WARNUNG: backend-compliance nicht gefunden"
            exit 0
          fi
          cd backend-compliance
          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
          pip install --quiet --no-cache-dir fastapi uvicorn pytest pytest-asyncio
          python -m pytest compliance/tests/ -v --tb=short

  test-python-document-crawler:
    runs-on: docker
    container: python:3.12-slim
    env:
      CI: "true"
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test document-crawler
        run: |
          if [ ! -d "document-crawler" ]; then
            echo "WARNUNG: document-crawler nicht gefunden"
            exit 0
          fi
          cd document-crawler
          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
          pip install --quiet --no-cache-dir pytest pytest-asyncio
          python -m pytest tests/ -v --tb=short

  test-python-dsms-gateway:
    runs-on: docker
    container: python:3.12-slim
    env:
      CI: "true"
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Test dsms-gateway
        run: |
          if [ ! -d "dsms-gateway" ]; then
            echo "WARNUNG: dsms-gateway nicht gefunden"
            exit 0
          fi
          cd dsms-gateway
          export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
          pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
          pip install --quiet --no-cache-dir pytest pytest-asyncio
          python -m pytest test_main.py -v --tb=short

  # ========================================
  # Validate Canonical Controls
  # ========================================

  validate-canonical-controls:
    runs-on: docker
    container: python:3.12-slim
    steps:
      - name: Checkout
        run: |
          apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
          git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
      - name: Validate controls
        run: |
          python scripts/validate-controls.py

  # ========================================
  # Build & Deploy auf Hetzner (nur main, kein PR)
  # ========================================

  deploy-hetzner:
    runs-on: docker
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs:
      - test-go-ai-compliance
      - test-python-backend-compliance
      - test-python-document-crawler
      - test-python-dsms-gateway
      - validate-canonical-controls
    container: docker:27-cli
    steps:
      - name: Deploy
        run: |
          set -euo pipefail
          DEPLOY_DIR="/opt/breakpilot-compliance"
          COMPOSE_FILES="-f docker-compose.yml -f docker-compose.hetzner.yml"
          COMMIT_SHA="${GITHUB_SHA:-unknown}"
          SHORT_SHA="${COMMIT_SHA:0:8}"
          REPO_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"

          echo "=== BreakPilot Compliance Deploy ==="
          echo "Commit: ${SHORT_SHA}"
          echo "Deploy Dir: ${DEPLOY_DIR}"
          echo ""

          # Der Runner laeuft in einem Container mit Docker-Socket-Zugriff,
          # hat aber KEINEN direkten Zugriff auf das Host-Dateisystem.
          # Loesung: Alpine-Helper-Container mit Host-Bind-Mount fuer Git-Ops.

          # 1. Repo auf dem Host erstellen/aktualisieren via Helper-Container
          echo "=== Updating code on host ==="
          docker run --rm \
            -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \
            --entrypoint sh \
            alpine/git:latest \
            -c "
              if [ ! -d '${DEPLOY_DIR}/.git' ]; then
                echo 'Erstmaliges Klonen nach ${DEPLOY_DIR}...'
                git clone '${REPO_URL}' '${DEPLOY_DIR}'
              else
                cd '${DEPLOY_DIR}'
                git fetch origin main
                git reset --hard origin/main
              fi
            "
          echo "Code aktualisiert auf ${SHORT_SHA}"

          # 2. .env sicherstellen (muss einmalig manuell angelegt werden)
          docker run --rm -v "${DEPLOY_DIR}:${DEPLOY_DIR}" alpine \
            sh -c "
              if [ ! -f '${DEPLOY_DIR}/.env' ]; then
                echo 'WARNUNG: ${DEPLOY_DIR}/.env fehlt!'
                echo 'Bitte einmalig auf dem Host anlegen.'
                echo 'Deploy wird fortgesetzt (Services starten ggf. mit Defaults).'
              else
                echo '.env vorhanden'
              fi
            "

          # 3. Build + Deploy via Helper-Container mit Docker-Socket + Deploy-Dir
          # docker compose muss die YAML-Dateien lesen koennen, daher
          # alles in einem Container mit beiden Mounts ausfuehren.
          echo ""
          echo "=== Building + Deploying ==="
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \
            -w "${DEPLOY_DIR}" \
            docker:27-cli \
            sh -c "
              COMPOSE_FILES='-f docker-compose.yml -f docker-compose.hetzner.yml'

              echo '=== Building Docker Images ==='
              docker compose \${COMPOSE_FILES} build --parallel \
                admin-compliance \
                backend-compliance \
                ai-compliance-sdk \
                developer-portal

              echo ''
              echo '=== Starting containers ==='
              docker compose \${COMPOSE_FILES} up -d --remove-orphans \
                admin-compliance \
                backend-compliance \
                ai-compliance-sdk \
                developer-portal

              echo ''
              echo '=== Health Checks ==='
              sleep 10
              for svc in bp-compliance-admin bp-compliance-backend bp-compliance-ai-sdk bp-compliance-developer-portal; do
                STATUS=\$(docker inspect --format='{{.State.Status}}' \"\${svc}\" 2>/dev/null || echo 'not found')
                echo \"\${svc}: \${STATUS}\"
              done
            "

          echo ""
          echo "=== Deploy abgeschlossen: ${SHORT_SHA} ==="