# CI for TypeScript / Next.js services. Copy to .gitea/workflows/ci.yaml in the repo.
name: ci

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  shared:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }

      - name: commitlint (PR only)
        if: github.event_name == 'pull_request'
        uses: wagoid/commitlint-github-action@v6

      - name: gitleaks
        uses: gitleaks/gitleaks-action@v2

      - name: trivy fs scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          severity: HIGH,CRITICAL
          exit-code: 1

  test:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with: { version: 9 }

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: pnpm

      - run: pnpm install --frozen-lockfile

      - run: pnpm lint
      - run: pnpm typecheck
      - run: pnpm test --coverage

      - name: coverage gate
        run: |
          node -e "const c=require('./coverage/coverage-summary.json').total.lines.pct; if (c<70) { console.error('coverage', c, '< 70%'); process.exit(1) }"

      - run: pnpm build

  e2e:
    needs: test
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with: { version: 9 }
      - uses: actions/setup-node@v4
        with: { node-version: '20', cache: pnpm }
      - run: pnpm install --frozen-lockfile
      - run: pnpm exec playwright install --with-deps chromium
      - name: e2e against stage
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: pnpm e2e
        env:
          PLAYWRIGHT_BASE_URL: https://stage.yourplatform.com
          PLAYWRIGHT_TEST_USER: ${{ secrets.STAGE_TEST_USER }}
          PLAYWRIGHT_TEST_PASS: ${{ secrets.STAGE_TEST_PASS }}

  image:
    needs: [shared, test]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: registry.yourplatform.com
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASS }}
      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: |
            registry.yourplatform.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
            registry.yourplatform.com/${{ github.event.repository.name }}:env-stage
      - uses: anchore/sbom-action@v0
        with:
          image: registry.yourplatform.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
      - run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
        env:
          ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}