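# CI pipeline: code-quality checks, then tests, then a deploy trigger.
#
# Runs for pushes to any branch and for pull requests that target main.
# The dependency audit and the deploy job are restricted to refs/heads/main.
name: CI

on:
  push:
    branches:
      - "**"
  pull_request:
    branches:
      - main

env:
  CARGO_TERM_COLOR: always
  # Every rustc warning becomes a build error in all jobs.
  RUSTFLAGS: "-D warnings"

# Cancel in-progress runs for the same branch/PR
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # ---------------------------------------------------------------------------
  # Stage 1: Code quality checks (run in parallel)
  # ---------------------------------------------------------------------------
  fmt:
    name: Format
    runs-on: docker
    container:
      image: rust:1.89-bookworm
    steps:
      # Manual shallow checkout of exactly the commit that triggered the run.
      - name: Checkout
        run: |
          git init
          git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout FETCH_HEAD
      - run: rustup component add rustfmt
      - run: cargo fmt --check

  clippy:
    name: Clippy
    runs-on: docker
    container:
      image: rust:1.89-bookworm
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout FETCH_HEAD
      - run: rustup component add clippy
      # Lint both feature sets independently
      - name: Clippy (server)
        run: cargo clippy --features server --no-default-features -- -D warnings
      - name: Clippy (web)
        run: cargo clippy --features web --no-default-features -- -D warnings

  audit:
    name: Security Audit
    runs-on: docker
    # Only main is audited, so branches and pull requests get no advisory
    # check on their dependency changes before merge.
    if: github.ref == 'refs/heads/main'
    container:
      image: rust:1.89-bookworm
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout FETCH_HEAD
      # --locked builds the tool against the lockfile shipped with the crate
      # instead of re-resolving its dependency tree on every run.
      - run: cargo install cargo-audit --locked
      - run: cargo audit

  # ---------------------------------------------------------------------------
  # Stage 2: Tests (only after all quality checks pass)
  # ---------------------------------------------------------------------------
  test:
    name: Tests
    runs-on: docker
    needs: [fmt, clippy, audit]
    # `audit` is skipped everywhere except main, and a job with a skipped
    # dependency is itself skipped unless it carries its own condition.
    # Without this line the tests would never run on branches or pull
    # requests. A failed or cancelled dependency still blocks the job.
    # NOTE(review): GitHub Actions semantics; confirm on this runner.
    if: ${{ !failure() && !cancelled() }}
    container:
      image: rust:1.89-bookworm
    steps:
      - name: Checkout
        run: |
          git init
          git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout FETCH_HEAD
      - name: Run tests (server)
        run: cargo test --features server --no-default-features
      - name: Run tests (web)
        run: cargo test --features web --no-default-features

  # ---------------------------------------------------------------------------
  # Stage 3: Deploy (only after tests pass, only on main)
  # ---------------------------------------------------------------------------
  deploy:
    name: Deploy
    runs-on: docker
    needs: [test]
    if: github.ref == 'refs/heads/main'
    container:
      # NOTE(review): `latest` is a mutable tag and this job holds the deploy
      # credentials; pin the image to a fixed release tag or digest.
      image: alpine:latest
    steps:
      - name: Trigger Coolify deploy
        # Secrets reach the script as environment variables rather than being
        # templated into its text, so characters in a secret value (quotes,
        # `$`, backticks) are never parsed as shell syntax.
        env:
          COOLIFY_WEBHOOK: ${{ secrets.COOLIFY_WEBHOOK }}
          COOLIFY_TOKEN: ${{ secrets.COOLIFY_TOKEN }}
        run: |
          apk add --no-cache curl
          curl -sf "${COOLIFY_WEBHOOK}" \
            -H "Authorization: Bearer ${COOLIFY_TOKEN}"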