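# Quality Gate: lints, tests and builds the web and mobile apps on pushes and
# pull requests to main/develop (or on manual dispatch), then runs
# informative, non-blocking security checks.
name: Quality Gate

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: every job below only reads repository
# contents, so nothing broader than read access is granted.
permissions:
  contents: read

jobs:
  # ========================================
  # WEB APP - BUILD, LINT & TEST
  # ========================================
  web:
    name: Web App
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so the token is not left in
          # .git/config where dependency install/test scripts could read it.
          persist-credentials: false

      # No `ref` is given, so this tracks the default branch of the external
      # repository; its content can change between runs.
      - name: Checkout Pezkuwi-SDK (for docs generation)
        uses: actions/checkout@v4
        with:
          repository: pezkuwichain/pezkuwi-sdk
          path: Pezkuwi-SDK
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      # The restore-keys prefix can restore a node_modules tree built from a
      # different lockfile; the install step below reconciles it.
      - name: Cache npm dependencies
        uses: actions/cache@v4
        with:
          path: web/node_modules
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-web-

      # NOTE(review): `npm install` may resolve versions that differ from
      # package-lock.json; `npm ci` installs exactly what the lockfile
      # records. Consider switching (and caching ~/.npm instead of
      # node_modules, which `npm ci` removes before installing).
      - name: Install dependencies
        working-directory: ./web
        run: npm install

      - name: Run Linter
        working-directory: ./web
        run: npm run lint

      - name: Run Tests
        working-directory: ./web
        run: npm run test

      - name: Build Project
        working-directory: ./web
        run: npm run build

  # ========================================
  # MOBILE APP - LINT & TEST
  # ========================================
  mobile:
    name: Mobile App
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Same reasoning as the web job: keep the token out of .git/config.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Cache npm dependencies
        uses: actions/cache@v4
        with:
          path: mobile/node_modules
          key: ${{ runner.os }}-mobile-${{ hashFiles('mobile/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-mobile-

      # NOTE(review): same lockfile caveat as the web job; `npm ci` also
      # accepts --legacy-peer-deps.
      - name: Install dependencies
        working-directory: ./mobile
        run: npm install --legacy-peer-deps

      - name: Run Linter
        working-directory: ./mobile
        run: npm run lint

      - name: Run Tests
        working-directory: ./mobile
        run: npm run test

  # ========================================
  # SDK UI - BUILD & TEST (SKIPPED - uses root workspace)
  # ========================================
  # sdk-ui:
  #   name: SDK UI
  #   runs-on: ubuntu-latest
  #   # SDK UI requires the root yarn workspace, skipping for now
  #   if: false
  #

  # ========================================
  # SECURITY CHECKS (INFORMATIVE)
  # ========================================
  # Runs only after both app jobs succeed. Every check sets
  # continue-on-error, so findings are reported in the logs but never fail
  # the workflow; read the step output rather than the job status.
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    needs: [web, mobile]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so the secret scan can walk the pushed/PR commit
          # range instead of a single shallow commit.
          fetch-depth: 0
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      # NOTE(review): `npm install` can rewrite package-lock.json before the
      # audit runs, so the audited tree may differ from the committed one.
      - name: Web - npm audit
        working-directory: ./web
        continue-on-error: true
        run: |
          npm install
          npm audit --audit-level=high

      - name: Mobile - npm audit
        working-directory: ./mobile
        continue-on-error: true
        run: |
          npm install
          npm audit --audit-level=high

      # NOTE(review): `@main` is a mutable ref, so the code executed here can
      # change without any change to this file. Pin to a reviewed full commit
      # SHA and update it deliberately.
      - name: TruffleHog Secret Scan
        continue-on-error: true
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          extra_args: --only-verified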