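---
# GitHub Actions workflow: lint/test/build the web and mobile apps, run a
# blocking security audit, and deploy the web build to the VPS on pushes to main.
#
# Security notes for maintainers:
#   * GITHUB_TOKEN is read-only workflow-wide; only `deploy` requests
#     contents:write (needed for the version-bump commit). Keep that here
#     rather than relying on the repository's default token permissions.
#   * The Supabase values are scoped to the single build step that needs them
#     instead of being exported as workflow-level env, which would hand them to
#     every step of every job — including third-party actions.
#   * Third-party actions should be pinned to a full-length commit SHA rather
#     than a tag or branch; `trufflehog@main` in particular is a mutable ref.
name: Quality Gate & Deploy

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: jobs are read-only unless they override.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  # Cancel superseded PR/develop runs, but never abort an in-flight run on main:
  # the deploy job pushes a version-bump commit and then copies files to the
  # VPS, and cancelling between those two steps leaves repo and server out of
  # sync.
  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}

jobs:
  # ========================================
  # WEB APP - LINT, TEST & BUILD
  # ========================================
  web:
    name: Web App
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Checkout Pezkuwi-SDK (for docs generation)
        uses: actions/checkout@v4
        with:
          repository: pezkuwichain/pezkuwi-sdk
          path: Pezkuwi-SDK

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          # Cache the npm download cache keyed on the lockfile. This is the
          # `npm ci`-compatible replacement for caching node_modules directly
          # (`npm ci` wipes node_modules before installing, so that cache was
          # never reused).
          cache: npm
          cache-dependency-path: web/package-lock.json

      # `npm ci` installs exactly what package-lock.json pins and fails if the
      # lockfile and package.json disagree, so the build is reproducible and a
      # dependency change is a visible, reviewable lockfile diff.
      - name: Install dependencies
        working-directory: ./web
        run: npm ci

      - name: Run Linter
        working-directory: ./web
        run: npm run lint

      - name: Run Tests
        working-directory: ./web
        run: npm run test

      - name: Build Project
        working-directory: ./web
        run: npm run build
        env:
          # Scoped to this step only. Vite inlines VITE_* values into the
          # public client bundle, so nothing listed here may be a server-side
          # secret; the Supabase anon key and WalletConnect project id are
          # client-side identifiers by design.
          # NOTE: on pull_request events from forks GitHub does not expose
          # repository secrets, so these two resolve to empty strings there.
          VITE_SUPABASE_URL: ${{ secrets.VITE_SUPABASE_URL }}
          VITE_SUPABASE_ANON_KEY: ${{ secrets.VITE_SUPABASE_ANON_KEY }}
          VITE_NETWORK: MAINNET
          VITE_WS_ENDPOINT: wss://rpc.pezkuwichain.io
          VITE_WS_ENDPOINT_FALLBACK_1: wss://mainnet.pezkuwichain.io
          VITE_ASSET_HUB_ENDPOINT: wss://asset-hub-rpc.pezkuwichain.io
          VITE_PEOPLE_CHAIN_ENDPOINT: wss://people-rpc.pezkuwichain.io
          # Quoted so no YAML loader can ever read the hex id as a number.
          VITE_WALLETCONNECT_PROJECT_ID: '8292a793b7640e8364c378e331e76d04'

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          name: web-dist
          path: web/dist/

  # ========================================
  # MOBILE APP - LINT & TEST
  # ========================================
  mobile:
    name: Mobile App
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
          cache-dependency-path: mobile/package-lock.json

      # --legacy-peer-deps is carried over from the original install; it
      # silences peer-dependency conflicts rather than resolving them.
      - name: Install dependencies
        working-directory: ./mobile
        run: npm ci --legacy-peer-deps

      - name: Run Linter
        working-directory: ./mobile
        run: npm run lint

      - name: Run Tests
        working-directory: ./mobile
        run: npm run test

  # ========================================
  # DEPLOY WEB APP TO VPS
  # ========================================
  deploy:
    name: Deploy Web
    runs-on: ubuntu-latest
    needs: [web, security-audit]
    # Pushes to main only; workflow_dispatch and PR runs never deploy.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    # The only job allowed to write to the repository (version-bump commit).
    permissions:
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Configure Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      # Bumps web/package.json and commits it back to main. `[skip ci]` keeps
      # that commit from re-triggering this workflow.
      # NOTE: the artifact deployed below was built by the `web` job from the
      # pre-bump commit, so any version string embedded in the bundle is one
      # patch level behind the committed package.json.
      # NOTE: `git push || echo` deliberately keeps the deploy going when the
      # push is rejected (e.g. by branch protection); if that happens the
      # bump is lost and the next deploy will re-bump from the old version.
      - name: Bump version
        working-directory: ./web
        run: |
          npm version patch --no-git-tag-version
          VERSION=$(node -p "require('./package.json').version")
          echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
          cd ..
          git add web/package.json
          git commit -m "chore(web): bump version to $VERSION [skip ci]" || echo "No version change"
          git push || echo "Nothing to push"

      - name: Download build artifact
        uses: actions/download-artifact@v4
        with:
          name: web-dist
          path: dist/

      # TODO(security): pin to a full-length commit SHA; a tag can be moved.
      # scp copies files over the target but does not remove files that are
      # no longer in dist/, so stale assets can linger on the server.
      - name: Deploy to VPS
        uses: appleboy/scp-action@v1.0.0
        with:
          host: ${{ secrets.VPS_HOST }}
          username: ${{ secrets.VPS_USER }}
          key: ${{ secrets.VPS_SSH_KEY }}
          source: 'dist/*'
          target: '/var/www/subdomains/app'
          strip_components: 1

      # NEW_VERSION was exported via GITHUB_ENV above; read it as a shell
      # variable instead of interpolating a `${{ }}` expression into the script.
      - name: Post-deploy notification
        run: |
          echo "✅ Deployed web app v${NEW_VERSION} to app.pezkuwichain.io"

  # ========================================
  # SECURITY CHECKS (BLOCKING)
  # ========================================
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    needs: [web]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # TruffleHog scans git history; with the default shallow clone it
          # would only have the single checked-out commit to inspect.
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: npm
          cache-dependency-path: web/package-lock.json

      # Gate is critical-only by policy: high/moderate advisories do not block.
      - name: Web - npm audit (critical only)
        working-directory: ./web
        run: |
          # Install from the lockfile without running package lifecycle
          # scripts: the audit only needs the resolved dependency tree, and a
          # security job should not execute arbitrary postinstall hooks.
          npm ci --ignore-scripts
          npm audit --audit-level=critical

      # TODO(security): pin to a full-length commit SHA. `@main` is a mutable
      # branch ref, so the scanner's code can change underneath this workflow
      # without any change to this file.
      - name: TruffleHog Secret Scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # Only credentials that verify live against their provider are
          # reported; rotated or unverifiable secrets left in history are not.
          extra_args: --only-verified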