pwap/.github/workflows/quality-gate.yml

name: Quality Gate

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  workflow_dispatch:

jobs:
  # ========================================
  # BUILD, LINT & TEST (CRITICAL)
  # ========================================
  quality-gate:
    name: Build, Lint & Test
    runs-on: ubuntu-latest
    
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Cache npm dependencies
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: Install dependencies
        working-directory: ./web
        run: npm ci

      - name: Run Linter
        working-directory: ./web
        run: npm run lint

      - name: Run Tests
        working-directory: ./web
        run: npm run test

      - name: Build Project
        working-directory: ./web
        run: npm run build

  # ========================================
  # SECURITY CHECKS (INFORMATIVE)
  # ========================================
  security-audit:
    name: Security Audit
    runs-on: ubuntu-latest
    needs: quality-gate

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Cache npm dependencies
        uses: actions/cache@v4
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-
            
      - name: Install dependencies
        run: npm ci

      - name: Run npm audit
        continue-on-error: true
        run: npm audit --audit-level=high

      - name: TruffleHog Secret Scan
        continue-on-error: true
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD