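# CI/CD Pipeline - NixOS VM Tests Only
# All tests run in isolated NixOS VMs with native services (no Docker)
#
# Review notes on the cache credential and publishing steps:
# - ATTIC_TOKEN is handed to `attic login` through the step's `env:` instead of
#   being expanded by `${{ }}` inside the script body, so the secret is never
#   written into the generated shell script (the documented way to use a secret
#   in a `run:` step).
# - `attic push` steps run only on `push` events: store paths built from
#   pull-request code must not be published to the cache that every other job
#   on this runner trusts (`attic use lan:webref`).
# - `runs-on: nix` is a custom runner label; whether pull_request runs from
#   forks receive ATTIC_TOKEN at all depends on the forge — TODO confirm.
name: CI/CD

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop, '001-*']
  pull_request:
    branches: [main, develop]

jobs:
  # NixOS VM integration tests (PostgreSQL + MinIO native services)
  nixos-vm-tests:
    name: VM Test - ${{ matrix.test }}
    runs-on: nix
    strategy:
      fail-fast: false
      matrix:
        test:
          - backend-integration  # Backend + PostgreSQL + MinIO
          - full-stack  # Complete API stack
          - performance  # Benchmarks
          - security  # Security suite
    steps:
      # NOTE(review): on pull_request events GITHUB_SHA is the PR merge commit,
      # which lives under refs/pull/*; a plain clone may not fetch it — confirm
      # on this forge, or fetch that ref explicitly before the checkout.
      - name: Checkout code
        run: |
          git clone "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" .
          git checkout "$GITHUB_SHA"

      # Configure Attic binary cache (token via env, see header note)
      - name: Configure Attic cache
        env:
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          attic login lan http://127.0.0.1:2343 "$ATTIC_TOKEN"
          attic use lan:webref

      # Run NixOS VM test (matrix.test is a static value from this file, not
      # event input, so expanding it into the script is not an injection path)
      - name: Run ${{ matrix.test }}
        run: |
          echo "🚀 Starting NixOS VM test: ${{ matrix.test }}"
          nix build .#checks.${{ matrix.test }} -L --accept-flake-config
          echo "✅ Test passed"

      # Push to Attic cache — trusted (push-event) builds only
      - name: Push to Attic cache
        if: success() && github.event_name == 'push'
        run: |
          attic push lan:webref result

  # Quick checks (no VM needed)
  lint:
    name: Linting & Formatting
    runs-on: nix
    steps:
      - name: Checkout code
        run: |
          git clone "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" .
          git checkout "$GITHUB_SHA"

      # Configure Attic cache (token via env, see header note)
      - name: Configure Attic cache
        env:
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          attic login lan http://127.0.0.1:2343 "$ATTIC_TOKEN"
          attic use lan:webref

      - name: Backend - Ruff check
        run: nix develop --command bash -c "cd backend && ruff check app/"

      - name: Backend - Ruff format check
        run: nix develop --command bash -c "cd backend && ruff format --check app/"

      # node_modules is reused when the runner workspace persists between runs
      - name: Frontend - Install deps (if needed)
        run: nix develop --command bash -c "cd frontend && [ -d node_modules ] || npm ci"

      - name: Frontend - ESLint
        run: nix develop --command bash -c "cd frontend && npm run lint"

      - name: Frontend - Prettier check
        run: nix develop --command bash -c "cd frontend && npx prettier --check ."

      - name: Frontend - Svelte check
        run: nix develop --command bash -c "cd frontend && npm run check"

      - name: Nix - Flake check
        run: nix flake check --accept-flake-config

  # Unit tests (fast, no services needed)
  unit-tests:
    name: Unit Tests
    runs-on: nix
    steps:
      - name: Checkout code
        run: |
          git clone "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" .
          git checkout "$GITHUB_SHA"

      # Configure Attic cache (token via env, see header note)
      - name: Configure Attic cache
        env:
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          attic login lan http://127.0.0.1:2343 "$ATTIC_TOKEN"
          attic use lan:webref

      # Coverage gate: the step fails below 80% line coverage
      - name: Backend unit tests
        run: |
          nix develop --command bash -c "
            cd backend &&
            pytest tests/unit/ -v \
              --cov=app \
              --cov-report=xml \
              --cov-report=term-missing \
              --cov-fail-under=80
          "

      - name: Frontend - Install deps (if needed)
        run: nix develop --command bash -c "cd frontend && [ -d node_modules ] || npm ci"

      - name: Frontend unit tests
        run: nix develop --command bash -c "cd frontend && npm run test:coverage"

  # Verify packages build
  build:
    name: Build Packages
    runs-on: nix
    steps:
      - name: Checkout code
        run: |
          git clone "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY" .
          git checkout "$GITHUB_SHA"

      # Configure Attic cache (token via env, see header note)
      - name: Configure Attic cache
        env:
          ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}
        run: |
          attic login lan http://127.0.0.1:2343 "$ATTIC_TOKEN"
          attic use lan:webref

      - name: Build backend package
        run: nix build .#backend -L --accept-flake-config

      # Publish only from push events (see header note); `result` is the
      # symlink left by the preceding nix build
      - name: Push backend to Attic
        if: success() && github.event_name == 'push'
        run: attic push lan:webref result

      - name: Build frontend package
        run: nix build .#frontend -L --accept-flake-config

      # `result` now points at the frontend build, replacing the backend link
      - name: Push frontend to Attic
        if: success() && github.event_name == 'push'
        run: attic push lan:webref result

  # Summary
  summary:
    name: CI Summary
    runs-on: nix
    needs: [nixos-vm-tests, lint, unit-tests, build]
    # always() so the table is printed even when an upstream job failed;
    # the step below then turns any non-success result into a failure
    if: always()
    steps:
      - name: Results
        run: |
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo "📊 CI Pipeline Results"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo "NixOS VMs:   ${{ needs.nixos-vm-tests.result }}"
          echo "Linting:     ${{ needs.lint.result }}"
          echo "Unit Tests:  ${{ needs.unit-tests.result }}"
          echo "Build:       ${{ needs.build.result }}"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

          if [[ "${{ needs.nixos-vm-tests.result }}" != "success" ]] || \
             [[ "${{ needs.lint.result }}" != "success" ]] || \
             [[ "${{ needs.unit-tests.result }}" != "success" ]] || \
             [[ "${{ needs.build.result }}" != "success" ]]; then
            echo "❌ Pipeline Failed"
            exit 1
          fi

          echo "✅ All Checks Passed"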