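---
# Release pipeline: runs the test suite, then builds, pushes and scans the
# container image. Triggered by version tags (v*.*.*) or manually.
name: CI/CD Awesome Pipeline

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch:

env:
  # Registry coordinates, overridable through repository variables, with the
  # Gitea defaults below. Every image reference in this file is built from
  # these two values so the registry host/owner cannot drift between steps.
  REGISTRY_URL: ${{ vars.REGISTRY_URL || 'gitea.iswearihadsomethingforthis.net' }}
  REGISTRY_USER: ${{ vars.REGISTRY_USER || 'francwa' }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build and run tests
        env:
          # API keys the test target needs, supplied from repository secrets.
          DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}
          TMDB_API_KEY: ${{ secrets.TMDB_API_KEY }}
        run: make _ci-run-tests

  build-and-push:
    name: Build & Push to Registry
    runs-on: ubuntu-latest
    # Never publish an image whose tests did not pass.
    needs: test
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Load config from Makefile
        id: config
        # The Makefile target prints key=value lines (image_name, python_version,
        # python_version_short, runner) that later steps read as step outputs.
        run: make -s _ci-dump-config >> "$GITHUB_OUTPUT"

      - name: 🏷️ Docker Metadata (Tags & Labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}
          # Lines starting with '#' inside this literal block are part of the
          # input value, not YAML comments; this relies on metadata-action
          # treating them as comments.
          tags: |
            # Tagged (v1.2.3)
            type=semver,pattern={{ version }}
            # Latest (main)
            type=raw,value=latest,enable={{ is_default_branch }}
            # Feature branches
            type=ref,event=branch

      - name: Login to Gitea Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY_URL }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.G1T34_TOKEN }}

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./brain/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
            RUNNER=${{ steps.config.outputs.runner }}

      - name: 🛡️ Run Trivy Vulnerability Scanner
        # Floating tag: pin to a release tag or digest for a reproducible scanner.
        uses: docker://aquasec/trivy:latest
        env:
          TRIVY_USERNAME: ${{ gitea.actor }}
          TRIVY_PASSWORD: ${{ secrets.G1T34_TOKEN }}
          # Unset the fake GITHUB_TOKEN injected by Gitea
          GITHUB_TOKEN: ""
        with:
          # Scan exactly the manifest pushed by the previous step, addressed by
          # digest. The ':latest' tag is only produced on the default branch, so
          # on a tag build it would be stale or absent and not what was shipped.
          # --exit-code 0 makes the scan report-only: findings are uploaded as an
          # artifact but do not fail the job, and the image is already pushed.
          args: >-
            image --format table --output trivy-report.txt --exit-code 0
            --ignore-unfixed --severity CRITICAL,HIGH
            ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}@${{ steps.docker_build.outputs.digest }}

      - name: 📤 Upload Security Report
        uses: actions/upload-artifact@v3
        with:
          name: security-report
          path: trivy-report.txt
          retention-days: 7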