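# CI workflow: builds and tests the .NET backend and the Vue/TS frontend on
# pushes and pull requests targeting main, and runs a keyword-based secret
# scan on main.
#
# NOTE(review): every `uses:` below references a mutable major-version tag
# (@v4). Pinning each action to a full commit SHA keeps a retagged release
# from silently changing what runs in this pipeline.
name: CI - Build & Test
run-name: 🔍 CI ${{ gitea.ref_name }} by @${{ gitea.actor }}

# ── Concurrency: cancel in-progress CI when new push arrives ──
concurrency:
  group: ci-${{ gitea.ref }}
  cancel-in-progress: true

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # ─── Backend ───────────────────────────────────
  backend:
    name: Backend (.NET)
    runs-on: linux
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'

      # Cache NuGet packages across runs (keyed on .csproj files)
      - name: Cache NuGet packages
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: nuget-${{ runner.os }}-${{ hashFiles('backend/*.csproj', 'backend-tests/*.csproj') }}
          restore-keys: |
            nuget-${{ runner.os }}-

      - name: Restore
        run: dotnet restore backend/Nexus.Api.csproj

      - name: Build
        run: dotnet build backend/Nexus.Api.csproj --no-restore --configuration Release

      # NOTE(review): continue-on-error means a failing test run does not fail
      # this job, so a red test suite cannot block a merge. Left unchanged in
      # case it is a deliberate stop-gap; remove it once the suite is stable.
      - name: Test
        run: dotnet test backend-tests/Nexus.Api.Tests.csproj --no-build --configuration Release --verbosity normal
        continue-on-error: true

  # ─── Frontend ──────────────────────────────────
  frontend:
    name: Frontend (Vue/TS)
    runs-on: linux
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'

      # NOTE(review): pnpm@latest resolves to whatever is newest at run time.
      # Pin an exact pnpm version (for example through the packageManager
      # field of the frontend package manifest) so the toolchain is
      # reproducible and a new pnpm release cannot change the build unreviewed.
      - name: Setup pnpm
        run: |
          corepack enable
          corepack prepare pnpm@latest --activate

      # Cache pnpm store + node_modules (keyed on lockfile)
      # NOTE(review): recent pnpm versions may keep the store outside
      # ~/.pnpm-store; confirm the location with `pnpm store path`.
      - name: Cache pnpm store
        uses: actions/cache@v4
        with:
          path: |
            frontend/node_modules
            ~/.pnpm-store
          key: pnpm-${{ runner.os }}-${{ hashFiles('frontend/pnpm-lock.yaml') }}
          restore-keys: |
            pnpm-${{ runner.os }}-

      # Install exactly what the committed lockfile describes. With
      # --frozen-lockfile the step fails when pnpm-lock.yaml is out of sync
      # with the manifest instead of resolving new, unreviewed dependency
      # versions during CI. If this fails, regenerate and commit the lockfile.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        working-directory: frontend

      - name: Type check
        run: pnpm exec vue-tsc --noEmit
        working-directory: frontend

      - name: Build
        run: pnpm build
        working-directory: frontend

  # ─── Security ──────────────────────────────────
  security:
    name: Security Check
    runs-on: linux
    # Runs only for the main branch ref, so pull requests are not scanned
    # before merge.
    # NOTE(review): this condition uses the github context while the rest of
    # the file uses gitea; confirm both are accepted by the runner.
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Keyword scan over backend/ and frontend/src/ (*.cs, *.ts, *.vue).
      # grep -l prints only the names of matching files, so a real credential
      # on a matching line is not copied into the job log.
      # The step is advisory: it always exits 0 and only prints a warning.
      # The keywords are broad, so expect false positives.
      - name: Check for .env leaks
        run: |
          if grep -rl "API_KEY\|SECRET\|PASSWORD\|TOKEN" --include="*.cs" --include="*.ts" --include="*.vue" backend/ frontend/src/ 2>/dev/null; then
            echo "⚠️ Warning: Potential secrets in source code (review manually)"
          else
            echo "✅ No obvious secrets found"
          fi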