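# CI workflow (Gitea Actions): builds and tests the .NET backend, type-checks
# and builds the Vue/TypeScript frontend, and runs an advisory secret grep.
#
# NOTE(review): actions/checkout@v3 and both container images are referenced
# by mutable tags, so the code that runs in CI can change without a commit to
# this repository. Pinning the action to a full commit SHA and the images to
# a digest makes runs reproducible and auditable.
name: CI - Build & Test
run-name: 🔍 CI ${{ gitea.ref_name }} by @${{ gitea.actor }}

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # ─── Backend ───────────────────────────────────
  backend:
    name: Backend (.NET)
    runs-on: linux
    container:
      image: mcr.microsoft.com/dotnet/sdk:10.0
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Restore
        run: dotnet restore backend/Nexus.Api.csproj

      - name: Build
        run: dotnet build backend/Nexus.Api.csproj --no-restore --configuration Release

      # The Restore and Build steps above only cover backend/Nexus.Api.csproj,
      # so the test project has not been restored or built when this step
      # starts. --no-build is therefore omitted: dotnet test restores and
      # builds backend-tests itself before running the suite.
      #
      # NOTE(review): continue-on-error keeps the job green when tests fail,
      # so the suite is not a merge gate. Remove it once the suite is
      # expected to pass.
      - name: Test
        run: dotnet test backend-tests/Nexus.Api.Tests.csproj --configuration Release --verbosity normal
        continue-on-error: true

  # ─── Frontend ──────────────────────────────────
  frontend:
    name: Frontend (Vue/TS)
    runs-on: linux
    container:
      image: node:24-alpine
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # NOTE(review): pnpm@latest resolves to whatever is newest at run time,
      # while the install below uses --frozen-lockfile. A new pnpm release
      # can change or break CI with no change in this repository; pin an
      # explicit pnpm version here.
      - name: Setup pnpm
        run: |
          corepack enable
          corepack prepare pnpm@latest --activate

      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        working-directory: frontend

      - name: Type check
        run: pnpm exec vue-tsc --noEmit
        working-directory: frontend

      - name: Build
        run: pnpm build
        working-directory: frontend

  # ─── Security ──────────────────────────────────
  security:
    name: Security Check
    runs-on: linux
    # Runs only when the ref is refs/heads/main.
    # NOTE(review): pull_request runs normally carry a different ref, so this
    # scan presumably executes only after a push to main, i.e. once the change
    # has already landed. Confirm whether it should also run on pull requests.
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout
        uses: actions/checkout@v3

      # Advisory only: both branches just echo, so the step always succeeds
      # and never blocks a change. Limits of this check:
      #   - it is a case-sensitive match on four identifier names in
      #     *.cs, *.ts and *.vue files; .env files themselves are not scanned;
      #   - matching lines are printed to the job log, so a real secret in a
      #     matched line is copied into CI logs (grep -l would list file
      #     names only);
      #   - 2>/dev/null hides grep errors, and a grep failure (for example a
      #     missing directory) falls into the "No obvious secrets" branch.
      - name: Check for .env leaks
        run: |
          if grep -r "API_KEY\|SECRET\|PASSWORD\|TOKEN" --include="*.cs" --include="*.ts" --include="*.vue" backend/ frontend/src/ 2>/dev/null; then
            echo "⚠️ Warning: Potential secrets in source code (review manually)"
          else
            echo "✅ No obvious secrets found"
          fi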