nexus/.gitea/workflows/ci.yaml

name: CI - Build & Test
run-name: 🔍 CI ${{ gitea.ref_name }} by @${{ gitea.actor }}

# ── Concurrency: cancel in-progress CI when new push arrives ──
concurrency:
  group: ci-${{ gitea.ref }}
  cancel-in-progress: true

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  # ─── Backend ───────────────────────────────────
  backend:
    name: Backend (.NET)
    runs-on: linux
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'

      - name: Restore
        run: dotnet restore backend/Nexus.Api.csproj

      - name: Build
        run: dotnet build backend/Nexus.Api.csproj --no-restore --configuration Release

      - name: Test
        run: dotnet test backend-tests/Nexus.Api.Tests.csproj --no-build --configuration Release --verbosity normal
        continue-on-error: true

  # ─── Frontend ──────────────────────────────────
  frontend:
    name: Frontend (Vue/TS)
    runs-on: linux
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '24'

      - name: Setup pnpm
        run: |
          corepack enable
          corepack prepare pnpm@latest --activate

      # --prefer-offline: use cached packages if available in the runner image
      # Lockfile IS committed — regenerated on changes via pnpm install.
      - name: Install dependencies
        run: pnpm install --no-frozen-lockfile --prefer-offline
        working-directory: frontend

      - name: Type check
        run: pnpm exec vue-tsc --noEmit
        working-directory: frontend

      - name: Build
        run: pnpm build
        working-directory: frontend

  # ─── Security ──────────────────────────────────
  security:
    name: Security Check
    runs-on: linux
    if: github.ref == 'refs/heads/main'
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Check for .env leaks
        run: |
          if grep -r "API_KEY\|SECRET\|PASSWORD\|TOKEN" --include="*.cs" --include="*.ts" --include="*.vue" backend/ frontend/src/ 2>/dev/null; then
            echo "⚠️ Warning: Potential secrets in source code (review manually)"
          else
            echo "✅ No obvious secrets found"
          fi