name: Build and Deploy Demo App

on:
  push:
    branches:
      - main

jobs:
  # ------------------ TEST ------------------
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install deps
        run: pip install -r requirements.txt

      - name: Run tests
        env:
          DB_USER: ''   # force SQLite fallback
          DB_PASS: ''
          DB_NAME: ''
        run: pytest

  # ------------------ BUILD ------------------
  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t demo-app:latest .

  # ------------------ SCAN ------------------
  scan:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Rebuild image in this job so it's available locally
      - name: Build Docker image for scan
        run: docker build -t demo-app:latest .

      # Use Trivy via Docker, no GitHub-specific action
      - name: Scan image with Trivy
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            aquasecurity/trivy:latest \
            image --exit-code 1 --severity CRITICAL,HIGH demo-app:latest

  # ------------------ DEPLOY ------------------
  deploy:
    needs: [build, scan]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Rebuild image for deployment
      - name: Build Docker image for deploy
        run: docker build -t demo-app:latest .

      - name: Save Docker image to tar
        run: docker save demo-app:latest > demo-app.tar

      - name: Set up SSH
        run: |
          apt update && apt install -y openssh-client
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          eval "$(ssh-agent -s)"
          ssh-add ~/.ssh/id_ed25519
          ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts

      - name: Copy tar to server
        run: scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar

      - name: Deploy on server
        run: |
          ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF
            cd ${{ secrets.DEPLOY_PATH }}
            # Create/update .env with secrets
            echo "DB_USER=${{ secrets.DB_USER }}" > .env
            echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env
            echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env
            # Load and deploy
            docker load -i demo-app.tar
            docker compose down
            docker compose --env-file .env up -d --remove-orphans
            rm demo-app.tar
          EOF