name: Build and Deploy Demo App

on:
  push:
    branches:
      - main

jobs:
  # ---------- TEST ----------
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install deps
        run: pip install -r requirements.txt

      - name: Run tests
        env:
          DB_USER: ""   # force SQLite fallback in app.py
          DB_PASS: ""
          DB_NAME: ""
        run: pytest

  # ---------- BUILD ----------
  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build Docker image
        run: docker build -t demo-app:latest .

  # ---------- SCAN ----------
  scan:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Rebuild image in this job so it's available locally
      - name: Build Docker image for scan
        run: docker build -t demo-app:latest .

      # Trivy via Docker (no GitHub Action)
      - name: Scan image with Trivy
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            aquasec/trivy:latest \
            image --exit-code 1 --severity CRITICAL,HIGH --no-progress demo-app:latest

  # ---------- DEPLOY ----------
  deploy:
    needs: [build, scan]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Rebuild image for deployment
      - name: Build Docker image for deploy
        run: docker build -t demo-app:latest .

      - name: Save Docker image to tar
        run: docker save demo-app:latest > demo-app.tar

      - name: Set up SSH
        run: |
          apt update && apt install -y openssh-client
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          eval "$(ssh-agent -s)"
          ssh-add ~/.ssh/id_ed25519
          ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts

      - name: Copy tar to server
        run: scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar

      - name: Deploy on server
        run: |
          ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << 'EOF'
            set -e
            cd "${DEPLOY_PATH}"

            # Create/update .env with DB secrets from CI
            echo "DB_USER=${DB_USER}" > .env
            echo "DB_PASS=${DB_PASS}" >> .env
            echo "DB_NAME=${DB_NAME}" >> .env

            # Load new image and restart stack
            docker load -i demo-app.tar
            docker compose down
            docker compose --env-file .env up -d --remove-orphans

            rm demo-app.tar
          EOF
        env:
          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
          DB_USER: ${{ secrets.DB_USER }}
          DB_PASS: ${{ secrets.DB_PASS }}
          DB_NAME: ${{ secrets.DB_NAME }}