.github/workflows/ci-cd.yml

name: CI/CD Pipeline

on:
  push:
    branches:
      - main
      - develop
    tags:
      - "v*"
  pull_request:
    branches:
      - main
      - develop
  workflow_dispatch:

env:
  DOCKER_IMAGE: ghcr.io/${{ github.repository_owner }}/rag-terminal
  PYTHON_VERSION: "3.12"

jobs:
  # Job 1: Lint and Test
  test:
    name: Test Application
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pip"

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install pytest pytest-cov ruff
          pip install -r requirements.txt
          pip install torch --index-url https://download.pytorch.org/whl/cpu

      - name: Lint with ruff
        run: |
          ruff check . --output-format=github || true

      - name: Run tests (if test files exist)
        run: |
          if [ -d "tests" ]; then
            pytest tests/ --cov=. --cov-report=xml --cov-report=term
          else
            echo "No tests directory found, skipping tests"
          fi

  # Job 2: Build Docker Image
  build:
    name: Build Docker Image
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      packages: write
    outputs:
      image_ref: ${{ steps.image_ref.outputs.image_ref }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_IMAGE }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Capture primary image reference
        id: image_ref
        run: |
          tags="${{ steps.meta.outputs.tags }}"
          IFS=$'\n' read -r first_tag _ <<< "$tags"
          echo "image_ref=$first_tag" >> "$GITHUB_OUTPUT"

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64

      - name: Image digest
        run: echo ${{ steps.meta.outputs.digest }}

  # Job 3: Security Scan
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
      packages: read
      security-events: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Trivy vulnerability scanner
        id: trivy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ needs.build.outputs.image_ref }}
          format: "sarif"
          output: "trivy-results.sarif"
        continue-on-error: true

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: "trivy-results.sarif"

  # Job 4: Deploy (example for production)
  deploy:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: [build, security]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment:
      name: production
      url: https://rag-terminal.yourdomain.com

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Deploy notification
        run: |
          echo "Deploying RAG Terminal application..."
          echo "Image: ${{ env.DOCKER_IMAGE }}:latest"

      # Add your deployment steps here:
      # - SSH to server
      # - Pull latest image
      # - Restart containers
      # - Run health checks

      # Example: Deploy to a remote server via SSH
      # - name: Deploy to server
      #   uses: appleboy/ssh-action@master
      #   with:
      #     host: ${{ secrets.DEPLOY_HOST }}
      #     username: ${{ secrets.DEPLOY_USER }}
      #     key: ${{ secrets.DEPLOY_SSH_KEY }}
      #     script: |
      #       cd /opt/rag-terminal
      #       docker-compose pull
      #       docker-compose up -d
      #       docker-compose ps

      - name: Deployment success
        run: echo "✅ Deployment completed successfully!"