name: CI/CD Pipeline

on:
  push:
    branches: [main, dev, production]
  pull_request:
    branches: [main, dev, production]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  # Test Job (parallel)
  test:
    name: Run Tests
    runs-on: self-hosted  # Use your own server for speed!
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Cache dependencies
        uses: actions/cache@v4
        with:
          path: |
            ~/.npm
            node_modules
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: Install dependencies
        run: npm ci

      - name: Create test environment file
        run: |
          cat > .env <<EOF
          NODE_ENV=test
          NEXT_PUBLIC_BASE_URL=http://localhost:3000
          MY_EMAIL=test@example.com
          MY_INFO_EMAIL=test@example.com
          MY_PASSWORD=test
          MY_INFO_PASSWORD=test
          NEXT_PUBLIC_UMAMI_URL=https://analytics.dk0.dev
          NEXT_PUBLIC_UMAMI_WEBSITE_ID=b3665829-927a-4ada-b9bb-fcf24171061e
          ADMIN_BASIC_AUTH=admin:test
          LOG_LEVEL=info
          EOF

      - name: Run linting
        run: npm run lint

      - name: Run tests
        run: npm run test

      - name: Build application
        run: npm run build

  # Security scan (parallel)
  security:
    name: Security Scan
    runs-on: self-hosted  # Use your own server for speed!
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          skip-version-check: true
          scanners: 'vuln,secret,config'

      - name: Upload Trivy scan results as artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trivy-security-report
          path: trivy-results.sarif
          retention-days: 30

  # Build and push Docker image
  build:
    name: Build and Push Docker Image
    runs-on: self-hosted  # Use your own server for speed!
    needs: [test, security]  # Wait for parallel jobs to complete
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/production')
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,prefix={{branch}}-
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=staging,enable={{is_default_branch==false && branch=='dev'}}
            type=raw,value=staging,enable={{is_default_branch==false && branch=='main'}}

      - name: Create production environment file
        run: |
          cat > .env <<EOF
          NODE_ENV=production
          NEXT_PUBLIC_BASE_URL=${{ vars.NEXT_PUBLIC_BASE_URL }}
          MY_EMAIL=${{ vars.MY_EMAIL }}
          MY_INFO_EMAIL=${{ vars.MY_INFO_EMAIL }}
          MY_PASSWORD=${{ secrets.MY_PASSWORD }}
          MY_INFO_PASSWORD=${{ secrets.MY_INFO_PASSWORD }}
          NEXT_PUBLIC_UMAMI_URL=${{ vars.NEXT_PUBLIC_UMAMI_URL }}
          NEXT_PUBLIC_UMAMI_WEBSITE_ID=${{ vars.NEXT_PUBLIC_UMAMI_WEBSITE_ID }}
          ADMIN_BASIC_AUTH=${{ secrets.ADMIN_BASIC_AUTH }}
          LOG_LEVEL=info
          EOF

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64  # Only AMD64 for speed
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # Optimize for speed
          build-args: |
            BUILDKIT_INLINE_CACHE=1

  # Deploy to staging (dev/main branches)
  deploy-staging:
    name: Deploy to Staging
    runs-on: self-hosted
    needs: build
    if: github.event_name == 'push' && (github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main')
    environment: staging
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Deploy staging to server
        run: |
          # Set deployment variables
          export IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:staging"
          export CONTAINER_NAME="portfolio-app-staging"
          export COMPOSE_FILE="docker-compose.staging.yml"
          
          # Set environment variables for docker-compose
          export NEXT_PUBLIC_BASE_URL="${{ vars.NEXT_PUBLIC_BASE_URL_STAGING || vars.NEXT_PUBLIC_BASE_URL }}"
          export MY_EMAIL="${{ vars.MY_EMAIL }}"
          export MY_INFO_EMAIL="${{ vars.MY_INFO_EMAIL }}"
          export MY_PASSWORD="${{ secrets.MY_PASSWORD }}"
          export MY_INFO_PASSWORD="${{ secrets.MY_INFO_PASSWORD }}"
          export ADMIN_BASIC_AUTH="${{ secrets.ADMIN_BASIC_AUTH }}"
          
          # Pull latest staging image
          docker pull $IMAGE_NAME || docker pull "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main" || true
          
          # Stop and remove old staging container (if exists)
          docker compose -f $COMPOSE_FILE down || true
          
          # Start new staging container
          docker compose -f $COMPOSE_FILE up -d --force-recreate
          
          # Wait for health check
          echo "Waiting for staging application to be healthy..."
          for i in {1..30}; do
            if curl -f http://localhost:3001/api/health > /dev/null 2>&1; then
              echo "✅ Staging deployment successful!"
              break
            fi
            sleep 2
          done
          
          # Verify deployment
          if curl -f http://localhost:3001/api/health; then
            echo "✅ Staging deployment verified!"
          else
            echo "⚠️ Staging health check failed, but container is running"
            docker compose -f $COMPOSE_FILE logs --tail=50
          fi

  # Deploy to production
  deploy:
    name: Deploy to Production
    runs-on: self-hosted
    needs: build
    if: github.event_name == 'push' && github.ref == 'refs/heads/production'
    environment: production
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Deploy to production (zero-downtime)
        run: |
          # Set deployment variables
          export IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:production"
          export CONTAINER_NAME="portfolio-app"
          export COMPOSE_FILE="docker-compose.production.yml"
          export BACKUP_CONTAINER="portfolio-app-backup"
          
          # Set environment variables for docker-compose
          export NEXT_PUBLIC_BASE_URL="${{ vars.NEXT_PUBLIC_BASE_URL }}"
          export MY_EMAIL="${{ vars.MY_EMAIL }}"
          export MY_INFO_EMAIL="${{ vars.MY_INFO_EMAIL }}"
          export MY_PASSWORD="${{ secrets.MY_PASSWORD }}"
          export MY_INFO_PASSWORD="${{ secrets.MY_INFO_PASSWORD }}"
          export ADMIN_BASIC_AUTH="${{ secrets.ADMIN_BASIC_AUTH }}"
          
          # Pull latest production image
          echo "📦 Pulling latest production image..."
          docker pull $IMAGE_NAME
          
          # Check if production container is running
          if docker ps --format '{{.Names}}' | grep -q "^${CONTAINER_NAME}$"; then
            echo "🔄 Production container is running - performing zero-downtime deployment..."
            
            # Start new container with different name first (blue-green)
            echo "🚀 Starting new container (green)..."
            docker run -d \
              --name ${BACKUP_CONTAINER} \
              --network portfolio_net \
              -p 3002:3000 \
              -e NODE_ENV=production \
              -e DATABASE_URL=postgresql://portfolio_user:portfolio_pass@postgres:5432/portfolio_db?schema=public \
              -e REDIS_URL=redis://redis:6379 \
              -e NEXT_PUBLIC_BASE_URL="${{ vars.NEXT_PUBLIC_BASE_URL }}" \
              -e MY_EMAIL="${{ vars.MY_EMAIL }}" \
              -e MY_INFO_EMAIL="${{ vars.MY_INFO_EMAIL }}" \
              -e MY_PASSWORD="${{ secrets.MY_PASSWORD }}" \
              -e MY_INFO_PASSWORD="${{ secrets.MY_INFO_PASSWORD }}" \
              -e ADMIN_BASIC_AUTH="${{ secrets.ADMIN_BASIC_AUTH }}" \
              $IMAGE_NAME || true
            
            # Wait for new container to be healthy
            echo "⏳ Waiting for new container to be healthy..."
            for i in {1..30}; do
              if curl -f http://localhost:3002/api/health > /dev/null 2>&1; then
                echo "✅ New container is healthy!"
                break
              fi
              sleep 2
            done
            
            # Stop old container
            echo "🛑 Stopping old container..."
            docker stop ${CONTAINER_NAME} || true
            
            # Remove old container
            docker rm ${CONTAINER_NAME} || true
            
            # Rename new container to production name
            docker rename ${BACKUP_CONTAINER} ${CONTAINER_NAME}
            
            # Update port mapping (requires container restart, but it's already healthy)
            docker stop ${CONTAINER_NAME}
            docker rm ${CONTAINER_NAME}
            
            # Start with correct port using docker-compose
            docker compose -f $COMPOSE_FILE up -d --force-recreate
          else
            echo "🆕 No existing container - starting fresh deployment..."
            docker compose -f $COMPOSE_FILE up -d --force-recreate
          fi
          
          # Wait for health check
          echo "⏳ Waiting for production application to be healthy..."
          for i in {1..30}; do
            if curl -f http://localhost:3000/api/health > /dev/null 2>&1; then
              echo "✅ Production deployment successful!"
              break
            fi
            sleep 2
          done
          
          # Verify deployment
          if curl -f http://localhost:3000/api/health; then
            echo "✅ Production deployment verified!"
          else
            echo "❌ Production deployment failed!"
            docker compose -f $COMPOSE_FILE logs --tail=100
            exit 1
          fi
          
          # Cleanup backup container if it exists
          docker rm -f ${BACKUP_CONTAINER} 2>/dev/null || true

      - name: Cleanup old images
        run: |
          # Remove unused images older than 7 days
          docker image prune -f --filter "until=168h"
          
          # Remove unused containers
          docker container prune -f