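---
# CI workflow: lint and build on pushes and pull requests targeting main/dev,
# run a Trivy filesystem scan and upload its SARIF report, then call the
# Coolify deployment webhook for the branch that was pushed.
name: CI

on:
  push:
    branches: [main, dev]
  pull_request:
    branches: [main, dev]

# Least privilege: the workflow token is read-only unless a job asks for more.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step talks to the remote, so keep the token out of
          # .git/config where install and build scripts could read it.
          persist-credentials: false
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: 'pnpm'
      - name: Install dependencies
        # --frozen-lockfile fails the job instead of silently updating
        # the lockfile when it is out of sync with package.json.
        run: pnpm install --frozen-lockfile
      - name: Lint
        run: pnpm lint
      - name: Build
        run: pnpm build

  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # upload-sarif reads workflow run metadata on private repositories.
      actions: read
      # Required to publish the SARIF report to code scanning.
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run Trivy vulnerability scanner
        # NOTE(review): `@master` is a mutable branch ref, so the code this
        # step runs can change without any change to this file. Pin it to the
        # full commit SHA of a reviewed release. The `@v4` / `@v3` tags used
        # elsewhere in this workflow are movable as well.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        # Upload the report even when the scan step did not succeed.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  deploy-dev:
    # Only true for pushes to dev: pull_request runs carry a refs/pull/...
    # ref, so they never reach the deploy step.
    if: github.ref == 'refs/heads/dev'
    # NOTE(review): deployment waits for `lint` only; the `security` job does
    # not gate it, and no `exit-code` input is set on the Trivy step, so
    # findings are reported rather than enforced. Confirm this is intended.
    needs: lint
    runs-on: ubuntu-latest
    # The job only calls an external webhook; it needs no repository token.
    permissions: {}
    steps:
      - name: Deploy to Coolify (Dev)
        env:
          # Pass the secret through the environment instead of expanding it
          # into the script text, so its content is never parsed as shell.
          COOLIFY_WEBHOOK: ${{ secrets.COOLIFY_DEV_WEBHOOK }}
        # --fail turns an HTTP error response into a failed step; without it
        # a rejected webhook call would still show as a successful deploy.
        run: |
          curl --fail --silent --show-error -X POST "$COOLIFY_WEBHOOK"

  deploy-prod:
    # Only true for pushes to main (see deploy-dev for the same reasoning).
    if: github.ref == 'refs/heads/main'
    # NOTE(review): production deploys are gated on `lint` only, not on the
    # `security` job. Confirm this is intended.
    needs: lint
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - name: Deploy to Coolify (Prod)
        env:
          COOLIFY_WEBHOOK: ${{ secrets.COOLIFY_PROD_WEBHOOK }}
        # --fail makes a rejected or erroring webhook call fail the job.
        run: |
          curl --fail --silent --show-error -X POST "$COOLIFY_WEBHOOK"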