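---
# DECNET CI: dev -> testing -> main promotion pipeline.
# A push to dev runs lint, SAST and the dependency audit, then auto-merges
# dev into testing; the push to testing that this produces runs the test
# suites, then auto-merges testing into main.
name: CI

on:
  push:
    branches: [dev, testing]
    paths-ignore:
      - "**/*.md"
      - "docs/**"

# Least privilege for the default GITHUB_TOKEN: no job pushes with it
# (the merge jobs check out with secrets.DECNET_PR_TOKEN instead).
permissions:
  contents: read

# Serialize runs per branch so two pushes cannot race each other's
# merge-and-push step; queued runs are not cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

# TODO(review): actions below are pinned by major tag (@v4/@v5) and the
# tools by bare `pip install`; pin actions to a full commit SHA and the
# tools to a version to harden the supply chain.
jobs:
  lint:
    name: Lint (ruff)
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/dev'
    steps:
      - uses: actions/checkout@v4
        with:
          # This job never pushes; keep the token out of .git/config.
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install ruff
      - run: ruff check decnet/

  bandit:
    name: SAST (bandit)
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/dev'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install bandit
      # -ll reports medium severity and above; -x excludes two paths from
      # the scan. TODO(review): record why these paths are excluded.
      - run: bandit -r decnet/ -ll -x decnet/services/registry.py -x decnet/templates/

  pip-audit:
    name: Dependency audit (pip-audit)
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/dev'
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install pip-audit
      - run: pip install -e .[dev]
      # --skip-editable leaves the locally checked-out package out of the
      # audit. TODO(review): the two ignored advisories have no recorded
      # justification here; note the reason and a re-check date.
      - run: pip-audit --skip-editable --ignore-vuln CVE-2025-65896 --ignore-vuln CVE-2026-3219

  merge-to-testing:
    name: Merge dev → testing
    runs-on: ubuntu-latest
    needs: [lint, bandit, pip-audit]
    if: github.ref == 'refs/heads/dev'
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history is needed for a real merge; the PAT is what makes
          # the resulting push trigger the testing-branch run.
          fetch-depth: 0
          token: ${{ secrets.DECNET_PR_TOKEN }}
      - name: Configure git
        run: |
          git config user.name "DECNET CI"
          git config user.email "ci@decnet.local"
      - name: Merge dev into testing
        # Same conflict handling as the testing → main merge below, so a
        # diverged branch fails with an explicit message instead of a bare
        # git error.
        run: |
          git fetch origin testing
          git checkout testing
          git merge origin/dev --no-ff -m "ci: auto-merge dev → testing" || {
            echo "CONFLICT: dev and testing have diverged — manual resolution required"
            exit 1
          }
          git push origin testing

  test-standard:
    name: Test (Standard)
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/testing'
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e .[dev]
      - run: pytest

  test-live:
    name: Test (Live)
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/testing'
    needs: [test-standard]
    services:
      mysql:
        image: mysql:8.0
        env:
          # Throwaway credentials for the ephemeral service container only.
          MYSQL_ROOT_PASSWORD: root
          MYSQL_DATABASE: decnet_test
        ports:
          # Quoted so the host:container pair is never read as a number.
          - "3307:3306"
        options: >-
          --health-cmd="mysqladmin ping -h 127.0.0.1"
          --health-interval=10s
          --health-timeout=5s
          --health-retries=5
    strategy:
      matrix:
        python-version: ["3.11"]
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e .[dev]
      - run: pytest -m live
        env:
          DECNET_MYSQL_HOST: 127.0.0.1
          DECNET_MYSQL_PORT: 3307
          DECNET_MYSQL_USER: root
          DECNET_MYSQL_PASSWORD: root
          DECNET_MYSQL_DATABASE: decnet_test

  merge-to-main:
    name: Merge testing → main
    runs-on: ubuntu-latest
    needs: [test-standard, test-live]
    if: github.ref == 'refs/heads/testing'
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.DECNET_PR_TOKEN }}
      - name: Configure git
        run: |
          git config user.name "DECNET CI"
          git config user.email "ci@decnet.local"
      - name: Merge testing into main
        run: |
          git fetch origin main
          git checkout main
          git merge origin/testing --no-ff -m "ci: auto-merge testing → main" || {
            echo "CONFLICT: testing and main have diverged — manual resolution required"
            exit 1
          }
          git push origin main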