name: CI

on:
  pull_request:
  push:
    branches: [master]
  # Allow maintainers to manually kick CI when GitHub doesn't create a run for a new head SHA.
  workflow_dispatch:

concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install uv
        run: python -m pip install --upgrade pip uv

      - name: Cache uv
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/uv
            backend/.venv
          key: uv-${{ runner.os }}-${{ hashFiles('backend/uv.lock') }}

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install backend dependencies
        run: make backend-sync

      - name: Install frontend dependencies
        run: make frontend-sync

      - name: Run backend checks
        env:
          # Keep CI builds deterministic and secretless.
          NEXT_TELEMETRY_DISABLED: "1"
        run: |
          make backend-lint
          make backend-typecheck
          make backend-coverage

      - name: Run frontend checks
        env:
          # Keep CI builds deterministic.
          NEXT_TELEMETRY_DISABLED: "1"
          # Clerk env (wired from repo settings; values are not printed).
          CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
          CLERK_JWKS_URL: ${{ vars.CLERK_JWKS_URL }}
        run: |
          make frontend-lint
          make frontend-typecheck
          make frontend-test
          make frontend-build

      - name: Upload coverage artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: coverage
          if-no-files-found: ignore
          path: |
            backend/coverage.xml
            frontend/coverage/**

  e2e:
    runs-on: ubuntu-latest
    needs: [check]

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install frontend dependencies
        run: make frontend-sync

      - name: Start frontend (dev server)
        env:
          NEXT_TELEMETRY_DISABLED: "1"
          CLERK_SECRET_KEY: ${{ secrets.CLERK_SECRET_KEY }}
          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
          CLERK_JWKS_URL: ${{ vars.CLERK_JWKS_URL }}
        run: |
          cd frontend
          npm run dev -- --port 3000 &
          for i in {1..60}; do
            if curl -sf http://localhost:3000/ > /dev/null; then exit 0; fi
            sleep 2
          done
          echo "Frontend did not start"
          exit 1

      - name: Run Cypress E2E
        env:
          NEXT_TELEMETRY_DISABLED: "1"
          # Cypress exposes env vars prefixed with CYPRESS_ via Cypress.env().
          CYPRESS_NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
          # Also set for the app itself.
          NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ vars.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY }}
        run: |
          cd frontend
          npm run e2e