name: build-and-push

on:
  push:
    branches:
      - main
      - dev

env:
  IMAGE_TAG: ${{ github.ref == 'refs/heads/dev' && 'dev' || 'latest' }}

jobs:
  lint:
    runs-on: self-hosted
    container:
      image: node:20-alpine
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install dependencies
        run: npm ci

      - name: Run ESLint
        run: npm run lint

  sonar:
    needs: lint
    runs-on: self-hosted
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install Node.js
        run: |
          apt-get update
          apt-get install -y curl
          curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
          apt-get install -y nodejs
      - name: Install Sonar Scanner (npm)
        run: npm install -g sonarqube-scanner
      - name: SonarQube Scan
        env:
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }}
        run: |
          WORKDIR=${GITHUB_WORKSPACE:-$PWD}
          HOST_URL=${SONAR_HOST_URL:?SONAR_HOST_URL secret not set}
          BRANCH_NAME=${GITHUB_REF#refs/heads/}
          PROJECT_KEY=${SONAR_PROJECT_KEY:-}
          if [ -z "$PROJECT_KEY" ] && [ -f sonar-project.properties ]; then
            PROJECT_KEY=$(grep -E '^sonar.projectKey=' sonar-project.properties | cut -d= -f2 | tr -d '\r')
          fi
          if [ -z "$PROJECT_KEY" ]; then
            echo "SONAR_PROJECT_KEY secret not set and no sonar-project.properties entry found" >&2
            exit 1
          fi
          echo "Sonar project key: $PROJECT_KEY"
          echo "Listing workspace:"
          ls -la
          echo "Sample files:"
          find . -maxdepth 2 -type f | head -n 20
          echo "Running local sonar-scanner..."
          set -- \
            -Dsonar.host.url="$HOST_URL" \
            -Dsonar.token="$SONAR_TOKEN" \
            -Dsonar.projectKey="$PROJECT_KEY" \
            -Dsonar.sources=. \
            -Dsonar.scm.disabled=true \
            -Dsonar.projectBaseDir="$WORKDIR"

          if [ "${SONAR_ENABLE_BRANCH:-}" = "true" ]; then
            set -- "$@" -Dsonar.branch.name="$BRANCH_NAME"
          else
            echo "Branch analysis disabled (requires SonarQube Developer Edition)"
          fi

          sonar-scanner "$@"

  docker:
    needs: [lint, sonar]
    runs-on: self-hosted
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Checkout
        uses: actions/checkout@v4

      - name: Login to registry

        run: echo "${{ secrets.REG_TOKEN }}" | docker login "${{ secrets.REGISTRY }}" -u "${{ secrets.REG_USER }}" --password-stdin


























































      - name: Build image
        run: |

          docker buildx build --load \
            -t "${{ secrets.REGISTRY_IMAGE }}:${{ env.IMAGE_TAG }}" .


      - name: Push image
        run: |
          docker push "${{ secrets.REGISTRY_IMAGE }}:${{ env.IMAGE_TAG }}"