when:
  - branch: main
    event: push

steps:

  - name: security-check
    image: alpine:3.20
    commands:
      - |
        if [ -f .env ]; then
          echo "ERREUR: .env ne doit pas etre commite dans le depot"
          exit 1
        fi
      - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
      - echo "Security check OK"

  - name: validate
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      APP_DOMAIN: validate.example.com
      SECRET_KEY: placeholder
    commands:
      - |
        export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
        docker compose -f docker/docker-compose.yml config --quiet
      - echo "docker-compose.yml valide"

  - name: test-backend
    image: python:3.11-slim
    commands:
      - pip install -r backend/requirements.txt
      - cd backend && python -m pytest tests/ -v --tb=short -k "not (test_saou_data_loaded or test_p0 or test_full_tariff or test_linear_p0)"

  # NOTE: volumes + pas de from_secret : compatible
  - name: build-backend
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - docker build -t sejeteralo-backend:latest -f docker/backend.Dockerfile --target production .
      - echo "Image backend construite"

  # NOTE: volumes + pas de from_secret : compatible
  - name: build-frontend
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - docker build -t sejeteralo-frontend:latest -f docker/frontend.Dockerfile --target production .
      - echo "Image frontend construite"

  # NOTE: volumes + pas de from_secret : compatible
  - name: sbom-generate
    image: alpine:3.20
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - apk add --no-cache curl
      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
      - mkdir -p .reports
      - syft sejeteralo-backend:latest -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json
      - syft sejeteralo-frontend:latest -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json
      - echo "SBOM generes"

  # NOTE: volumes + pas de from_secret : compatible
  - name: sbom-scan
    image: aquasec/trivy:latest
    volumes:
      - /home/syoul/trivy-cache:/root/.cache/trivy
    commands:
      - trivy sbom --format json --output .reports/trivy-backend.json .reports/sbom-backend.cyclonedx.json
      - trivy sbom --format json --output .reports/trivy-frontend.json .reports/sbom-frontend.cyclonedx.json
      - echo "Scan CVE termine"

  # NOTE: from_secret + pas de volumes : compatible
  - name: sbom-publish
    image: alpine/curl:latest
    environment:
      DTRACK_TOKEN:
        from_secret: dependency_track_token
      DTRACK_DOMAIN:
        from_secret: dtrack_domain
    commands:
      - |
        VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
        for COMPONENT in backend frontend; do
          HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \
            -H "X-Api-Key: $DTRACK_TOKEN" \
            -F "autoCreate=true" \
            -F "projectName=sejeteralo-$COMPONENT" \
            -F "projectVersion=$VERSION" \
            -F "bom=@.reports/sbom-$COMPONENT.cyclonedx.json")
          echo "HTTP $HTTP sejeteralo-$COMPONENT : $(cat /tmp/dtrack-resp.txt)"
          [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
        done

  # NOTE: from_secret + pas de volumes : compatible
  - name: write-env
    image: alpine:3.20
    environment:
      APP_DOMAIN:
        from_secret: app_domain
      SECRET_KEY:
        from_secret: secret_key
    commands:
      - env | grep -E "^(APP_DOMAIN|SECRET_KEY)=" > .env.deploy
      - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
      - echo ".env.deploy cree ($(wc -c < .env.deploy) octets)"

  - name: test-env
    image: alpine:3.20
    commands:
      - |
        [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; }
        echo "PASS: .env.deploy present"
      - |
        VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
        [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1
        echo "PASS: COMPOSE_PROJECT_NAME = $VAL"
      - |
        VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
        [ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1
        echo "PASS: APP_DOMAIN = $VAL"

  # NOTE: volumes + pas de from_secret : compatible
  # Routing Fabio gere automatiquement par Registrator via labels SERVICE_* du compose
  - name: deploy
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/sejeteralo:/opt/sejeteralo
    commands:
      - cp .env.deploy /opt/sejeteralo/.env
      - chmod 600 /opt/sejeteralo/.env
      - cp docker/docker-compose.yml /opt/sejeteralo/docker-compose.yml
      # Arreter avant le challenge ACME : libere le webroot pour sonic-acme-1
      - cd /opt/sejeteralo && docker compose stop
      - |
        DOMAIN=$(grep '^APP_DOMAIN=' /opt/sejeteralo/.env | cut -d= -f2)
        ACME_EXIT=0
        docker exec sonic-acme-1 /app/acme.sh \
          --home /etc/acme.sh \
          --issue -d "$DOMAIN" \
          --webroot /usr/share/nginx/html \
          --server letsencrypt \
          --accountemail support+acme@asycn.io || ACME_EXIT=$?
        if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
          echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
          exit 1
        fi
        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
        echo "TLS OK (acme exit $ACME_EXIT)"
      # Images construites localement dans la pipeline : pas de docker compose pull
      - cd /opt/sejeteralo && docker compose up -d --remove-orphans
      - cd /opt/sejeteralo && docker compose ps

  # NOTE: volumes + pas de from_secret : compatible
  - name: test-deploy
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/sejeteralo:/opt/sejeteralo
    commands:
      - |
        PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/sejeteralo/.env | cut -d= -f2)
        for SVC in backend frontend; do
          STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-$SVC" 2>/dev/null || echo "absent")
          echo "$PROJECT-$SVC : $STATUS"
          [ "$STATUS" = "running" ] || { echo "FAIL: $PROJECT-$SVC non running"; exit 1; }
        done
        echo "PASS: tous les containers running"

  - name: healthcheck
    image: alpine:3.20
    commands:
      - apk add --no-cache --quiet curl
      - |
        SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
        TARGET="https://$SITE"
        echo "Healthcheck $TARGET..."
        MAX=60
        i=0
        until [ $i -ge $MAX ]; do
          CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
          echo "Tentative $((i+1))/$MAX - HTTP $CODE"
          if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
            echo "PASS: app repond sur $TARGET"
            exit 0
          fi
          i=$((i+1))
          sleep 10
        done
        echo "FAIL: app ne repond pas apres 10 minutes"
        exit 1

  - name: notify-failure
    image: alpine:3.20
    commands:
      - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"'
    when:
      - status: failure