name: CI
# CI Wakdo - Forgejo Actions (runner stark-wakdo, label `docker`).
# Strategie solo dev : PR obligatoire + auto-merge sur CI verte (voir SECURITY.md).
#
# Etat des jobs selon la phase projet :
#   - secret-scan : fonctionnel des maintenant (gitleaks scanne tout le depot)
#   - php-lint    : fonctionnel sur les fichiers PHP presents (stubs P1, code P2+)
#   - static-tests: PHPStan + PHPUnit GARDES - s'activent quand P2 ajoute
#                   composer.json / phpstan.neon / tests + phpunit.xml

on:
  pull_request:
    branches: [dev, main]
    # `labeled` : permet au job auto-merge de s'evaluer quand on pose le label.
    types: [opened, synchronize, reopened, labeled]
  push:
    # dev/main : porte de merge. feat|fix|ci|refactor : feedback avant la PR.
    branches: [dev, main, 'feat/**', 'fix/**', 'ci/**', 'refactor/**']

jobs:
  secret-scan:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install tools
        run: |
          apt-get update -qq
          apt-get install -y -qq curl ca-certificates tar >/dev/null
      - name: Install gitleaks
        run: |
          VER=8.21.2
          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${VER}/gitleaks_${VER}_linux_x64.tar.gz" -o /tmp/gl.tgz
          tar -xzf /tmp/gl.tgz -C /usr/local/bin gitleaks
          gitleaks version
      - name: Scan for secrets
        run: gitleaks detect --config .gitleaks.toml --redact --no-banner --verbose

  php-lint:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - name: Install PHP CLI
        run: |
          apt-get update -qq
          apt-get install -y -qq php-cli >/dev/null
          php --version
      - name: Lint all PHP files
        run: |
          set -eu
          files=$(find . -path ./node_modules -prune -o -name '*.php' -print)
          if [ -z "$files" ]; then echo "No PHP files yet - skip"; exit 0; fi
          echo "$files" | while IFS= read -r f; do
            [ -z "$f" ] && continue
            php -l "$f"
          done

  static-tests:
    runs-on: docker
    # COMPOSER-LESS (decision 4 / 5, PROJECT_CONTEXT.md) : PHPStan et PHPUnit
    # tournent depuis leur .phar autonome telecharge ici, jamais via Composer.
    # Versions epinglees pour des CI reproductibles (pas de "latest").
    env:
      PHPUNIT_VERSION: "11.5.2"
      PHPSTAN_VERSION: "1.12.27"
    steps:
      - uses: actions/checkout@v4
      - name: PHPStan (guarded)
        run: |
          set -eu
          if [ ! -f phpstan.neon ]; then
            echo "PHPStan skipped: no phpstan.neon yet (activates in P2)"
            exit 0
          fi
          echo "phpstan.neon detected - running PHPStan ${PHPSTAN_VERSION} via .phar"
          apt-get update -qq && apt-get install -y -qq php-cli php-xml php-mbstring curl ca-certificates >/dev/null
          # PHPUnit phar present pour que phpstan.neon (scanDirectories phar://phpunit.phar)
          # resolve les symboles PHPUnit\Framework\* utilises sous tests/.
          curl -sSL "https://phar.phpunit.de/phpunit-${PHPUNIT_VERSION}.phar" -o phpunit.phar
          curl -sSL "https://github.com/phpstan/phpstan/releases/download/${PHPSTAN_VERSION}/phpstan.phar" -o phpstan.phar
          php phpstan.phar --version
          # memory_limit=-1 : l'analyse parallele depasse les 128M par defaut du php-cli.
          php -d memory_limit=-1 phpstan.phar analyse --no-progress --error-format=raw
      - name: PHPUnit (guarded)
        run: |
          set -eu
          if [ ! -d tests ] || [ ! -f phpunit.xml ]; then
            echo "PHPUnit skipped: no tests/ + phpunit.xml yet (activates in P2)"
            exit 0
          fi
          echo "phpunit.xml + tests/ detected - running PHPUnit ${PHPUNIT_VERSION} via .phar"
          apt-get update -qq && apt-get install -y -qq php-cli php-xml php-mbstring curl ca-certificates >/dev/null
          curl -sSL "https://phar.phpunit.de/phpunit-${PHPUNIT_VERSION}.phar" -o phpunit.phar
          php phpunit.phar --version
          php phpunit.phar -c phpunit.xml

  auto-merge:
    # Fusion automatique OPT-IN : poser le label `auto-merge` sur la PR.
    # Ne s'execute que si les 3 checks passent (needs).
    # IMPORTANT : le filtrage par label se fait DANS le step via l'API, pas dans
    # `if:` — l'expression contains(github.event.pull_request.labels.*.name, ...)
    # de Forgejo n'est pas fiable (elle s'evalue a vrai meme sans label, ce qui
    # fusionnait toute PR verte). La verification shell sur l'API est le vrai gate.
    needs: [secret-scan, php-lint, static-tests]
    if: github.event_name == 'pull_request'
    runs-on: docker
    steps:
      - name: Install curl
        run: apt-get update -qq && apt-get install -y -qq curl ca-certificates >/dev/null
      - name: Merge PR (squash) si label auto-merge present et CI verte
        run: |
          API="${{ github.server_url }}/api/v1/repos/${{ github.repository }}"
          PR="${{ github.event.pull_request.number }}"
          TOKEN="${{ secrets.FORGEJO_TOKEN }}"
          labels=$(curl -s -H "Authorization: token $TOKEN" "$API/issues/$PR/labels")
          if ! printf '%s' "$labels" | grep -q '"name"[[:space:]]*:[[:space:]]*"auto-merge"'; then
            echo "Pas de label 'auto-merge' sur la PR #$PR -> relecture manuelle, pas de fusion auto."
            exit 0
          fi
          echo "Label 'auto-merge' present + CI verte -> fusion de la PR #$PR"
          code=$(curl -s -o /tmp/resp -w "%{http_code}" -X POST \
            -H "Authorization: token $TOKEN" \
            -H "Content-Type: application/json" \
            -d '{"Do":"squash","delete_branch_after_merge":true}' \
            "$API/pulls/$PR/merge")
          echo "merge HTTP $code"; cat /tmp/resp || true; echo
          [ "$code" = "200" ] || { echo "auto-merge failed (HTTP $code)"; exit 1; }
          echo "PR #$PR mergee."