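---
# CI Wakdo - Forgejo Actions (runner stark-wakdo, label `docker`).
# Solo-dev strategy: PR required + auto-merge on green CI (see SECURITY.md).
#
# Job status by project phase:
# - secret-scan : works now (gitleaks scans the whole repository history)
# - php-lint    : works on the PHP files present (P1 stubs, P2+ code)
# - static-tests: PHPStan + PHPUnit are GUARDED - they activate when P2 adds
#                 composer.json / phpstan.neon / tests + phpunit.xml
#
# Supply-chain notes:
# - actions/checkout is pinned by major tag; pinning to a commit SHA gives a
#   stronger guarantee that the action's code cannot change underneath us.
# - Every downloaded binary/installer is checksum-verified before execution.
name: CI

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [dev, main]
  push:
    # dev/main: merge gate. feat|fix|ci|refactor: feedback before the PR.
    branches: [dev, main, 'feat/**', 'fix/**', 'ci/**', 'refactor/**']

jobs:
  secret-scan:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so gitleaks can inspect every commit, not just HEAD.
          fetch-depth: 0
      - name: Install tools
        run: |
          apt-get update -qq
          apt-get install -y -qq curl ca-certificates tar >/dev/null
      - name: Install gitleaks
        run: |
          set -eu
          VER=8.21.2
          ARCHIVE="gitleaks_${VER}_linux_x64.tar.gz"
          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${VER}"
          # Pin the archive digest here once known (copy it from the release's
          # gitleaks_${VER}_checksums.txt into this workflow). When left empty,
          # the digest is taken from the checksums file published with the
          # release, which only guards against a corrupted or mismatched
          # download - not against a compromised release.
          GITLEAKS_SHA256=""
          cd /tmp
          # --fail makes curl exit non-zero on HTTP errors instead of saving
          # an error page as the archive.
          curl -fsSL "${BASE}/${ARCHIVE}" -o "${ARCHIVE}"
          if [ -z "${GITLEAKS_SHA256}" ]; then
            curl -fsSL "${BASE}/gitleaks_${VER}_checksums.txt" -o checksums.txt
            GITLEAKS_SHA256=$(grep " ${ARCHIVE}\$" checksums.txt | cut -d' ' -f1)
          fi
          if [ -z "${GITLEAKS_SHA256}" ]; then
            echo "No checksum available for ${ARCHIVE}" >&2
            exit 1
          fi
          # sha256sum -c fails the step on mismatch.
          echo "${GITLEAKS_SHA256}  ${ARCHIVE}" | sha256sum -c -
          tar -xzf "${ARCHIVE}" -C /usr/local/bin gitleaks
          gitleaks version
      - name: Scan for secrets
        # --redact keeps matched secret values out of the CI log; --verbose
        # still lists where each finding is.
        run: gitleaks detect --config .gitleaks.toml --redact --no-banner --verbose

  php-lint:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - name: Install PHP CLI
        run: |
          apt-get update -qq
          apt-get install -y -qq php-cli >/dev/null
          php --version
      - name: Lint all PHP files
        run: |
          set -eu
          # Third-party trees (node_modules, vendor) are not our code to lint.
          files=$(find . \( -path ./node_modules -o -path ./vendor \) -prune -o -name '*.php' -print)
          if [ -z "$files" ]; then echo "No PHP files yet - skip"; exit 0; fi
          status=0
          # Lint every file and report all failures instead of stopping at the
          # first one; the heredoc keeps the loop in the current shell so
          # $status survives.
          while IFS= read -r f; do
            [ -z "$f" ] && continue
            php -l "$f" || status=1
          done <<EOF
          $files
          EOF
          exit "$status"

  static-tests:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
      - name: PHPStan (guarded)
        run: |
          set -eu
          if [ -f composer.json ] && [ -f phpstan.neon ]; then
            echo "phpstan config detected - running"
            # curl/ca-certificates are installed explicitly; the base image is
            # not guaranteed to ship them.
            apt-get update -qq && apt-get install -y -qq php-cli unzip git curl ca-certificates >/dev/null
            # Install Composer through the signed installer instead of piping
            # curl straight into php: download to a file, compare its SHA-384
            # with the digest published by the Composer project, then run it.
            EXPECTED=$(curl -fsSL https://composer.github.io/installer.sig)
            curl -fsSL https://getcomposer.org/installer -o /tmp/composer-setup.php
            ACTUAL=$(php -r "echo hash_file('sha384', '/tmp/composer-setup.php');")
            if [ "$EXPECTED" != "$ACTUAL" ]; then
              echo "Composer installer checksum mismatch" >&2
              rm -f /tmp/composer-setup.php
              exit 1
            fi
            php /tmp/composer-setup.php --install-dir=/usr/local/bin --filename=composer
            rm -f /tmp/composer-setup.php
            composer install --no-interaction --no-progress
            vendor/bin/phpstan analyse --no-progress
          else
            echo "PHPStan skipped: no composer.json/phpstan.neon yet (activates in P2)"
          fi
      - name: PHPUnit (guarded)
        # vendor/ comes from the PHPStan step above when composer.json and
        # phpstan.neon are both present; phpunit.phar is the fallback.
        run: |
          set -eu
          if [ -d tests ] && [ -f phpunit.xml ]; then
            echo "phpunit config detected - running"
            apt-get update -qq && apt-get install -y -qq php-cli >/dev/null
            if [ -f vendor/bin/phpunit ]; then
              vendor/bin/phpunit
            elif [ -f phpunit.phar ]; then
              php phpunit.phar
            else
              echo "phpunit binary missing despite config" >&2
              exit 1
            fi
          else
            echo "PHPUnit skipped: no tests/ + phpunit.xml yet (activates in P2)"
          fi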