localgreenchain/.github/workflows/ci.yml

# LocalGreenChain CI Pipeline
# Combined: Agent 4 (Production Deployment) + Agent 5 (Testing)
#
# Runs on every push and pull request:
# - Linting, formatting, and type checking
# - Unit and integration tests
# - E2E tests with Cypress
# - Build verification
# - Docker build (main branch only)
# - Security scanning

name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  NODE_ENV: test
  NODE_VERSION: '18'

jobs:
  # ==========================================================================
  # Lint and Type Check
  # ==========================================================================
  lint:
    name: Lint & Format
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run ESLint
        run: bun run lint

      - name: Check formatting
        run: bun run format:check

  type-check:
    name: Type Check
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run TypeScript type checking
        run: bun run type-check

  # ==========================================================================
  # Unit Tests
  # ==========================================================================
  test:
    name: Unit & Integration Tests
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run tests with coverage
        run: bun run test:ci

      - name: Upload test results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: test-results
          path: |
            coverage/
            junit.xml            
          retention-days: 30

  # ==========================================================================
  # Build
  # ==========================================================================
  build:
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 15
    needs: [lint, type-check, test]
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Build application
        run: bun run build
        env:
          NEXT_TELEMETRY_DISABLED: 1

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .next/
          retention-days: 7

  # ==========================================================================
  # E2E Tests
  # ==========================================================================
  e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: build
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: build-output
          path: .next/

      - name: Run Cypress tests
        uses: cypress-io/github-action@v6
        with:
          start: bun run start
          wait-on: 'http://localhost:3001'
          wait-on-timeout: 120
          browser: chrome
          record: false

      - name: Upload Cypress screenshots
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: cypress-screenshots
          path: cypress/screenshots
          retention-days: 7

      - name: Upload Cypress videos
        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: cypress-videos
          path: cypress/videos
          retention-days: 7

  # ==========================================================================
  # Docker Build (only on main branch)
  # ==========================================================================
  docker:
    name: Docker Build
    runs-on: ubuntu-latest
    timeout-minutes: 20
    needs: [build]
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: localgreenchain:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # ==========================================================================
  # Security Scan
  # ==========================================================================
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    needs: [lint]
    steps:
      - uses: actions/checkout@v4

      - name: Setup Bun
        uses: oven-sh/setup-bun@v1
        with:
          bun-version: latest

      - name: Install dependencies
        run: bun install --frozen-lockfile

      - name: Run security audit
        run: bun pm audit || true
        continue-on-error: true

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'