POTE/.github/workflows/ci.yml

---
name: CI

on:
  push:
    branches: [main, master]
  pull_request:

jobs:
  lint-and-test:
    runs-on: ubuntu-latest
    container:
      image: python:3.11-bullseye
    
    services:
      postgres:
        image: postgres:15
        env:
          POSTGRES_USER: poteuser
          POSTGRES_PASSWORD: ${{ secrets.DB_PASSWORD || 'testpass123' }}
          POSTGRES_DB: potedb_test
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5

    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Install system dependencies
        run: |
          apt-get update
          apt-get install -y postgresql-client

      - name: Install Python dependencies
        run: |
          pip install --upgrade pip
          pip install -e ".[dev]"

      - name: Run linters
        run: |
          echo "Running ruff..."
          ruff check src/ tests/ || true
          echo "Running black check..."
          black --check src/ tests/ || true
          echo "Running mypy..."
          mypy src/ --install-types --non-interactive || true

      - name: Run tests with coverage
        env:
          DATABASE_URL: postgresql://poteuser:${{ secrets.DB_PASSWORD || 'testpass123' }}@postgres:5432/potedb_test
          SMTP_HOST: ${{ secrets.SMTP_HOST || 'localhost' }}
          SMTP_PORT: 587
          SMTP_USER: ${{ secrets.SMTP_USER || 'test@example.com' }}
          SMTP_PASSWORD: ${{ secrets.SMTP_PASSWORD || 'dummy' }}
          FROM_EMAIL: ${{ secrets.FROM_EMAIL || 'test@example.com' }}
        run: |
          pytest tests/ -v --cov=src/pote --cov-report=term --cov-report=xml

      - name: Test scripts
        env:
          DATABASE_URL: postgresql://poteuser:${{ secrets.DB_PASSWORD || 'testpass123' }}@postgres:5432/potedb_test
        run: |
          echo "Testing database migrations..."
          alembic upgrade head
          echo "Testing price loader..."
          python scripts/fetch_sample_prices.py || true

  security-scan:
    runs-on: ubuntu-latest
    container:
      image: python:3.11-bullseye
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Install dependencies
        run: |
          pip install --upgrade pip
          pip install safety bandit

      - name: Run safety check
        run: |
          pip install -e .
          safety check --json || true
        continue-on-error: true

      - name: Run bandit security scan
        run: |
          bandit -r src/ -f json -o bandit-report.json || true
          bandit -r src/ -f screen
        continue-on-error: true

  dependency-scan:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:latest
    steps:
      - name: Install Node.js for checkout action
        run: |
          apk add --no-cache nodejs npm curl

      - name: Check out code
        uses: actions/checkout@v4

      - name: Scan dependencies
        run: trivy fs --scanners vuln --exit-code 0 .

  docker-build-test:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: pote:test
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Test Docker image
        run: |
          docker run --rm pote:test python -c "import pote; print('POTE import successful')"

  workflow-summary:
    runs-on: ubuntu-latest
    needs: [lint-and-test, security-scan, dependency-scan, docker-build-test]
    if: always()
    steps:
      - name: Generate workflow summary
        run: |
          echo "## 🔍 CI Workflow Summary" >> $GITHUB_STEP_SUMMARY || true
          echo "" >> $GITHUB_STEP_SUMMARY || true
          echo "### Job Results" >> $GITHUB_STEP_SUMMARY || true
          echo "" >> $GITHUB_STEP_SUMMARY || true
          echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY || true
          echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY || true
          echo "| 🧪 Lint & Test | ${{ needs.lint-and-test.result }} |" >> $GITHUB_STEP_SUMMARY || true
          echo "| 🔒 Security Scan | ${{ needs.security-scan.result }} |" >> $GITHUB_STEP_SUMMARY || true
          echo "| 📦 Dependency Scan | ${{ needs.dependency-scan.result }} |" >> $GITHUB_STEP_SUMMARY || true
          echo "| 🐳 Docker Build | ${{ needs.docker-build-test.result }} |" >> $GITHUB_STEP_SUMMARY || true
          echo "" >> $GITHUB_STEP_SUMMARY || true
          echo "### 📊 Summary" >> $GITHUB_STEP_SUMMARY || true
          echo "" >> $GITHUB_STEP_SUMMARY || true
          echo "All checks have completed. Review individual job logs for details." >> $GITHUB_STEP_SUMMARY || true