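name: CI

on:
  push:
    branches: [lotus]
  pull_request:
    branches: [lotus]

# Least privilege for the automatically issued workflow token: the build job
# only needs to read the repository, and the desktop trigger authenticates
# with its own RELEASE_TOKEN secret instead.
permissions:
  contents: read

jobs:
  build:
    name: 'Build & Quality Checks'
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by the mutable tag v4.
      # Pin them to a full commit SHA if the project's supply-chain policy
      # requires immutable references.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes, so do not leave the checkout token in
          # .git/config where later steps (npm lifecycle and build scripts)
          # could read it.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: '.node-version'
          cache: npm

      - name: Install dependencies
        run: npm ci

      # ── Critical gate — if this fails, nothing deploys ──────────────────
      # NOTE(review): SENTRY_AUTH_TOKEN is also handed to the build on
      # pull_request runs, where the build executes code from the PR branch.
      # Consider supplying it only on push events if PR builds do not need it.
      - name: Build
        run: npm run build
        env:
          NODE_OPTIONS: '--max_old_space_size=4096'
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          VITE_APP_VERSION: ${{ github.sha }}

      # ── Quality checks (informational — pre-existing issues exist) ───────
      - name: TypeScript
        run: npm run typecheck
        continue-on-error: true

      - name: ESLint
        run: npm run check:eslint
        continue-on-error: true

      - name: Prettier
        run: npm run check:prettier
        continue-on-error: true

      # ── Security ─────────────────────────────────────────────────────────
      # continue-on-error keeps this advisory: high/critical findings in
      # production dependencies are logged but never fail the job, so the
      # desktop trigger below still runs. Someone has to read the log.
      - name: Audit (high/critical)
        run: npm audit --audit-level=high --omit=dev
        continue-on-error: true

      # ── Bundle size report ───────────────────────────────────────────────
      # Writes a Markdown table (file, on-disk size, gzip size) for every
      # non-sourcemap .js asset into the step summary.
      - name: Report bundle sizes
        run: |
          echo "### Bundle sizes" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "| File | Size | Gzip |" >> "$GITHUB_STEP_SUMMARY"
          echo "|------|------|------|" >> "$GITHUB_STEP_SUMMARY"
          # IFS= and -r keep file names intact (no trimming, no backslash
          # interpretation).
          find dist/assets -name "*.js" -not -name "*.map" | sort | while IFS= read -r f; do
            name=$(basename "$f")
            size=$(du -sh "$f" | cut -f1)
            gzip_size=$(gzip -c "$f" | wc -c | awk '{printf "%.1f kB", $1/1024}')
            echo "| $name | $size | $gzip_size |" >> "$GITHUB_STEP_SUMMARY"
          done

  # ── Desktop build trigger ──────────────────────────────────────────────
  # Gated on `build` succeeding so a broken push (e.g. failing `npm ci` or
  # `npm run build`) never bumps the cinny-desktop submodule and kicks off the
  # slow Tauri release builds, which would only error out downstream. Only
  # runs on a real push to lotus — not on pull_request CI runs.
  trigger-desktop:
    name: Trigger Desktop Build
    needs: build
    if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/lotus' }}
    runs-on: ubuntu-latest
    steps:
      - name: Bump cinny submodule
        env:
          TOKEN: ${{ secrets.RELEASE_TOKEN }}
          # Passed through the environment rather than expanded into the
          # script text, so the shell never parses workflow-expression output.
          CINNY_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail

          # Stop with a clear message if the secret is missing; the value
          # itself is never printed.
          : "${TOKEN:?RELEASE_TOKEN secret is not available}"

          # The clone URL carries the token, so git records it in the
          # clone's .git/config. Delete the clone when the step exits so the
          # credential does not linger in the runner workspace.
          # NOTE(review): presumably RELEASE_TOKEN can push to cinny-desktop
          # main; confirm it is scoped to that repository only.
          workdir="$PWD/desktop"
          trap 'rm -rf "$workdir"' EXIT

          git clone "https://x-access-token:$TOKEN@code.lotusguild.org/LotusGuild/cinny-desktop.git" "$workdir"
          cd "$workdir"
          git config user.email "ci@lotusguild.org"
          git config user.name "Lotus CI"

          # Move the cinny submodule to the commit that just passed `build`.
          git submodule update --init cinny
          git -C cinny fetch origin
          git -C cinny checkout "$CINNY_SHA"
          git add cinny

          # An unchanged index means the submodule already points at this
          # commit; skip the empty commit and push.
          if git diff --cached --quiet; then
            echo "Submodule already at $CINNY_SHA, nothing to do"
          else
            git commit -m "chore: bump cinny submodule to ${CINNY_SHA:0:8}"
            git push origin main
            echo "Pushed — cinny-desktop release.yml will start via on:push trigger"
          fi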