name: Release and Docker Deploy

on:
  push:
    branches:
      - "main"
  pull_request:
  workflow_dispatch:
  schedule:
    - cron: "0 3 1 * *"  # Monthly rebuild at 03:00 UTC on the 1st

permissions:
  contents: write
  issues: write
  pull-requests: write
  packages: write
  security-events: write
  id-token: write  # for cosign signing

jobs:
  lint:
    name: Lint (ruff/black/mypy)
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        python-version: ['3.12', '3.13', '3.14']
    steps:
      - uses: actions/checkout@v5

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}

      - name: Set up uv
        uses: astral-sh/setup-uv@v3
        with:
          version: "latest"

      # If your dev tools (ruff/black/rst-lint/rich/etc.) are in optional-dependencies
      # like [project.optional-dependencies.dev], this installs them.
      - name: Install project (dev)
        run: uv sync --all-extras --dev

      - name: Ruff
        run: uv run ruff check src

      - name: Black
        run: |
          uv run black --version
          uv run black --check --color --diff .

      - name: Mypy
        run: |
          uv run mypy .

  release:
    name: Semantic Release
    runs-on: ubuntu-latest
    needs: [lint]
    outputs:
      published: ${{ steps.semrel.outputs.new_release_published }}
      version: ${{ steps.semrel.outputs.new_release_version }}
      tag: ${{ steps.semrel.outputs.new_release_git_tag }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - name: Setup Node
        uses: actions/setup-node@v6
        with:
          node-version: 20

      - name: Install dependencies
        run: npm ci

      - name: Run semantic-release
        id: semrel
        uses: cycjimmy/semantic-release-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          extra_plugins: |
            @semantic-release/changelog
            @semantic-release/git
            @semantic-release/npm

      - name: Update VERSION file in repo
        if: steps.semrel.outputs.new_release_published == 'true'
        run: |
          echo "v${{ steps.semrel.outputs.new_release_version }}" > VERSION
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add VERSION
          git diff --cached --quiet || git commit -m "chore: update VERSION to v${{ steps.semrel.outputs.new_release_version }}"
          git push

  docker:
    name: Build and Push Docker Image
    needs: [release]
    if: needs.release.result == 'success'
    runs-on: ubuntu-latest
    env:
      RELEASE_VERSION: ${{ needs.release.outputs.version }}
      RELEASE_TAG: ${{ needs.release.outputs.tag }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v5

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PAT }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: graystorm/amcrest2mqtt
          tags: |
            type=raw,value=${{ env.RELEASE_TAG }}
            type=raw,value=latest
          labels: |
            org.opencontainers.image.title=amcrest2mqtt
            org.opencontainers.image.description=Publishes Amcrest device data to MQTT for Home Assistant
            org.opencontainers.image.url=https://www.graystorm.com
            org.opencontainers.image.documentation=https://github.com/${{ github.repository }}#readme
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Fetch tags
        run: git fetch --tags --force

      - name: Ensure VERSION is set
        id: version-fallback
        run: |
          if [ -z "${{ needs.release.outputs.version }}" ]; then
            TAG=$(git tag --sort=-creatordate | head -n 1)
            if [ -z "$TAG" ]; then
              echo "No tags found — defaulting to 0.0.0"
              TAG="0.0.0"
            fi
            echo "Using existing tag: $TAG"
            echo "VERSION=$TAG" >> $GITHUB_ENV
          else
            echo "VERSION=${{ needs.release.outputs.version }}" >> $GITHUB_ENV
          fi

      - name: Build and push
        id: build-and-push
        uses: docker/build-push-action@v6
        with:
          context: .
          pull: true
          push: true
          build-args: |
            VERSION=${{ env.VERSION }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/arm64,linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          sbom: true
          provenance: true

      - name: Install Cosign
        uses: sigstore/cosign-installer@v3

      - name: Sign the image
        env:
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          cosign sign --yes graystorm/amcrest2mqtt@${DIGEST}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: graystorm/amcrest2mqtt@${{ steps.build-and-push.outputs.digest }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'