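---
# CI workflow: lints, tests and audits the backend and frontend in parallel,
# then (only once both pass) builds the compose images and runs a Trivy
# filesystem scan of the checkout.
name: CI

on:
  push:
  pull_request:

# Least privilege for the job token: every step below only reads the
# repository (checkout); nothing here writes back to GitHub.
permissions:
  contents: read

jobs:
  backend:
    runs-on: ubuntu-latest
    defaults:
      run:
        # All shell steps run from backend/, replacing the repeated `cd backend &&`.
        working-directory: backend
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      - name: Install backend
        run: |
          python -m pip install --upgrade pip
          pip install ".[dev]"

      - name: Lint
        run: ruff check app

      - name: Test
        run: pytest

      # Known-vulnerability audit of the installed Python environment.
      - name: Audit
        run: pip-audit

      # Static security analysis of application code; the test tree is excluded.
      - name: Bandit
        run: bandit -q -r app -x app/tests

  frontend:
    runs-on: ubuntu-latest
    defaults:
      run:
        # All shell steps run from frontend/, replacing the repeated `cd frontend &&`.
        working-directory: frontend
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: npm
          # setup-node resolves this path from the repository root, not from
          # the run working-directory, so the frontend/ prefix stays.
          cache-dependency-path: frontend/package-lock.json

      - name: Install frontend
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Typecheck
        run: npm run typecheck

      - name: Test
        run: npm test -- --run

      # Fails the job on moderate-or-higher advisories against the lockfile.
      - name: Audit
        run: npm audit --audit-level=moderate

  docker:
    runs-on: ubuntu-latest
    needs: [backend, frontend]
    steps:
      - uses: actions/checkout@v4

      - name: Build images
        run: docker compose build

      # NOTE(review): `@master` is a mutable ref, so the action's code can change
      # underneath this workflow with no diff here; pin it to a release tag or,
      # better, a full commit SHA.
      # With exit-code "0" the scan is report-only: CRITICAL/HIGH findings are
      # printed in the log but never fail the job. Set it to "1" to make this
      # step an enforced gate.
      - name: Trivy filesystem scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH
          exit-code: "0"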