include:
    - project: 'esv/bsf/pypi/prosper'
      ref: v0.64.1
      file: '/prosper/templates/projects/docker.yml'

variables:
# renovate: datasource=gitlab-tags depName=esv/bsf/pypi/prosper versioning=semver registryUrl=https://gitlab.global.bsf.tools
  PROSPER_VERSION: v0.64.1

kics:
  allow_failure: true

hadolint:
  allow_failure: true

# secrets job is a blocking check - real credential leaks should fail the pipeline

# Run Python backend tests
python_tests:
  stage: test
  image: deps.global.bsf.tools/docker/python:3.12-slim
  before_script:
    - pip install -r backend/requirements.txt
    - pip install pytest pytest-asyncio httpx
  script:
    - cd backend
    - python -m pytest -v

# Run frontend tests
frontend_tests:
  stage: test
  image: deps.global.bsf.tools/docker/node:20-alpine
  before_script:
    - cd frontend
    - npm ci
  script:
    - npm run test -- --run
  rules:
    - exists:
        - frontend/package.json

# Shared deploy configuration
.deploy_template: &deploy_template
  stage: deploy
  needs: [build_image]
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12

.helm_setup: &helm_setup
  - helm version
  - helm repo add stable https://charts.helm.sh/stable
  - helm repo add bitnami https://charts.bitnami.com/bitnami
  - cd helm/orchard
  - helm dependency update
  - helm repo update

.verify_deployment: &verify_deployment |
  echo "=== Waiting for health endpoint (certs may take a few minutes) ==="
  for i in $(seq 1 30); do
    if curl -sf --max-time 10 "$BASE_URL/health" > /dev/null 2>&1; then
      echo "Health check passed!"
      break
    fi
    echo "Attempt $i/30 - waiting 10s..."
    sleep 10
  done

  # Verify health endpoint
  echo ""
  echo "=== Health Check ==="
  curl -sf "$BASE_URL/health" || { echo "Health check failed"; exit 1; }
  echo ""

  # Verify API is responding
  echo ""
  echo "=== API Check (GET /api/v1/projects) ==="
  HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" "$BASE_URL/api/v1/projects")
  if [ "$HTTP_CODE" = "200" ]; then
    echo "API responding: HTTP $HTTP_CODE"
  else
    echo "API check failed: HTTP $HTTP_CODE"
    exit 1
  fi

  # Verify frontend is served
  echo ""
  echo "=== Frontend Check ==="
  if curl -sf "$BASE_URL/" | grep -q "</html>"; then
    echo "Frontend is being served"
  else
    echo "Frontend check failed"
    exit 1
  fi

  echo ""
  echo "=== All checks passed! ==="
  echo "Deployment URL: $BASE_URL"

# Deploy to stage (main branch)
deploy_stage:
  <<: *deploy_template
  variables:
    NAMESPACE: orch-stage-namespace
    VALUES_FILE: helm/orchard/values-stage.yaml
    BASE_URL: https://orchard-stage.common.global.bsf.tools
  before_script:
    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-stage
    - *helm_setup
  script:
    - echo "Deploying to stage environment"
    - cd $CI_PROJECT_DIR
    - |
      helm upgrade --install orchard-stage ./helm/orchard \
        --namespace $NAMESPACE \
        -f $VALUES_FILE \
        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
        --wait \
        --timeout 5m
    - kubectl rollout status deployment/orchard-stage -n $NAMESPACE --timeout=5m
    - *verify_deployment
  environment:
    name: stage
    url: https://orchard-stage.common.global.bsf.tools
    kubernetes:
      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-stage
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'
      when: always

# Deploy feature branch to dev namespace
deploy_feature:
  <<: *deploy_template
  variables:
    NAMESPACE: orch-dev-namespace
    VALUES_FILE: helm/orchard/values-dev.yaml
  before_script:
    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
    - *helm_setup
  script:
    - echo "Deploying feature branch $CI_COMMIT_REF_SLUG"
    - cd $CI_PROJECT_DIR
    - |
      helm upgrade --install orchard-$CI_COMMIT_REF_SLUG ./helm/orchard \
        --namespace $NAMESPACE \
        -f $VALUES_FILE \
        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
        --set ingress.hosts[0].host=orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set ingress.tls[0].hosts[0]=orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set ingress.tls[0].secretName=orchard-$CI_COMMIT_REF_SLUG-tls \
        --set minioIngress.host=minio-$CI_COMMIT_REF_SLUG.common.global.bsf.tools \
        --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \
        --wait \
        --timeout 5m
    - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG -n $NAMESPACE --timeout=5m
    - export BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools"
    - *verify_deployment
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools
    on_stop: cleanup_feature
    kubernetes:
      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
  rules:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      when: always

# Cleanup feature branch deployment
cleanup_feature:
  <<: *deploy_template
  needs: []
  variables:
    NAMESPACE: orch-dev-namespace
  before_script:
    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
  script:
    - echo "Cleaning up feature deployment orchard-$CI_COMMIT_REF_SLUG"
    - helm uninstall orchard-$CI_COMMIT_REF_SLUG --namespace $NAMESPACE || true
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
    kubernetes:
      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
  rules:
    - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
      when: manual
  allow_failure: true