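# CI workflow: Rust lint/test, coverage baseline, frontend build,
# dependency audit and mini-program tests.
#
# NOTE(review): actions are referenced by mutable tag or branch
# (`@v4`, `@v2`, `@stable`). Pinning the third-party ones to a full commit
# SHA makes runs reproducible and protects against a re-pointed tag.
name: CI

on:
  push:
    branches: [main]
  # Keep this as `pull_request` (not `pull_request_target`): jobs below build
  # and execute code from the PR head.
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: every job below only reads the repository.
permissions:
  contents: read

jobs:
  rust-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: ". -> target"
      - run: cargo fmt --check --all
      - run: cargo clippy -- -D warnings

  rust-test:
    runs-on: ubuntu-latest
    services:
      postgres:
        image: postgres:16
        # Throwaway credentials for the ephemeral service container only.
        env:
          POSTGRES_DB: erp_test
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
        ports:
          - "5432:5432"
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: ". -> target"
      - run: cargo test --workspace
        # CI-only test values; they must never match a deployed environment.
        env:
          ERP__DATABASE__URL: postgres://test:test@localhost:5432/erp_test
          ERP__JWT__SECRET: ci-test-secret
          ERP__AUTH__SUPER_ADMIN_PASSWORD: CI_Test_Pass_2026

  # PP-10: coverage baseline (soft-gate phase).
  # For now continue-on-error=true, so coverage becomes visible and a report
  # artifact is produced. Later, raise the fail-under threshold based on real
  # baseline data (target: service layer >= 60%) and remove continue-on-error
  # to harden the gate. See docs/discussions/2026-06-25-analysis/ PP-10.
  coverage:
    runs-on: ubuntu-latest
    continue-on-error: true
    services:
      postgres:
        image: postgres:16
        # Throwaway credentials for the ephemeral service container only.
        env:
          POSTGRES_DB: erp_test
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
        ports:
          - "5432:5432"
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      - uses: Swatinem/rust-cache@v2
        with:
          workspaces: ". -> target"
      - name: Install cargo-tarpaulin
        run: cargo install cargo-tarpaulin --locked
      - name: Run coverage (fail-under 20% baseline)
        run: >-
          cargo tarpaulin --workspace --out Xml --output-dir coverage
          --fail-under 20 -- --test-threads=2
        # CI-only test values; they must never match a deployed environment.
        env:
          ERP__DATABASE__URL: postgres://test:test@localhost:5432/erp_test
          ERP__JWT__SECRET: ci-test-secret
          ERP__AUTH__SUPER_ADMIN_PASSWORD: CI_Test_Pass_2026
      # Upload even when the coverage step failed, so the report is available
      # exactly when the threshold is missed.
      - uses: actions/upload-artifact@v4
        if: ${{ !cancelled() }}
        with:
          name: coverage-report
          path: coverage/
          if-no-files-found: warn

  frontend-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: cd apps/web && corepack enable && pnpm install --frozen-lockfile
      - run: cd apps/web && pnpm build

  # NOTE(review): job-level continue-on-error makes this audit advisory only;
  # known-vulnerable dependencies do not block a merge. Drop it once the
  # backlog of findings is cleared.
  security-audit:
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # --locked installs the audit tool with the dependency versions its
      # authors published, matching how cargo-tarpaulin is installed above.
      - run: cargo install cargo-audit --locked && cargo audit
      # Run the Node audit even when `cargo audit` reported findings;
      # otherwise a Rust advisory would hide every npm advisory.
      - uses: actions/setup-node@v4
        if: ${{ !cancelled() }}
        with:
          node-version: "20"
      - if: ${{ !cancelled() }}
        run: >-
          cd apps/web && corepack enable &&
          pnpm install --frozen-lockfile && pnpm audit

  miniprogram-test:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: apps/miniprogram
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
      - run: corepack enable && pnpm install --frozen-lockfile
      - name: TypeScript check
        run: npx tsc --noEmit
      - name: Run tests
        run: npx vitest run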