app/.github/workflows/ci.yml

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  lint-typecheck:
    name: Lint & Typecheck
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Typecheck
        run: pnpm typecheck

      - name: Lint
        run: pnpm lint

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Run tests
        run: pnpm test

  e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    needs: [lint-typecheck, test]
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Install Playwright browsers
        run: pnpm --filter @groombook/e2e exec playwright install --with-deps chromium

      - name: Start Docker Compose stack
        run: docker compose up -d --wait
        timeout-minutes: 5

      - name: Run E2E tests
        run: pnpm --filter @groombook/e2e test

      - name: Upload Playwright report
        if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: playwright-report
          path: apps/e2e/playwright-report/
          retention-days: 7

      - name: Stop Docker Compose stack
        if: always()
        run: docker compose down

  build:
    name: Build
    runs-on: ubuntu-latest
    needs: [lint-typecheck, test]
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: pnpm

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Build all packages
        run: pnpm build

  docker:
    name: Build & Push Docker Images
    runs-on: ubuntu-latest
    needs: [build, e2e]
    outputs:
      tag: ${{ steps.version.outputs.tag }}
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      - name: Generate image tag
        id: version
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            TAG="pr-${{ github.event.pull_request.number }}"
          else
            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
          fi
          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
          echo "Image tag: $TAG"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push API image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: runner
          push: true
          tags: |
            ghcr.io/groombook/api:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/api:latest' || '' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Build and push Migrate image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: migrate
          push: true
          tags: |
            ghcr.io/groombook/migrate:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/migrate:latest' || '' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Build and push Seed image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/api/Dockerfile
          target: seed
          push: true
          tags: |
            ghcr.io/groombook/seed:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/seed:latest' || '' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Build and push Web image
        uses: docker/build-push-action@v6
        with:
          context: .
          file: apps/web/Dockerfile
          push: true
          tags: |
            ghcr.io/groombook/web:${{ steps.version.outputs.tag }}
            ${{ github.ref == 'refs/heads/main' && 'ghcr.io/groombook/web:latest' || '' }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  deploy-dev:
    name: Deploy PR to groombook-dev
    runs-on: runners-groombook
    needs: [docker]
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Install kubectl
        run: |
          curl -sLO "https://dl.k8s.io/release/$(curl -sL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          chmod +x kubectl
          sudo mv kubectl /usr/local/bin/
          kubectl version --client

      - name: Deploy to groombook-dev
        env:
          TAG: pr-${{ github.event.pull_request.number }}
          PR_NUM: ${{ github.event.pull_request.number }}
        run: |
          echo "Deploying images tagged $TAG to groombook-dev..."

          # Run migration with PR image
          kubectl delete job migrate-schema -n groombook-dev --ignore-not-found
          kubectl delete job "migrate-pr-$PR_NUM" -n groombook-dev --ignore-not-found
          cat <<EOF | kubectl apply -n groombook-dev -f -
          apiVersion: batch/v1
          kind: Job
          metadata:
            name: migrate-pr-$PR_NUM
          spec:
            ttlSecondsAfterFinished: 3600
            backoffLimit: 2
            template:
              spec:
                restartPolicy: Never
                containers:
                - name: migrate
                  image: ghcr.io/groombook/migrate:$TAG
                  env:
                  - name: DATABASE_URL
                    valueFrom:
                      secretKeyRef:
                        name: groombook-postgres-credentials-dev
                        key: uri
          EOF
          kubectl wait --for=condition=complete "job/migrate-pr-$PR_NUM" \
            -n groombook-dev --timeout=120s

          # Update deployments
          kubectl set image deployment/api api=ghcr.io/groombook/api:$TAG -n groombook-dev
          kubectl set image deployment/web web=ghcr.io/groombook/web:$TAG -n groombook-dev

          # Wait for rollout
          kubectl rollout status deployment/api -n groombook-dev --timeout=120s
          kubectl rollout status deployment/web -n groombook-dev --timeout=120s

          echo "Deployment complete."

      - name: Comment on PR
        uses: actions/github-script@v7
        with:
          script: |
            const pr = context.issue.number;
            const tag = `pr-${pr}`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr,
              body: [
                '## Deployed to groombook-dev',
                '',
                `**Images:** \`${tag}\``,
                '**URL:** https://dev.groombook.farh.net',
                '',
                'Ready for UAT validation.'
              ].join('\n')
            });

  cd:
    name: Update Infra Image Tags
    runs-on: ubuntu-latest
    needs: [docker]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Generate infra repo token
        id: infra-token
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ vars.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}

      - name: Clone groombook/infra
        run: |
          git clone https://x-access-token:${{ steps.infra-token.outputs.token }}@github.com/groombook/infra.git /tmp/infra

      - name: Update image tags
        env:
          TAG: ${{ needs.docker.outputs.tag }}
        run: |
          if [ -z "$TAG" ]; then
            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
          fi
          echo "Updating image tags to: $TAG"

          cd /tmp/infra

          # Update api.yaml
          sed -i "s|ghcr.io/groombook/api:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/api:${TAG}|g" apps/groombook/base/api.yaml
          sed -i "s|groombook.dev/image-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.dev/image-version: \"${TAG}\"|g" apps/groombook/base/api.yaml

          # Update web.yaml
          sed -i "s|ghcr.io/groombook/web:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/web:${TAG}|g" apps/groombook/base/web.yaml
          sed -i "s|groombook.dev/image-version: \"[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*\"|groombook.dev/image-version: \"${TAG}\"|g" apps/groombook/base/web.yaml

          # Update migrate-job.yaml
          sed -i "s|ghcr.io/groombook/migrate:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/migrate:${TAG}|g" apps/groombook/base/migrate-job.yaml
          sed -i "s|groombook.app/deploy-version: \"[a-zA-Z0-9-]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/migrate-job.yaml

          # Update seed-job.yaml
          sed -i "s|ghcr.io/groombook/seed:[0-9][0-9][0-9][0-9].[0-9][0-9].[0-9][0-9]-[a-f0-9]*|ghcr.io/groombook/seed:${TAG}|g" apps/groombook/base/seed-job.yaml
          sed -i "s|groombook.app/deploy-version: \"[a-zA-Z0-9-]*\"|groombook.app/deploy-version: \"${TAG}\"|g" apps/groombook/base/seed-job.yaml

          git -C /tmp/infra diff --stat

      - name: Create PR on groombook/infra
        env:
          TAG: ${{ needs.docker.outputs.tag }}
          GH_TOKEN: ${{ steps.infra-token.outputs.token }}
        run: |
          if [ -z "$TAG" ]; then
            TAG="$(date -u +%Y.%m.%d)-${GITHUB_SHA::7}"
          fi

          cd /tmp/infra
          git config user.name "groombook-engineer[bot]"
          git config user.email "3141748+groombook-engineer[bot]@users.noreply.github.com"
          git checkout -b "chore/update-image-tags-${TAG}"
          git add apps/groombook/base/
          git commit -m "chore: update image tags to ${TAG}"

          git push -u origin "chore/update-image-tags-${TAG}"

          # Create PR with auto-merge
          PR_URL=$(gh pr create \
            --repo groombook/infra \
            --base main \
            --head "chore/update-image-tags-${TAG}" \
            --title "chore: update image tags to ${TAG}" \
            --body "[GRO-178](/GRO/issues/GRO-178) — automated image tag update from main merge")
          gh pr merge "$PR_URL" --auto --merge