Tracearr/.github/workflows/ci.yml

name: CI

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize]

jobs:
  # ---------------------------------
  # Lint & Typecheck
  # ---------------------------------
  lint-and-typecheck:
    name: Lint & Typecheck
    runs-on: ubuntu-latest
    container:
      image: node:22-bookworm
    timeout-minutes: 10
    env:
      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
    steps:
      - uses: actions/checkout@v4
      - name: Enable pnpm
        run: corepack enable
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Lint
        run: pnpm lint
      - name: Typecheck
        run: pnpm typecheck

  # ---------------------------------
  # Unit / Service / Route / Security Tests
  # ---------------------------------
  test:
    name: Test (${{ matrix.group }})
    runs-on: ubuntu-latest
    container:
      image: node:22-bookworm
    timeout-minutes: 15
    env:
      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
    strategy:
      fail-fast: false
      matrix:
        group: [unit, services, routes, security]
    steps:
      - uses: actions/checkout@v4
      - name: Enable pnpm
        run: corepack enable
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Build dependencies (shared, test-utils)
        run: pnpm turbo run build --filter=@tracearr/shared --filter=@tracearr/test-utils
      - name: Run ${{ matrix.group }} tests
        run: pnpm --filter @tracearr/server test:${{ matrix.group }}

  # ---------------------------------
  # Integration Tests (TimescaleDB + Redis)
  # ---------------------------------
  test-integration:
    name: Test (integration)
    runs-on: ubuntu-latest
    container:
      image: node:22-bookworm
    timeout-minutes: 15
    env:
      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
      TEST_DATABASE_URL: postgresql://test:test@timescale:5432/tracearr_test
      TEST_REDIS_URL: redis://redis:6379
    services:
      timescale:
        image: timescale/timescaledb:latest-pg15
        env:
          POSTGRES_USER: test
          POSTGRES_PASSWORD: test
          POSTGRES_DB: tracearr_test
        options: >-
          --health-cmd "pg_isready -U test -d tracearr_test"
          --health-interval 5s
          --health-timeout 3s
          --health-retries 10
      redis:
        image: redis:7-alpine
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 5s
          --health-timeout 3s
          --health-retries 5
    steps:
      - uses: actions/checkout@v4
      - name: Enable pnpm
        run: corepack enable
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Build dependencies (shared, test-utils)
        run: pnpm turbo run build --filter=@tracearr/shared --filter=@tracearr/test-utils
      - name: Run integration tests
        run: pnpm --filter @tracearr/server test:integration

  # ---------------------------------
  # Test Coverage
  # ---------------------------------
  test-coverage:
    name: Test Coverage
    runs-on: ubuntu-latest
    container:
      image: node:22-bookworm
    timeout-minutes: 15
    env:
      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
    steps:
      - uses: actions/checkout@v4
      - name: Enable pnpm
        run: corepack enable
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Build dependencies (shared, test-utils)
        run: pnpm turbo run build --filter=@tracearr/shared --filter=@tracearr/test-utils
      - name: Run tests with coverage
        run: pnpm test:coverage
      - name: Upload coverage reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: coverage-report
          path: apps/server/coverage/
          retention-days: 7
          if-no-files-found: warn

  # ---------------------------------
  # Build App
  # ---------------------------------
  build:
    name: Build
    runs-on: ubuntu-latest
    container:
      image: node:22-bookworm
    timeout-minutes: 15
    needs:
      - lint-and-typecheck
      - test
      - test-integration
      - test-coverage
    env:
      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
    steps:
      - uses: actions/checkout@v4
      - name: Enable pnpm
        run: corepack enable
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Build
        run: pnpm build

  # ---------------------------------
  # Deploy to Docker
  # ---------------------------------
  deploy:
    name: Deploy Tracearr
    runs-on: ubuntu-latest
    container:
      image: docker:26-cli
    needs: build
    if: github.ref == 'refs/heads/main'
    env:
      REGISTRY: gitea.yourdomain.co.nz
      IMAGE_NAME: tracearr
      IMAGE_TAG: latest
      REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
      REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - name: Login to Gitea registry
        run: |
          echo "${REGISTRY_TOKEN}" | docker login $REGISTRY \
            -u "${REGISTRY_USER}" --password-stdin
      - name: Build Docker image
        run: |
          docker build \
            -t $REGISTRY/$REGISTRY_USER/$IMAGE_NAME:$IMAGE_TAG \
            -f docker/Dockerfile .
      - name: Push Docker image
        run: |
          docker push $REGISTRY/$REGISTRY_USER/$IMAGE_NAME:$IMAGE_TAG
      - name: Deploy via docker compose
        run: |
          docker compose -f docker/docker-compose.yml pull
          docker compose -f docker/docker-compose.yml up -d