OmniRoute/.github/workflows/ci.yml

name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run lint
      - run: npm run check:cycles
      - run: npm run check:route-validation:t06
      - run: npm run check:any-budget:t11
      - run: npm run check:docs-sync
      - run: npm run typecheck:core
      - run: npm run typecheck:noimplicit:core

  i18n:
    name: i18n Validation
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        lang: ${{ fromJson(needs.i18n-matrix.outputs.langs) }}
    needs: i18n-matrix
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - name: Validate ${{ matrix.lang }}
        run: |
          echo "Validating language: ${{ matrix.lang }}"
          python3 scripts/validate_translation.py quick -l '${{ matrix.lang }}'
      - name: Report to summary
        if: always()
        run: |
          echo "### ${{ matrix.lang }} Translation Report" >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
          python3 scripts/validate_translation.py quick -l '${{ matrix.lang }}' >> $GITHUB_STEP_SUMMARY 2>&1
          echo '```' >> $GITHUB_STEP_SUMMARY

  i18n-matrix:
    name: Build language matrix
    runs-on: ubuntu-latest
    outputs:
      langs: ${{ steps.langs.outputs.langs }}
    steps:
      - uses: actions/checkout@v4
      - name: Generate language list
        id: langs
        run: |
          LANG_DIR="src/i18n/messages"
          LANGS=$(ls "$LANG_DIR"/*.json | xargs -n1 basename | sed 's/.json$//' | grep -v '^en$' | jq -R . | jq -s . | jq -c .)
          echo "langs=${LANGS}" >> $GITHUB_OUTPUT

  security:
    name: Security Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - name: Dependency audit
        run: npm audit --audit-level=high --omit=dev
      - name: Check for known vulnerabilities
        run: npx is-my-node-vulnerable
        continue-on-error: true

  build:
    name: Build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [20, 22]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - run: npm ci
      - run: npm run build

  test-unit:
    name: Unit Tests
    runs-on: ubuntu-latest
    needs: build
    strategy:
      matrix:
        node-version: [20, 22]
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: npm
      - run: npm ci
      - run: npm run test:unit

  test-coverage:
    name: Coverage
    runs-on: ubuntu-latest
    needs: build
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run test:coverage
      - name: Check coverage threshold
        run: |
          echo "Coverage report generated. Check output for threshold compliance."

  test-e2e:
    name: E2E Tests
    runs-on: ubuntu-latest
    needs: build
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npx playwright install --with-deps chromium
      - run: npm run build
      - run: npm run test:e2e

  test-integration:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: build
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
      INITIAL_PASSWORD: ci-test-password-for-integration
      DATA_DIR: /tmp/omniroute-ci
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run test:integration

  test-security:
    name: Security Tests
    runs-on: ubuntu-latest
    needs: build
    env:
      JWT_SECRET: ci-test-secret-with-sufficient-length-for-validation
      API_KEY_SECRET: ci-test-api-key-secret-long
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npm run test:security