name: CI
on:
  push:
    branches: [main]
  pull_request:

permissions: {}

jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      postgres:
        image: postgres:17-alpine
        env:
          POSTGRES_USER: sifa
          POSTGRES_PASSWORD: sifa
          POSTGRES_DB: sifa_test
        ports: ['5432:5432']
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
      valkey:
        image: valkey/valkey:8-alpine
        ports: ['6379:6379']

    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: 25
          cache: npm

      - run: npm ci
      - name: Security Audit
        run: npm audit --audit-level=high
      - name: Lint
        run: npm run lint
      - name: Type Check
        run: npm run typecheck
      - name: Format Check
        run: npm run format:check
      - name: Run Migrations
        run: npm run db:migrate
        env:
          DATABASE_URL: postgresql://sifa:sifa@localhost:5432/sifa_test
      - name: Test
        run: npm test
        env:
          DATABASE_URL: postgresql://sifa:sifa@localhost:5432/sifa_test
          VALKEY_URL: redis://localhost:6379

  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: github/codeql-action/init@820e3160e279568db735cee8ed8f8e77a6da7818 # v3
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@820e3160e279568db735cee8ed8f8e77a6da7818 # v3