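# CI workflow: runs the backend library tests against a throwaway PostgreSQL
# container, driving Podman through its remote socket from inside the job
# container.
#
# NOTE(review): `runs-on: [ci]` is a custom label, presumably a self-hosted
# runner. The job container is expected to reach a Podman socket (checked in
# the first step), so confirm that pull_request runs from untrusted
# contributors require approval before they execute on this runner.
name: CI/CD Pipeline with Direct Podman Access

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  # REGISTRY and APP_NAME are not referenced by the steps visible here.
  REGISTRY: ${{ secrets.REGISTRY_HOST }}
  APP_NAME: ${{ secrets.APP_NAME }}
  IMAGE_TAG: ${{ github.sha }}
  # Used to give the network and container per-run names.
  RUN_ID: ${{ github.run_id }}
  # Image references come from secrets; "Verify pinned digests" fails the job
  # when any of them is empty or is not a digest reference.
  RUST_IMG_DIGEST: ${{ secrets.RUST_IMG_DIGEST }}
  NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }}
  POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }}

jobs:
  test-backend:
    runs-on: [ci]
    container:
      # Job image is pinned by digest rather than by a mutable tag.
      image: git.gcdo.org/devteam/sharenet/ci-node-podman@sha256:eb0d942bd9a8cc69c63eb9ccf3877703898d676d0268cf379defdcda7e55f37f
    steps:
      # NOTE(review): `v4` is a mutable tag, unlike the digest-pinned images
      # in this workflow; consider pinning the action to a full commit SHA.
      - uses: actions/checkout@v4

      - name: Verify podman socket
        run: |
          # pipefail: without it the pipeline below reports sed's exit status,
          # so an unreachable Podman service would not fail this step.
          set -euo pipefail
          echo "DOCKER_HOST=${DOCKER_HOST:-}"
          test -S /tmp/podman/podman.sock || { echo "missing /tmp/podman/podman.sock"; exit 1; }
          mkdir -p "${XDG_CONFIG_HOME:-/tmp/.config}/containers"
          # Prefer explicit remote; fallback to podman-remote if that's what's installed
          (podman --remote info || podman-remote info) | sed -n '1,80p'

      - name: Verify pinned digests
        run: |
          set -euo pipefail
          # Checks the shape of each reference only (<something>@sha256:<64 hex>);
          # it does not check which registry or repository the reference names.
          for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST; do
            [ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
            echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
          done

      # RUN_ID is read from the step environment ("$RUN_ID") instead of being
      # expanded into the script text, matching how the image digests are
      # passed to the shell.
      # NOTE(review): --internal presumably leaves containers on this network
      # without outbound connectivity, so the test image or workspace would
      # need to carry the crates already — confirm.
      - name: Create internal network
        run: podman --remote network create --internal "integ-${RUN_ID}"

      # Throwaway credentials for a database that exists only for this run and
      # is attached only to the per-run network; do not reuse them elsewhere.
      - name: Start PostgreSQL
        run: |
          podman --remote run -d \
            --name "test-postgres-${RUN_ID}" \
            --network "integ-${RUN_ID}" \
            -e POSTGRES_PASSWORD=password \
            -e POSTGRES_USER=postgres \
            -e POSTGRES_DB=sharenet_test \
            "$POSTGRES_IMG_DIGEST"

      # Polls pg_isready inside the database container once per second;
      # `timeout 60` bounds the wait.
      - name: Wait for PostgreSQL
        run: |
          timeout 60 bash -euc '
            until podman --remote exec "test-postgres-${RUN_ID}" \
              pg_isready -h 127.0.0.1 -p 5432 -U postgres; do
              sleep 1
            done
          '

      # NOTE(review): with --remote the bind-mount source is presumably
      # resolved by the Podman service, not by this job container — confirm
      # the checkout is visible to it at the same path.
      - name: Run backend tests
        run: |
          podman --remote run --rm \
            -v "$PWD":/workspace \
            -w /workspace \
            --network "integ-${RUN_ID}" \
            -e "DATABASE_URL=postgres://postgres:password@test-postgres-${RUN_ID}:5432/sharenet_test" \
            "$RUST_IMG_DIGEST" \
            sh -lc 'cargo test --lib -- --test-threads=1'

      # Best-effort teardown: runs even when earlier steps fail, and ignores
      # errors so a missing container or network does not fail the job.
      - name: Cleanup
        if: always()
        run: |
          podman --remote rm -f "test-postgres-${RUN_ID}" 2>/dev/null || true
          podman --remote network rm "integ-${RUN_ID}" 2>/dev/null || true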