name: CI - Lint & Test

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_call:

# CI flake mitigation:
# ci.yml is triggered TWICE per PR on the same commit — once directly via
# the `pull_request` trigger above ("Frontend Tests & Build" check) and once
# via `workflow_call` from docker-publish.yml ("CI Gate / Frontend Tests &
# Build" check). Both jobs land on the same Actions runner pool at the same
# time and fight for CPU/RAM. Under contention, React's reconciliation in
# `messagesViewFirstContact.test.tsx > removes an approved contact …`
# overruns its 5s waitFor timeout — that's the single failure mode we've
# seen flake on PRs #226, #237, #261, #262, #265, #294, #303, and the
# fd7d6fa push. Backend tests and every other frontend test pass under
# the same conditions, which is what made this look random.
#
# Pinning a concurrency group on the SHA (PR head, or the pushed commit
# for main) serializes the two invocations so neither starves the other.
# We use cancel-in-progress: false so the second one queues instead of
# cancelling — cancelling could leave the PR check stuck "Expected" if
# only one of the two ever finishes. Total CI time grows by ~2 min in
# exchange for deterministic outcomes.
concurrency:
  group: ci-${{ github.event.pull_request.head.sha || github.sha }}
  cancel-in-progress: false

jobs:
  frontend:
    name: Frontend Tests & Build
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: frontend
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
          cache-dependency-path: frontend/package-lock.json
      - run: npm ci
      - run: npm run lint
      - run: npm run format:check
      - run: npx vitest run --reporter=verbose
      - run: npm run build
      - run: npm run bundle:report

  backend:
    name: Backend Lint & Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run secret scan
        run: bash backend/scripts/scan-secrets.sh --all
      - name: Install uv
        uses: astral-sh/setup-uv@v5
        with:
          enable-cache: true
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - name: Install dependencies
        run: cd backend && uv sync --frozen --group dev
      - run: cd backend && uv run ruff check .
      - run: cd backend && uv run black --check .
      - run: cd backend && uv run python -c "from services.fetchers.retry import with_retry; from services.env_check import validate_env; print('Module imports OK')"
      - name: Run release smoke tests
        run: |
          cd backend
          uv run pytest \
            tests/mesh/test_mesh_node_bootstrap_runtime.py \
            tests/mesh/test_mesh_infonet_sync_support.py \
            tests/mesh/test_mesh_canonical.py \
            tests/mesh/test_mesh_merkle.py \
            tests/test_release_helper.py \
            -v --tb=short