.github/workflows/pipeline.yml

name: Pipeline
on: [push, workflow_dispatch]

env:
    REGISTRY: ghcr.io
    IMAGE_NAME: ${{ github.repository }}

jobs:
    static_analysis:
        runs-on: ubuntu-latest
        steps:
            - uses: actions/checkout@v4
            - uses: actions/setup-python@v5
              with:
                python-version: '3.11'
            - name: Install Dependencies and library
              shell: bash
              run: |
                set -ux
                python -m pip install --upgrade pip
                pip install -e ".[dev]"
            - name: Run mypy
              shell: bash
              run: mypy captn google_ads openai_agent application.py

            - name: Run bandit
              shell: bash
              run: bandit -c pyproject.toml -r captn

            - name: Run Semgrep
              shell: bash
              run: semgrep scan --config auto --error

    test:
      runs-on: ubuntu-latest
      strategy:
        matrix:
          pytest-marks: ["not openai", "openai and (not brief_creation_team and not campaign_creation_team and not weekly_analysis_team and not get_info_from_the_web_page)", "brief_creation_team and openai", "campaign_creation_team and openai", "weekly_analysis_team", "get_info_from_the_web_page"]
        fail-fast: false
      services:
        postgres:
          image: postgres:13
          env:
            POSTGRES_USER: postgres
            POSTGRES_PASSWORD: postgres
            POSTGRES_DB: gads
          ports:
            - 5432:5432
          options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
      env:
        INFOBIP_API_KEY: "dummy_key"
        INFOBIP_BASE_URL: "dummy_url"
        DATABASE_URL: "postgresql://postgres:postgres@localhost:5432/gads"
        AZURE_API_VERSION: ${{ secrets.STAGING_AZURE_API_VERSION }}
        AZURE_API_ENDPOINT: ${{ secrets.STAGING_AZURE_API_ENDPOINT }}
        AZURE_API_ENDPOINT_GPT4O: ${{ secrets.STAGING_AZURE_API_ENDPOINT_GPT4O }}
        AZURE_GPT4O_MODEL: ${{ secrets.STAGING_AZURE_GPT4O_MODEL }}
        AZURE_GPT4_MODEL: ${{ secrets.STAGING_AZURE_GPT4_MODEL }}
        AZURE_GPT35_MODEL: ${{ secrets.STAGING_AZURE_GPT35_MODEL }}
        AZURE_OPENAI_API_KEY: ${{ secrets.STAGING_AZURE_OPENAI_API_KEY }}
        AZURE_OPENAI_API_KEY_GPT4O: ${{ secrets.STAGING_AZURE_OPENAI_API_KEY_GPT4O }}
      steps:
        - uses: actions/checkout@v4
        - name: Set up Python
          uses: actions/setup-python@v5
          with:
            python-version: "3.11"
            cache: "pip"
            cache-dependency-path: pyproject.toml
        - name: Install Dependencies
          run: pip install -e ".[dev]"
        - name: Prisma generate
          run: prisma generate
        - name: Create client secrets file
          run: echo '{"web":{"client_id":"dummy.apps.googleusercontent.com","project_id":"dummy-id","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_secret":"dummy-secret","redirect_uris":["http://localhost:9000/login/callback"]}}' > client_secret.json
        - name: Test
          run: pytest tests/ci/ -m "${{ matrix.pytest-marks }}"

    docker_build_push:
        runs-on: ubuntu-22.04
        permissions:
            contents: read
            packages: write
        env:
            PORT: ${{ vars.PORT }}
        steps:
            - name: Checkout repository
              uses: actions/checkout@v4
            - uses: actions/setup-node@v4
              with:
                node-version: 18

            - name: Install wasp
              run: curl -sSL https://get.wasp-lang.dev/installer.sh | sh

            - name: Log in to the Container registry
              uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
              with:
                  registry: ${{ env.REGISTRY }}
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_TOKEN }}

            - run: docker pull ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME || docker pull ghcr.io/$GITHUB_REPOSITORY:dev || true
            - run: docker build --build-arg PORT=$PORT -t ghcr.io/$GITHUB_REPOSITORY:${GITHUB_REF_NAME////-} .
            - name: Add tag latest if branch is main
              if: github.ref_name == 'main'
              run: docker tag ghcr.io/$GITHUB_REPOSITORY:$GITHUB_REF_NAME ghcr.io/$GITHUB_REPOSITORY:latest
            - name: Push only if branch name is main or dev
              if: github.ref_name == 'main' || github.ref_name == 'dev'
              run: docker push ghcr.io/$GITHUB_REPOSITORY --all-tags

    # https://github.com/marketplace/actions/alls-green#why
    check: # This job does nothing and is only used for the branch protection
      if: github.event.pull_request.draft == false

      needs:
        - test
        - static_analysis
        - docker_build_push

      runs-on: ubuntu-latest

      steps:
        - name: Decide whether the needed jobs succeeded or failed
          uses: re-actors/alls-green@release/v1 # nosemgrep
          with:
            jobs: ${{ toJSON(needs) }}

    deploy:
          runs-on: ubuntu-22.04
          defaults:
              run:
                  shell: bash
          needs: [check]
          if: github.ref_name == 'main' || github.ref_name == 'dev'
          env:
              GITHUB_USERNAME: ${{ github.actor }}
              GITHUB_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
              DEVELOPER_TOKEN: ${{ secrets.DEVELOPER_TOKEN }}
              PORT: ${{ vars.PORT }}

              DOMAIN: ${{ github.ref_name == 'main' && vars.PROD_DOMAIN || vars.STAGING_DOMAIN }}
              REDIRECT_DOMAIN: ${{ github.ref_name == 'main' && vars.PROD_REDIRECT_DOMAIN || vars.STAGING_REDIRECT_DOMAIN }}
              CLIENT_SECRET: ${{ github.ref_name == 'main' && secrets.PROD_CLIENT_SECRET || secrets.STAGING_CLIENT_SECRET }}
              DATABASE_URL: ${{ github.ref_name == 'main' && secrets.PROD_DATABASE_URL || secrets.STAGING_DATABASE_URL }}
              REACT_APP_API_URL: ${{ github.ref_name == 'main' && secrets.PROD_REACT_APP_API_URL || secrets.STAGING_REACT_APP_API_URL }}
              AZURE_API_VERSION: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_API_VERSION || secrets.STAGING_AZURE_API_VERSION }}
              AZURE_API_ENDPOINT: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_API_ENDPOINT || secrets.STAGING_AZURE_API_ENDPOINT }}
              AZURE_API_ENDPOINT_GPT4O: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_API_ENDPOINT_GPT4O || secrets.STAGING_AZURE_API_ENDPOINT_GPT4O }}
              AZURE_GPT4_MODEL: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_GPT4_MODEL || secrets.STAGING_AZURE_GPT4_MODEL }}
              AZURE_GPT4O_MODEL: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_GPT4O_MODEL || secrets.STAGING_AZURE_GPT4O_MODEL }}
              AZURE_GPT35_MODEL: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_GPT35_MODEL || secrets.STAGING_AZURE_GPT35_MODEL }}
              AZURE_OPENAI_API_KEY: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_OPENAI_API_KEY || secrets.STAGING_AZURE_OPENAI_API_KEY }}
              AZURE_OPENAI_API_KEY_GPT4O: ${{ github.ref_name == 'main' && secrets.PROD_AZURE_OPENAI_API_KEY_GPT4O || secrets.STAGING_AZURE_OPENAI_API_KEY_GPT4O }}
              INFOBIP_API_KEY: ${{ github.ref_name == 'main' && secrets.PROD_INFOBIP_API_KEY || secrets.STAGING_INFOBIP_API_KEY }}
              INFOBIP_BASE_URL: ${{ github.ref_name == 'main' && secrets.PROD_INFOBIP_BASE_URL || secrets.STAGING_INFOBIP_BASE_URL }}
              SSH_KEY: ${{ github.ref_name == 'main' && secrets.PROD_SSH_KEY || secrets.STAGING_SSH_KEY }}
          steps:
              - uses: actions/checkout@v3 # Don't change it to cheackout@v4. V4 is not working with container image.
              # This is to fix GIT not liking owner of the checkout dir - https://github.com/actions/runner/issues/2033#issuecomment-1204205989
              - run: chown -R $(id -u):$(id -g) $PWD

              - run: if [[ $GITHUB_REF_NAME == "main" ]]; then echo "TAG=latest" >> $GITHUB_ENV ; else echo "TAG=dev" >> $GITHUB_ENV ; fi;

              - run: echo "PATH=$PATH:/github/home/.local/bin" >> $GITHUB_ENV
              - run: 'which ssh-agent || ( apt-get update -y && apt-get install openssh-client git gettext -y )'
              - run: eval $(ssh-agent -s)
              - run: mkdir -p ~/.ssh
              - run: chmod 700 ~/.ssh
              - run: ssh-keyscan "$DOMAIN" >> ~/.ssh/known_hosts
              - run: chmod 644 ~/.ssh/known_hosts
              - run: echo "$SSH_KEY" | base64 --decode > key.pem
              - run: chmod 600 key.pem

              - run: ssh -o StrictHostKeyChecking=no -i key.pem azureuser@"$DOMAIN" "docker images"
              - run: bash scripts/deploy.sh

              - run: rm key.pem