name: Security Check and Deploy

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  security-check:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v3
    
    - name: Set up Python
      uses: actions/setup-python@v4
      with:
        python-version: '3.10'
    
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install -r requirements.txt
    
    # Run Snyk security scan
    - name: Run Snyk Security Scan
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      run: |
        # Install Snyk CLI
        curl -Lo snyk https://static.snyk.io/cli/latest/snyk-linux
        chmod +x snyk
        
        # Authenticate with Snyk
        ./snyk auth $SNYK_TOKEN
        
        echo "===== Python Dependency Security Scan ====="
        # Test for vulnerabilities (non-blocking initially)
        ./snyk test --severity-threshold=high --file=requirements.txt || true
        
        # Generate SARIF report for GitHub Security tab
        ./snyk test --severity-threshold=low --file=requirements.txt --sarif-file-output=snyk.sarif || true
        
        echo "===== Security Scan Complete ====="
      continue-on-error: true
    
    # Upload results to GitHub Security tab
    - name: Upload Snyk results to GitHub Code Scanning
      if: always()
      uses: github/codeql-action/upload-sarif@v3
      continue-on-error: true
      with:
        sarif_file: snyk.sarif
        category: snyk-python
    
    # Monitor project with Snyk (updates dashboard)
    - name: Monitor with Snyk
      if: github.event_name == 'push' && github.ref == 'refs/heads/main'
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      run: |
        ./snyk monitor --file=requirements.txt --project-name=visualisable-ai-backend || true
      continue-on-error: true
    
    # Run Python security checks with bandit
    - name: Run Bandit Security Linter
      run: |
        pip install bandit
        echo "===== Python Code Security Analysis ====="
        bandit -r backend/ -f json -o bandit-report.json || true
        bandit -r backend/ || true
        echo "===== Code Analysis Complete ====="
      continue-on-error: true
    
    # Run safety check for known security vulnerabilities
    - name: Run Safety Check
      run: |
        pip install safety
        echo "===== Safety Vulnerability Check ====="
        safety check --json > safety-report.json || true
        safety check || true
        echo "===== Safety Check Complete ====="
      continue-on-error: true
    
    - name: Security Summary
      if: always()
      run: |
        echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### Checks Performed:" >> $GITHUB_STEP_SUMMARY
        echo "- ✅ Snyk dependency vulnerability scan" >> $GITHUB_STEP_SUMMARY
        echo "- ✅ Bandit Python security linter" >> $GITHUB_STEP_SUMMARY
        echo "- ✅ Safety known vulnerability check" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### Known Issues to Address:" >> $GITHUB_STEP_SUMMARY
        echo "- transformers==4.35.0 has known vulnerabilities" >> $GITHUB_STEP_SUMMARY
        echo "- Consider upgrading to transformers>=4.36.0" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "Check the logs above for detailed findings." >> $GITHUB_STEP_SUMMARY
  
  deploy-to-huggingface:
    runs-on: ubuntu-latest
    needs: security-check
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    
    steps:
    - uses: actions/checkout@v3
      with:
        fetch-depth: 0
        lfs: true
    
    - name: Push to CPU HuggingFace Space
      env:
        HF_TOKEN: ${{ secrets.HF_TOKEN }}
      run: |
        # Configure git
        git config --global user.email "github-actions[bot]@users.noreply.github.com"
        git config --global user.name "github-actions[bot]"
        
        # Add CPU HuggingFace Space remote with authentication
        git remote add hf-cpu https://visualisable-ai:$HF_TOKEN@huggingface.co/spaces/visualisable-ai/api
        
        # Push to CPU Space
        echo "Deploying to CPU HuggingFace Space..."
        git push hf-cpu main:main --force
        
        echo "✅ Deployed to CPU HuggingFace Space successfully!" >> $GITHUB_STEP_SUMMARY
        echo "🔗 CPU Space: https://huggingface.co/spaces/visualisable-ai/api" >> $GITHUB_STEP_SUMMARY
    
    - name: Push to GPU HuggingFace Space
      env:
        HF_TOKEN: ${{ secrets.HF_TOKEN }}
      run: |
        # Add GPU HuggingFace Space remote with authentication
        git remote add hf-gpu https://visualisable-ai:$HF_TOKEN@huggingface.co/spaces/visualisable-ai/api-gpu
        
        # Push to GPU Space
        echo "Deploying to GPU HuggingFace Space..."
        git push hf-gpu main:main --force
        
        echo "✅ Deployed to GPU HuggingFace Space successfully!" >> $GITHUB_STEP_SUMMARY
        echo "🔗 GPU Space: https://huggingface.co/spaces/visualisable-ai/api-gpu" >> $GITHUB_STEP_SUMMARY