.github/workflows/ci-cd.yml

name: CI/CD Optimized

on:
  merge_group:
  pull_request:
  push:
  workflow_dispatch:
  workflow_run:
    workflows: ["Pre-commit fix"]
    types:
      - completed

env:
  FORCE_COLOR: 1

concurrency:
  cancel-in-progress: true
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

jobs:
  setup:
    name: Setup and Cache Dependencies
    runs-on: ubuntu-latest
    permissions: 
      contents: read  # Minimal permission for checking out code
    outputs:
      python-cache-dir: ${{ steps.poetry-cache.outputs.dir }}
    steps:
      - uses: actions/checkout@v4
      
      - name: Cache pre-commit hooks
        uses: actions/cache@v3
        with:
          path: ~/.cache/pre-commit
          key: ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pre-commit-

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: 3.11.2

      - name: Get Poetry cache directory
        id: poetry-cache
        run: echo "POETRY_CACHE_DIR=$(poetry config cache-dir)" >> $GITHUB_ENV
      
      - name: Cache Poetry dependencies
        uses: actions/cache@v3
        with:
          path: ${{ env.POETRY_CACHE_DIR }}
          key: ${{ runner.os }}-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            ${{ runner.os }}-poetry-

  pre-commit:
    name: Run pre-commit
    needs: setup
    runs-on: ubuntu-latest
    permissions: 
      issues: write
      pull-requests: write
      contents: write
      actions: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: 3.11.2
      - name: Run pre-commit
        uses: pre-commit/action@v3.0.1

  code-ql:
    name: Run CodeQL
    needs: pre-commit
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      actions: read
      contents: read
    strategy:
      fail-fast: true
      matrix:
        language: ['none']  # Default to none, will be updated based on changes
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 2

      - name: Detect file changes
        id: changes
        uses: dorny/paths-filter@v2
        with:
          filters: |
            python:
              - '**/*.py'
              - 'requirements.txt'
              - 'poetry.lock'
              - 'pyproject.toml'
            javascript:
              - '**/*.js'
              - '**/*.jsx'
              - '**/*.ts'
              - '**/*.tsx'
              - 'package.json'
              - 'yarn.lock'

      - name: Set languages matrix
        id: set-matrix
        run: |
          languages=()
          if [[ "${{ steps.changes.outputs.python }}" == 'true' ]]; then
            languages+=("python")
          fi
          if [[ "${{ steps.changes.outputs.javascript }}" == 'true' ]]; then
            languages+=("javascript")
          fi
          if [ ${#languages[@]} -eq 0 ]; then
            echo "No relevant file changes detected, skipping CodeQL"
            exit 0
          fi
          echo "languages=${languages[@]}" >> $GITHUB_OUTPUT

      - uses: github/codeql-action/init@v2
        if: steps.set-matrix.outputs.languages
        with:
          languages: ${{ steps.set-matrix.outputs.languages }}

      - uses: github/codeql-action/autobuild@v2
        if: steps.set-matrix.outputs.languages

      - uses: github/codeql-action/analyze@v2 
        if: steps.set-matrix.outputs.languages

  test:
    name: Run Tests
    needs: code-ql
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
      contents: write
      actions: write
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v4
        with:
          python-version: 3.11.2
      - run: pip install poetry
      - run: poetry lock --no-update
      - run: poetry install
      - run: poetry run python manage.py collectstatic --noinput
      - name: Run tests
        run: poetry run xvfb-run --auto-servernum python manage.py test -v 3 --failfast