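# CodeAnt AI code review for this repository.
#
# - push / pull_request to main and manual dispatch: incremental scan of the
#   committed changes.
# - schedule (daily): "full" scan, implemented by touching every tracked file
#   on a throw-away local branch so the CLI sees the whole repo as changed.
#
# The scan itself is best-effort: a scanner failure is surfaced as a workflow
# warning and review.txt is still printed, but the job stays green. Only a
# missing API token fails the job, so an unauthenticated scan never passes
# silently.
name: Codeant Security Scan

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "0 0 * * *"  # daily at 00:00 UTC
  workflow_dispatch:

jobs:
  codeant-scan:
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin the actions and the CLI below to an exact commit SHA /
      # package version so a compromised upstream tag cannot change what runs
      # in CI.
      - name: Checkout Code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history rather than a shallow clone

      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: '22'

      - name: Install CodeAnt CLI
        run: npm install -g codeant-cli  # ✅ KEEP THIS (correct method)

      # Writes the CLI config file consumed by `codeant review`.
      # Fails fast when the secret is absent (e.g. the secret was never
      # configured, or the event has no access to secrets) instead of writing
      # an empty apiKey and letting the scan fail quietly later.
      - name: Configure CodeAnt Auth
        env:
          CODEANT_API_TOKEN: ${{ secrets.CODEANT_API_TOKEN }}
        run: |
          if [ -z "${CODEANT_API_TOKEN}" ]; then
            echo "::error::CODEANT_API_TOKEN secret is not set; refusing to run an unauthenticated scan"
            exit 1
          fi
          mkdir -p "$HOME/.codeant"
          # JSON-encode with Node so a token containing '"' or '\' cannot break
          # the file; the token is read from the environment, not passed as an
          # argument, so it does not show up in process listings.
          node -e 'process.stdout.write(JSON.stringify({apiKey: process.env.CODEANT_API_TOKEN}) + "\n")' \
            > "$HOME/.codeant/config.json"
          # Credential file: owner read/write only.
          chmod 600 "$HOME/.codeant/config.json"

      # Needed for the local commit made by the full-scan step below.
      - name: Setup Git identity
        run: |
          git config --global user.email "ci@gitea.local"
          git config --global user.name "Gitea CI"

      # 🔥 Full scan only on schedule
      # Hack: appends an empty line to every file outside .git (binaries and
      # this workflow file included) and commits on a local branch so that
      # `codeant review --committed` covers the whole repository. Nothing is
      # pushed, so the modified tree never leaves the runner.
      - name: Full repo AI scan (daily)
        if: github.event_name == 'schedule'
        run: |
          echo "Running FULL repo scan..."
          git checkout -b codeant-fullscan || git checkout codeant-fullscan
          find . -type f \
            -not -path "./.git/*" \
            -exec sh -c 'echo "" >> "$1"' _ {} \;
          git add .
          git commit -m "full repo scan" || true  # nothing to commit on an empty tree
          # Best-effort scan: keep the job green but make the failure visible.
          codeant review --committed > review.txt \
            || echo "::warning::codeant review exited with status $?; see review.txt"

      # ⚡ Incremental scan
      - name: Incremental AI scan
        if: github.event_name != 'schedule'
        run: |
          echo "Running incremental scan..."
          # Best-effort scan: keep the job green but make the failure visible.
          codeant review --committed > review.txt \
            || echo "::warning::codeant review exited with status $?; see review.txt"

      # review.txt always exists here: the redirect creates it even when the
      # scanner fails, so this step prints an empty file in that case.
      - name: Show results
        run: cat review.txt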