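---
# GitHub Actions workflow: installs codeant-cli, writes its config from a
# repository secret, and runs a full-repository review on push, PR, a daily
# schedule, or manual dispatch.
name: Codeant Security Scan

# yamllint disable-line rule:truthy
on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    - cron: "0 0 * * *"  # Daily scan
  workflow_dispatch:

jobs:
  codeant-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        # Supply chain: a mutable tag can be re-pointed; consider pinning the
        # action to a full commit SHA.
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history is needed for the baseline commit below

      - name: Setup Node.js (Satisfies Engine Requirements)
        uses: actions/setup-node@v3
        with:
          node-version: '22'  # Using Node 22 to avoid EBADENGINE errors

      - name: Install and Inject Config
        env:
          MY_KEY: ${{ secrets.CODEANT_API_TOKEN }}
        run: |
          # Fail fast when the secret is unavailable (for example, pull requests
          # from forks do not receive repository secrets) rather than silently
          # writing an empty apiKey and letting the review step run unauthenticated.
          if [ -z "$MY_KEY" ]; then
            echo "CODEANT_API_TOKEN is not set; cannot configure codeant-cli" >&2
            exit 1
          fi
          # Pin an explicit version (codeant-cli@<VERSION>) once one is chosen so
          # a breaking or tampered release cannot land silently.
          npm install -g codeant-cli
          mkdir -p "$HOME/.codeant"
          # The config holds the API token: create it with owner-only permissions
          # and never echo or cat the token or this file, since job logs are
          # retained and readable by anyone who can view the workflow run.
          umask 077
          printf '{"apiKey":"%s"}\n' "$MY_KEY" > "$HOME/.codeant/config.json"
          # Verify the file was written without revealing its contents.
          # A populated config is expected to be roughly 35-40 bytes.
          echo "Config file size: $(wc -c < "$HOME/.codeant/config.json") bytes"

      - name: Run CodeAnt AI Review (Full Repo First Time)
        run: |
          echo "Preparing full repo scan..."
          # Ensure full git history (normally a no-op after fetch-depth: 0).
          git fetch --unshallow || true
          # git commit requires an author identity; the hosted runner does not
          # configure one, so set the standard GitHub Actions bot identity.
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          # Create a throw-away baseline branch so every file is treated as new.
          git checkout --orphan codeant-scan
          git add .
          git commit -m "full repo scan baseline"
          echo "Running CodeAnt AI Review..."
          # '|| true' keeps the job green even when the review exits non-zero;
          # the output is still printed below. Remove it if findings should
          # fail the check.
          codeant review --committed > review.txt || true
          echo "===== CodeAnt Output ====="
          cat review.txt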