---
# Woodpecker CI Quality Enforcement Pipeline - Monorepo
#
# Gate layout: secret-scan and install start immediately; security-audit,
# lint, typecheck and test wait for install; build is the join point and
# only starts once every gate has finished successfully.
#
# No step below references a secret, so pull_request runs (which execute
# the repository's own npm scripts) have no credentials to expose.

when:
  - event:
      - push
      - pull_request
      - manual

variables:
  # Both images are referenced by tag. A tag can be re-pointed upstream, so
  # pinning by digest (image@sha256:<digest>) would make the toolchain
  # reproducible; the gitleaks tag is at least version-specific.
  - &node_image "node:20-alpine"
  - &gitleaks_image "ghcr.io/gitleaks/gitleaks:v8.24.0"
  # Shared install snippet. --ignore-scripts stops dependency lifecycle
  # scripts (preinstall/postinstall) from running during install, so a
  # malicious package cannot execute code at that point; packages that
  # build native addons in postinstall will not be built.
  - &install_deps |
    corepack enable
    npm ci --ignore-scripts

steps:
  # Secret scanning (runs in parallel with install, no deps)
  secret-scan:
    image: *gitleaks_image
    depends_on: []
    commands:
      # --redact keeps matched secret values out of the CI log.
      # The range HEAD~1..HEAD covers only the tip commit: in a push or
      # pull request carrying several commits, the earlier ones are not
      # scanned by this step.
      # NOTE(review): the range also needs HEAD~1 to be present in the
      # checkout - confirm the clone depth used by this pipeline.
      - gitleaks git --redact --verbose --log-opts="HEAD~1..HEAD"

  install:
    image: *node_image
    commands:
      - *install_deps

  security-audit:
    image: *node_image
    depends_on:
      - install
    commands:
      - *install_deps
      # Fails the step only for advisories rated high or critical; lower
      # severities are printed but do not block the pipeline.
      - npm audit --audit-level=high

  lint:
    image: *node_image
    depends_on:
      - install
    environment:
      # Quoted so the value stays a string rather than a YAML boolean.
      # NOTE(review): presumably disables the app's env-schema check so CI
      # needs no real configuration - confirm against the project.
      SKIP_ENV_VALIDATION: "true"
    commands:
      - *install_deps
      - npm run lint

  typecheck:
    image: *node_image
    depends_on:
      - install
    environment:
      SKIP_ENV_VALIDATION: "true"
    commands:
      - *install_deps
      - npm run type-check

  test:
    image: *node_image
    depends_on:
      - install
    environment:
      SKIP_ENV_VALIDATION: "true"
    commands:
      - *install_deps
      # Folded scalar: the two lines below are joined with a single space
      # into one command. The threshold JSON asks for 80% global coverage
      # on branches, functions, lines and statements.
      # NOTE(review): assumes the `test` script is a Jest-compatible runner
      # that accepts --coverageThreshold - confirm in package.json.
      - >-
        npm run test -- --coverage
        --coverageThreshold='{"global":{"branches":80,"functions":80,"lines":80,"statements":80}}'

  build:
    image: *node_image
    # Join point: waits for every quality and security gate.
    depends_on:
      - lint
      - typecheck
      - test
      - security-audit
      - secret-scan
    environment:
      SKIP_ENV_VALIDATION: "true"
      NODE_ENV: "production"
    commands:
      - *install_deps
      - npm run build