# Codex AI Review Pipeline for Woodpecker CI
# Drop this into your repo's .woodpecker/ directory to enable automated
# code and security reviews on every pull request.
#
# Required secrets:
#   - codex_api_key: OpenAI API key or Codex-compatible key
#
# Optional secrets:
#   - gitea_token: Gitea API token for posting PR comments (if not using tea CLI auth)

when:
  event: pull_request

variables:
  - &node_image "node:24-slim"
  - &install_codex "npm i -g @openai/codex"

steps:
  # --- Code Quality Review ---
  code-review:
    image: *node_image
    environment:
      CODEX_API_KEY:
        from_secret: codex_api_key
    commands:
      - *install_codex
      - apt-get update -qq && apt-get install -y -qq jq git > /dev/null 2>&1

      # Generate the diff
      - git fetch origin ${CI_COMMIT_TARGET_BRANCH:-main}
      - DIFF=$(git diff origin/${CI_COMMIT_TARGET_BRANCH:-main}...HEAD)

      # Run code review with structured output
      - |
        codex exec \
          --sandbox read-only \
          --output-schema .woodpecker/schemas/code-review-schema.json \
          -o /tmp/code-review.json \
          "You are an expert code reviewer. Review the following code changes for correctness, code quality, testing, performance, and documentation issues. Only flag actionable, important issues. Categorize as blocker/should-fix/suggestion. If code looks good, say so.

        Changes:
        $DIFF"

      # Output summary
      - echo "=== Code Review Results ==="
      - jq '.' /tmp/code-review.json
      - |
        BLOCKERS=$(jq '.stats.blockers // 0' /tmp/code-review.json)
        if [ "$BLOCKERS" -gt 0 ]; then
          echo "FAIL: $BLOCKERS blocker(s) found"
          exit 1
        fi
        echo "PASS: No blockers found"

  # --- Security Review ---
  security-review:
    image: *node_image
    environment:
      CODEX_API_KEY:
        from_secret: codex_api_key
    commands:
      - *install_codex
      - apt-get update -qq && apt-get install -y -qq jq git > /dev/null 2>&1

      # Generate the diff
      - git fetch origin ${CI_COMMIT_TARGET_BRANCH:-main}
      - DIFF=$(git diff origin/${CI_COMMIT_TARGET_BRANCH:-main}...HEAD)

      # Run security review with structured output
      - |
        codex exec \
          --sandbox read-only \
          --output-schema .woodpecker/schemas/security-review-schema.json \
          -o /tmp/security-review.json \
          "You are an expert application security engineer. Review the following code changes for security vulnerabilities including OWASP Top 10, hardcoded secrets, injection flaws, auth/authz gaps, XSS, CSRF, SSRF, path traversal, and supply chain risks. Include CWE IDs and remediation steps. Only flag real security issues, not code quality.

        Changes:
        $DIFF"

      # Output summary
      - echo "=== Security Review Results ==="
      - jq '.' /tmp/security-review.json
      - |
        CRITICAL=$(jq '.stats.critical // 0' /tmp/security-review.json)
        HIGH=$(jq '.stats.high // 0' /tmp/security-review.json)
        if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
          echo "FAIL: $CRITICAL critical, $HIGH high severity finding(s)"
          exit 1
        fi
        echo "PASS: No critical or high severity findings"