name: Code Quality

on:
  workflow_dispatch:
  schedule:
    # Run weekly on Sundays at 2 AM UTC
    - cron: '0 2 * * 0'

jobs:
  code-quality:
    runs-on: ubuntu-latest
    
    steps:
    - uses: actions/checkout@v4
    
    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: "3.12"
    
    - name: Install uv
      uses: astral-sh/setup-uv@v4
    
    - name: Install dependencies
      run: |
        uv sync --extra dev
    
    - name: Run comprehensive linting
      run: |
        echo "Running full linting analysis..."
        uv run python lint.py --autofix || true
    
    - name: Check for auto-fixes
      run: |
        if [[ -n $(git status --porcelain) ]]; then
          echo "Auto-fixes were applied"
          git diff
        else
          echo "No auto-fixes needed"
        fi
    
    - name: Create Pull Request for fixes
      if: success()
      uses: peter-evans/create-pull-request@v6
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        commit-message: "🔧 Auto-fix code quality issues"
        title: "🔧 Automated Code Quality Improvements"
        body: |
          ## Automated Code Quality Fixes
          
          This PR contains automated fixes for code quality issues:
          
          ### Changes Applied
          - Line length adjustments
          - Import sorting
          - Whitespace cleanup
          - Unused import removal
          
          ### Review Notes
          - All changes are automatically applied by linting tools
          - Tests should still pass after these changes
          - Manual review recommended for any significant changes
          
          🤖 This PR was automatically created by the Code Quality workflow.
        branch: automated-code-quality-fixes
        delete-branch: true
        reviewers: montevive
        labels: |
          code-quality
          automated
          enhancement
    
    - name: Security Analysis
      run: |
        echo "Running security analysis..."
        uv add bandit[toml]
        uv run bandit -r penpot_mcp/ -f json -o bandit-report.json || true
        
        if [ -f bandit-report.json ]; then
          echo "Security report generated"
          cat bandit-report.json | head -20
        fi
    
    - name: Code Coverage Analysis
      run: |
        echo "Running code coverage analysis..."
        uv run pytest --cov=penpot_mcp tests/ --cov-report=html --cov-report=term
        
        echo "Coverage report generated in htmlcov/"
    
    - name: Upload Coverage Report
      uses: actions/upload-artifact@v4
      with:
        name: coverage-report
        path: htmlcov/
        retention-days: 30
    
    - name: Upload Security Report
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: security-report
        path: bandit-report.json
        retention-days: 30
    
    - name: Summary
      run: |
        echo "## Code Quality Summary" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### Linting" >> $GITHUB_STEP_SUMMARY
        echo "- Auto-fixes applied (if any)" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### Security Analysis" >> $GITHUB_STEP_SUMMARY
        echo "- Bandit security scan completed" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### Coverage" >> $GITHUB_STEP_SUMMARY
        echo "- Code coverage report generated" >> $GITHUB_STEP_SUMMARY
        echo "" >> $GITHUB_STEP_SUMMARY
        echo "### Artifacts" >> $GITHUB_STEP_SUMMARY
        echo "- Coverage report: htmlcov/" >> $GITHUB_STEP_SUMMARY
        echo "- Security report: bandit-report.json" >> $GITHUB_STEP_SUMMARY