name: Lint & Build

on:
  push:
    branches: [main]
    tags: ['v*']
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      deploy:
        description: 'Deploy to ESP fleet after build'
        required: false
        default: 'false'
        type: choice
        options:
          - 'false'
          - 'true'

jobs:
  build:
    name: Build Firmware
    runs-on: anvil
    container:
      image: docker.io/espressif/idf:v5.3
    steps:
      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Build firmware
        run: |
          . /opt/esp/idf/export.sh
          cd get-started/csi_recv_router
          idf.py build

      - name: Show binary size
        run: |
          ls -lh get-started/csi_recv_router/build/*.bin

      - name: Upload firmware artifact
        run: |
          mkdir -p /tmp/artifacts
          cp get-started/csi_recv_router/build/csi_recv_router.bin /tmp/artifacts/
          cp get-started/csi_recv_router/build/bootloader/bootloader.bin /tmp/artifacts/
          cp get-started/csi_recv_router/build/partition_table/partition-table.bin /tmp/artifacts/
          cp get-started/csi_recv_router/build/ota_data_initial.bin /tmp/artifacts/
          echo "Artifacts ready in /tmp/artifacts"
          ls -la /tmp/artifacts/

  deploy:
    name: Deploy to ESP Fleet
    runs-on: anvil
    needs: build
    if: github.event_name == 'workflow_dispatch' && github.event.inputs.deploy == 'true' || startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Rebuild firmware for deploy
        run: |
          podman run --rm -v $(pwd):/project -w /project docker.io/espressif/idf:v5.3 \
            bash -c ". /opt/esp/idf/export.sh && cd get-started/csi_recv_router && idf.py build"

      - name: Deploy via OTA
        run: |
          FIRMWARE="$(pwd)/get-started/csi_recv_router/build/csi_recv_router.bin"
          SENSORS="muddy-storm amber-maple hollow-acorn"
          PORT=8070

          # Get runner IP (first non-loopback IPv4)
          RUNNER_IP=$(hostname -I | awk '{print $1}')
          echo "Runner IP: $RUNNER_IP"

          # Start HTTP server in background
          cd get-started/csi_recv_router/build
          python3 -m http.server $PORT &
          HTTP_PID=$!
          sleep 2

          # Deploy to each sensor
          for sensor in $SENSORS; do
            echo "=== Deploying to $sensor ==="
            # Resolve mDNS hostname
            SENSOR_IP=$(getent hosts ${sensor}.local | awk '{print $1}' || avahi-resolve -n ${sensor}.local 2>/dev/null | awk '{print $2}')
            if [ -z "$SENSOR_IP" ]; then
              echo "Warning: Could not resolve $sensor.local, skipping"
              continue
            fi
            echo "Sensor IP: $SENSOR_IP"

            # Send OTA command via UDP
            echo "OTA http://${RUNNER_IP}:${PORT}/csi_recv_router.bin" | nc -u -w 2 $SENSOR_IP 5501
            echo "OTA command sent to $sensor"

            # Wait for device to download and reboot
            sleep 30
          done

          # Cleanup
          kill $HTTP_PID 2>/dev/null || true
          echo "=== Deployment complete ==="

  cppcheck:
    name: C/C++ Static Analysis
    runs-on: anvil
    container:
      image: docker.io/library/debian:bookworm-slim
    steps:
      - name: Install tools
        run: |
          apt-get update && apt-get install -y --no-install-recommends git cppcheck ca-certificates

      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Run cppcheck
        run: |
          cppcheck --enable=warning,style,performance,portability \
            --suppress=missingIncludeSystem \
            --error-exitcode=1 \
            --inline-suppr \
            -I get-started/csi_recv_router/main \
            get-started/csi_recv_router/main/*.c

  flawfinder:
    name: Security Flaw Analysis
    runs-on: anvil
    container:
      image: docker.io/library/python:3.12-slim
    steps:
      - name: Install tools
        run: |
          apt-get update && apt-get install -y --no-install-recommends git ca-certificates
          pip install --no-cache-dir flawfinder

      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Run flawfinder
        run: |
          flawfinder --minlevel=2 --error-level=4 \
            get-started/csi_recv_router/main/

  gitleaks:
    name: Secret Scanning
    runs-on: anvil
    container:
      image: docker.io/zricethezav/gitleaks:latest
    steps:
      - name: Checkout
        run: |
          git clone --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Run gitleaks
        run: gitleaks detect --source . --verbose --redact

  shellcheck:
    name: Shell Script Analysis
    runs-on: anvil
    container:
      image: docker.io/koalaman/shellcheck-alpine:stable
    steps:
      - name: Install git
        run: apk add --no-cache git

      - name: Checkout
        run: |
          git clone --depth=1 --branch=${{ github.ref_name }} \
            https://oauth2:${{ github.token }}@git.mymx.me/${{ github.repository }}.git .

      - name: Find and check shell scripts
        run: |
          SCRIPTS=$(find . -name "*.sh" -type f 2>/dev/null || true)
          if [ -n "$SCRIPTS" ]; then
            echo "Checking: $SCRIPTS"
            echo "$SCRIPTS" | xargs shellcheck --severity=warning
          else
            echo "No shell scripts found, skipping"
          fi