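---
# CI pipeline: audit npm dependencies, deploy to Fly.io, then report the
# outcome to Discord. Every step is limited to pushes on main.
#
# NOTE(review): the CI_* variable names suggest a runner that textually
# substitutes `${VAR}` expressions into this file before the shell runs
# (confirm for your runner). Commit message and author are controlled by
# whoever writes the commit, so substituting them into the script text would
# let quotes or `$(...)` in a commit message become shell syntax in a step
# that holds a secret. The scripts below therefore read those values from the
# step environment at run time, using brace-less `$VAR` expansion, and pass
# them to jq as data.
steps:
  audit_dependencies:
    image: node:20
    environment:
      DISCORD_WEBHOOK:
        from_secret: discord_webhook
    commands:
      - apt-get update && apt-get install -y jq
      - npm install --package-lock-only
      # Record a non-zero audit result instead of failing the step; the audit
      # is advisory only and never blocks the deploy step that follows.
      - npm audit --audit-level=moderate || AUDIT_EXIT=$?
      - |
        if [ -n "$AUDIT_EXIT" ]; then
          echo ""
          echo "=========================================="
          echo "⚠️ WARNING: npm audit found vulnerabilities!"
          echo "⚠️ Please review the security issues above"
          echo "⚠️ Build continues despite vulnerabilities"
          echo "=========================================="
          echo ""
          # Discord notification. jq builds the JSON, so special characters
          # in the commit metadata cannot break the payload.
          if [ -n "$DISCORD_WEBHOOK" ]; then
            COMMIT_MESSAGE="$CI_COMMIT_MESSAGE"
            [ -n "$COMMIT_MESSAGE" ] || COMMIT_MESSAGE="No commit message"
            # POSIX-sh replacement for the substring expansion of the SHA.
            SHORT_SHA=$(printf '%.7s' "$CI_COMMIT_SHA")
            PAYLOAD=$(printf '%s' "$COMMIT_MESSAGE" | jq -Rs \
              --arg title "⚠️ npm audit Warnung - Build #$CI_BUILD_NUMBER" \
              --arg repo "$CI_REPO" \
              --arg branch "$CI_COMMIT_BRANCH" \
              --arg commit "$SHORT_SHA" \
              --arg author "$CI_COMMIT_AUTHOR" \
              --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
              '. as $message | {
                embeds: [{
                  title: $title,
                  description: "Es wurden Sicherheitslücken in den Dependencies gefunden!",
                  color: 16744448,
                  fields: [
                    { name: "Repository", value: $repo, inline: true },
                    { name: "Branch", value: $branch, inline: true },
                    { name: "Commit", value: ("`" + $commit + "`"), inline: true },
                    { name: "Author", value: $author, inline: true },
                    { name: "Commit Message", value: $message, inline: false }
                  ],
                  footer: { text: "Build läuft trotzdem durch" },
                  timestamp: $timestamp
                }]
              }')
            curl -H "Content-Type: application/json" -X POST \
              -d "$PAYLOAD" "$DISCORD_WEBHOOK"
          fi
        else
          echo "✓ No vulnerabilities found"
        fi
      - exit 0
    when:
      branch: main
      event: push

  deploy_frontend:
    image: node:20
    # Only the deploy token is exposed here. The Discord webhook secret and
    # the jq install were dropped because no command in this step uses them,
    # and this step executes a script fetched from the network.
    environment:
      FLY_API_TOKEN:
        from_secret: FLY_API_TOKEN
    commands:
      # NOTE(review): this runs an unpinned remote installer in the same step
      # that holds FLY_API_TOKEN. Prefer a pinned flyctl release whose
      # checksum is verified, or an image that already ships flyctl.
      # -f stops an HTTP error page from being piped into sh.
      - curl -fsSL https://fly.io/install.sh | sh
      - export PATH="$HOME/.fly/bin:$PATH"
      - flyctl deploy --config fly.toml --app gallus-pub --remote-only
    when:
      branch: main
      event: push

  notify_success:
    image: node:20
    environment:
      DISCORD_WEBHOOK:
        from_secret: discord_webhook
    commands:
      - apt-get update && apt-get install -y jq
      - |
        if [ -n "$DISCORD_WEBHOOK" ]; then
          COMMIT_MESSAGE="$CI_COMMIT_MESSAGE"
          [ -n "$COMMIT_MESSAGE" ] || COMMIT_MESSAGE="No commit message"
          # POSIX-sh replacement for the substring expansion of the SHA.
          SHORT_SHA=$(printf '%.7s' "$CI_COMMIT_SHA")
          PAYLOAD=$(printf '%s' "$COMMIT_MESSAGE" | jq -Rs \
            --arg title "✅ Build #$CI_BUILD_NUMBER - Success" \
            --arg repo "$CI_REPO" \
            --arg branch "$CI_COMMIT_BRANCH" \
            --arg commit "$SHORT_SHA" \
            --arg author "$CI_COMMIT_AUTHOR" \
            --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
            '. as $message | {
              embeds: [{
                title: $title,
                description: "Build und Deployment erfolgreich abgeschlossen!",
                color: 3066993,
                fields: [
                  { name: "Repository", value: $repo, inline: true },
                  { name: "Branch", value: $branch, inline: true },
                  { name: "Commit", value: ("`" + $commit + "`"), inline: true },
                  { name: "Author", value: $author, inline: true },
                  { name: "Commit Message", value: $message, inline: false }
                ],
                timestamp: $timestamp
              }]
            }')
          curl -H "Content-Type: application/json" -X POST \
            -d "$PAYLOAD" "$DISCORD_WEBHOOK"
        fi
    when:
      branch: main
      event: push
      status: success

  notify_failure:
    image: node:20
    environment:
      DISCORD_WEBHOOK:
        from_secret: discord_webhook
    commands:
      - apt-get update && apt-get install -y jq
      - |
        if [ -n "$DISCORD_WEBHOOK" ]; then
          COMMIT_MESSAGE="$CI_COMMIT_MESSAGE"
          [ -n "$COMMIT_MESSAGE" ] || COMMIT_MESSAGE="No commit message"
          # POSIX-sh replacement for the substring expansion of the SHA.
          SHORT_SHA=$(printf '%.7s' "$CI_COMMIT_SHA")
          PAYLOAD=$(printf '%s' "$COMMIT_MESSAGE" | jq -Rs \
            --arg title "❌ Build #$CI_BUILD_NUMBER - Failure" \
            --arg repo "$CI_REPO" \
            --arg branch "$CI_COMMIT_BRANCH" \
            --arg commit "$SHORT_SHA" \
            --arg author "$CI_COMMIT_AUTHOR" \
            --arg timestamp "$(date -u +%Y-%m-%dT%H:%M:%S.000Z)" \
            '. as $message | {
              embeds: [{
                title: $title,
                description: "Build oder Deployment ist fehlgeschlagen!",
                color: 15158332,
                fields: [
                  { name: "Repository", value: $repo, inline: true },
                  { name: "Branch", value: $branch, inline: true },
                  { name: "Commit", value: ("`" + $commit + "`"), inline: true },
                  { name: "Author", value: $author, inline: true },
                  { name: "Commit Message", value: $message, inline: false }
                ],
                timestamp: $timestamp
              }]
            }')
          curl -H "Content-Type: application/json" -X POST \
            -d "$PAYLOAD" "$DISCORD_WEBHOOK"
        fi
    when:
      branch: main
      event: push
      status: failure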