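---
# Production deployment pipeline.
#
# Job flow:
#   security-scan -> build-and-test -> deploy-staging -> deploy-production -> post-deployment
#
# Staging is a mandatory gate: production only ever deploys an artifact that
# was first deployed to staging in the same run. (Previously a tag push skipped
# deploy-staging, and because a job whose needed job was skipped is itself
# skipped, deploy-production never ran on tag pushes.)
#
# Supply-chain note: third-party actions are referenced by major tag below.
# Pin them to full commit SHAs (and let Dependabot bump the pins) before
# relying on this workflow for production deployments.
name: Production Deployment

# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
    tags: ['v*']
  workflow_dispatch:
    inputs:
      environment:
        description: 'Deployment environment'
        required: true
        default: 'staging'
        type: choice
        options:
          - staging
          - production

# Least privilege for GITHUB_TOKEN: read-only by default. The one job that
# needs more (post-deployment creates an issue) raises its own permissions.
permissions:
  contents: read

# Serialize deployments: never run two deploys at once, and never cancel a
# deployment that is already in flight (a half-applied deploy is worse than a
# queued one).
concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

jobs:
  security-scan:
    runs-on: ubuntu-latest
    name: Security Scanning
    outputs:
      security-passed: ${{ steps.security-check.outputs.passed }}
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
          cache: 'pip'

      # bandit and slither are not part of the ubuntu-latest image. Without
      # this step the scan fails with "command not found", not on findings.
      - name: Install scanners
        run: |
          python -m pip install --upgrade pip
          pip install bandit slither-analyzer

      # Both scanners exit non-zero when they report findings, which fails this
      # step under the default `bash -e` shell; the reports are still written
      # for the explicit gate below.
      - name: Run comprehensive security scan
        run: |
          python scripts/focused_dotenv_linter.py --check
          bandit -r . -f json -o bandit-report.json
          slither contracts/ --json slither-report.json

      # Gate on the report contents, not merely on the files existing: an
      # empty or partial report must not count as a pass, and the gate must
      # hold even if a scanner is later run with a "never fail" flag.
      # jq is preinstalled on ubuntu-latest runners.
      - name: Security validation
        id: security-check
        run: |
          if [ ! -s bandit-report.json ] || [ ! -s slither-report.json ]; then
            echo "::error::security reports missing or empty"
            echo "passed=false" >> "$GITHUB_OUTPUT"
            exit 1
          fi
          bandit_findings=$(jq '.results | length' bandit-report.json)
          slither_findings=$(jq '.results.detectors // [] | length' slither-report.json)
          echo "bandit findings: ${bandit_findings}; slither findings: ${slither_findings}"
          if [ "${bandit_findings}" -eq 0 ] && [ "${slither_findings}" -eq 0 ]; then
            echo "passed=true" >> "$GITHUB_OUTPUT"
          else
            echo "::error::security scan reported findings; see the reports above"
            echo "passed=false" >> "$GITHUB_OUTPUT"
            exit 1
          fi

  build-and-test:
    runs-on: ubuntu-latest
    name: Build and Test
    needs: security-scan
    if: needs.security-scan.outputs.security-passed == 'true'
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.13'
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -e .
          pip install -e packages/py/aitbc-crypto
          # `build` is required by the "Build application" step (python -m build)
          pip install build pytest pytest-cov pytest-asyncio

      - name: Run comprehensive tests
        run: |
          python -m pytest -m "not slow" --cov=aitbc_cli --cov-report=xml --cov-fail-under=90

      - name: Build application
        run: |
          python -m build

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts
          path: dist/
          retention-days: 30

  deploy-staging:
    runs-on: ubuntu-latest
    name: Deploy to Staging
    needs: build-and-test
    # No `if` here on purpose: every build that reaches this point (main push,
    # v* tag, either dispatch target) goes through staging first, so
    # deploy-production always has a staging result to depend on.
    environment:
      name: staging
      url: https://staging.aitbc.dev
    steps:
      - uses: actions/checkout@v4

      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: build-artifacts
          path: dist/

      - name: Deploy to staging
        run: |
          echo "Deploying to staging environment..."
          # Add staging deployment commands here
          # Example: scp to staging server, restart services, etc.

      - name: Run smoke tests
        run: |
          python scripts/smoke_tests.py --environment=staging

      # Retry briefly: the service may still be restarting right after deploy.
      - name: Health check
        run: |
          curl -fsS --retry 5 --retry-delay 10 --retry-all-errors https://staging.aitbc.dev/health || exit 1

  deploy-production:
    runs-on: ubuntu-latest
    name: Deploy to Production
    needs: [build-and-test, deploy-staging]
    if: startsWith(github.ref, 'refs/tags/v') || github.event.inputs.environment == 'production'
    # Configure required reviewers and a deployment branch/tag policy on the
    # "production" environment in the repository settings. That policy, not
    # the expression above, is what stops an arbitrary branch from being
    # dispatched to production with environment=production.
    environment:
      name: production
      url: https://aitbc.dev
    steps:
      - uses: actions/checkout@v4

      - name: Download build artifacts
        uses: actions/download-artifact@v4
        with:
          name: build-artifacts
          path: dist/

      - name: Create production backup
        run: |
          echo "Creating production backup..."
          # Add backup commands here

      - name: Deploy to production
        run: |
          echo "Deploying to production environment..."
          # Add production deployment commands here

      - name: Run production smoke tests
        run: |
          python scripts/smoke_tests.py --environment=production

      # Retry briefly: the service may still be restarting right after deploy.
      - name: Production health check
        run: |
          curl -fsS --retry 5 --retry-delay 10 --retry-all-errors https://api.aitbc.dev/health || exit 1

      # The token and the ref name reach the script through `env`, never via
      # ${{ }} interpolation into the script text: a ref name containing a
      # quote would otherwise be spliced into the shell command (script
      # injection), and the secret would become part of the command line.
      # The JSON body is built with jq so the version is always escaped.
      # This notification is best-effort: a failure is surfaced as a warning
      # and does not fail an already completed deployment.
      - name: Update monitoring
        env:
          MONITORING_TOKEN: ${{ secrets.MONITORING_TOKEN }}
          DEPLOYED_VERSION: ${{ github.ref_name }}
        run: |
          if [ -z "${MONITORING_TOKEN}" ]; then
            echo "MONITORING_TOKEN not configured; skipping monitoring update"
            exit 0
          fi
          payload=$(jq -cn --arg version "${DEPLOYED_VERSION}" --arg environment production \
            '{version: $version, environment: $environment}')
          curl -fsS -X POST https://monitoring.aitbc.net/api/deployment \
            -H "Authorization: Bearer ${MONITORING_TOKEN}" \
            -H "Content-Type: application/json" \
            -d "${payload}" \
            || echo "::warning::monitoring deployment update failed"

  post-deployment:
    runs-on: ubuntu-latest
    name: Post-Deployment Verification
    needs: [deploy-staging, deploy-production]
    # `!cancelled()` rather than `always()`: do not report on a cancelled run.
    if: ${{ !cancelled() && (needs.deploy-staging.result == 'success' || needs.deploy-production.result == 'success') }}
    permissions:
      contents: read
      issues: write  # "Notify team" creates a tracking issue
    env:
      # Derived once from what actually happened in this run, so the
      # notification and the performance baseline agree on the environment
      # (previously the baseline fell back to "staging" on tag pushes).
      DEPLOY_ENVIRONMENT: ${{ needs.deploy-production.result == 'success' && 'production' || 'staging' }}
    steps:
      # scripts/performance_baseline.py lives in the repository; without a
      # checkout the final step has nothing to run.
      - uses: actions/checkout@v4

      - name: Notify team
        uses: actions/github-script@v6
        with:
          script: |
            // Inputs come from process.env / context, not from ${{ }} spliced
            // into the script text. Note that `github` inside github-script is
            // the Octokit client, so `github.ref_name` / `github.sha` would be
            // undefined; the ref name is GITHUB_REF_NAME and the commit is
            // context.sha.
            const environment = process.env.DEPLOY_ENVIRONMENT;
            const version = process.env.GITHUB_REF_NAME;
            const commit = context.sha;
            const deploymentUrl = environment === 'production'
              ? 'https://aitbc.dev'
              : 'https://staging.aitbc.dev';
            const message = `🚀 **Deployment Complete**

            **Environment**: ${environment}
            **Version**: ${version}
            **URL**: ${deploymentUrl}
            **Commit**: ${commit}

            **Next Steps**:
            1. Verify functionality at ${deploymentUrl}
            2. Check monitoring dashboard
            3. Review deployment logs
            4. Update documentation if needed`;
            // Awaited so an API failure fails the step instead of being lost
            // as an unhandled rejection.
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `Deployment Complete: ${environment} - ${version}`,
              body: message,
              labels: ['deployment', environment]
            });

      - name: Update documentation
        run: |
          echo "Updating API documentation..."
          # Add documentation update commands here

      - name: Performance baseline
        run: |
          python scripts/performance_baseline.py --environment="${DEPLOY_ENVIRONMENT}"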