klz-cables.com/.gitea/workflows/deploy.yml

name: Build & Deploy

on:
  push:
    branches:
      - '**'
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      skip_checks:
        description: 'Skip tests? (true/false)'
        required: false
        default: 'false'

concurrency:
  group: ${{ github.workflow }}-${{ (github.ref_type == 'tag' && !contains(github.ref_name, '-')) && 'prod' || (github.ref_name == 'main' && 'testing' || github.ref_name) }}
  cancel-in-progress: true

jobs:
  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 1: Prepare Environment
  # ──────────────────────────────────────────────────────────────────────────────
  prepare:
    name: 🔍 Prepare
    runs-on: docker
    outputs:
      target:           ${{ steps.determine.outputs.target }}
      image_tag:        ${{ steps.determine.outputs.image_tag }}
      env_file:         ${{ steps.determine.outputs.env_file }}
      traefik_host:     ${{ steps.determine.outputs.traefik_host }}
      traefik_rule:     ${{ steps.determine.outputs.traefik_rule }}
      next_public_url:  ${{ steps.determine.outputs.next_public_url }}
      directus_url:     ${{ steps.determine.outputs.directus_url }}
      project_name:     ${{ steps.determine.outputs.project_name }}
      short_sha:        ${{ steps.determine.outputs.short_sha }}
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: 🧹 Maintenance (High Density Cleanup)
        shell: bash
        run: |
          echo "Purging old build layers and dangling images..."
          docker image prune -f
          docker builder prune -f --filter "until=6h"

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: 🔍 Environment ermitteln
        id: determine
        shell: bash
        run: |
          REF="${{ github.ref_name }}"
          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          DOMAIN="klz-cables.com"
          PRJ="klz"

          if [[ "${{ github.ref_type }}" == "branch" && "$REF" == "main" ]]; then
            TARGET="testing"
            IMAGE_TAG="main-${SHORT_SHA}"
            ENV_FILE=".env.testing"
            TRAEFIK_HOST="testing.${DOMAIN}"
          elif [[ "${{ github.ref_type }}" == "tag" ]]; then
            if [[ "$REF" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
              TARGET="production"
              IMAGE_TAG="$REF"
              ENV_FILE=".env.prod"
              TRAEFIK_HOST="${DOMAIN}, www.${DOMAIN}"
            else
              TARGET="staging"
              IMAGE_TAG="$REF"
              ENV_FILE=".env.staging"
              TRAEFIK_HOST="staging.${DOMAIN}"
            fi
          else
            TARGET="branch"
            SLUG=$(echo "$REF" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//')
            IMAGE_TAG="branch-${SLUG}-${SHORT_SHA}"
            ENV_FILE=".env.branch-${SLUG}"
            TRAEFIK_HOST="${SLUG}.branch.mintel.me"
          fi

          # Standardize Traefik Rule
          if [[ "$TRAEFIK_HOST" == *","* ]]; then
            TRAEFIK_RULE=$(echo "$TRAEFIK_HOST" | sed 's/,/ /g' | awk '{for(i=1;i<=NF;i++) printf "Host(\"%s\")%s", $i, (i==NF?"":" || ")}')
            PRIMARY_HOST=$(echo "$TRAEFIK_HOST" | cut -d',' -f1 | sed 's/ //g')
          else
            TRAEFIK_RULE="Host(\"$TRAEFIK_HOST\")"
            PRIMARY_HOST="$TRAEFIK_HOST"
          fi

          {
            echo "target=$TARGET"
            echo "image_tag=$IMAGE_TAG"
            echo "env_file=$ENV_FILE"
            echo "traefik_host=$PRIMARY_HOST"
            echo "traefik_rule=$TRAEFIK_RULE"
            echo "next_public_url=https://$PRIMARY_HOST"
            echo "directus_url=https://cms.$PRIMARY_HOST"
            if [[ "$TARGET" == "production" ]]; then
              echo "project_name=klz-cablescom"
            else
              echo "project_name=$PRJ-$TARGET"
            fi
            echo "short_sha=$SHORT_SHA"
          } >> "$GITHUB_OUTPUT"

          # ⏳ Wait for Upstream Packages/Images if Tagged
          if [[ "${{ github.ref_type }}" == "tag" ]]; then
            echo "🔎 Checking for @mintel dependencies in package.json..."
            # Extract any @mintel/ version (they should be synced in monorepo)
            UPSTREAM_VERSION=$(grep -o '"@mintel/.*": "[^"]*"' package.json | grep -v "next-utils" | cut -d'"' -f4 | sed 's/\^//; s/\~//' | sort -V | tail -1)
            TAG_TO_WAIT="v$UPSTREAM_VERSION"
            
            if [[ -n "$UPSTREAM_VERSION" && "$UPSTREAM_VERSION" != "workspace:"* ]]; then
              # 1. Discovery (Works without token for public repositories)
              UPSTREAM_SHA=$(git ls-remote --tags https://git.infra.mintel.me/mmintel/at-mintel.git "$TAG_TO_WAIT" | grep "$TAG_TO_WAIT" | tail -n1 | awk '{print $1}')
              
              if [[ -z "$UPSTREAM_SHA" ]]; then
                echo "❌ Error: Tag $TAG_TO_WAIT not found in mmintel/at-mintel."
                exit 1
              fi
              echo "✅ Tag verified: Found upstream SHA $UPSTREAM_SHA for $TAG_TO_WAIT"

              # 2. Status Check (Requires GITEA_PAT for cross-repo API access)
              POLL_TOKEN="${{ secrets.GITEA_PAT || secrets.MINTEL_PRIVATE_TOKEN }}"
              
              if [[ -n "$POLL_TOKEN" ]]; then
                echo "⏳ GITEA_PAT found. Checking upstream build status..."
                curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
                  "https://git.infra.mintel.me/mmintel/at-mintel/raw/branch/main/packages/infra/scripts/wait-for-upstream.sh" > wait-for-upstream.sh
                chmod +x wait-for-upstream.sh
                GITEA_TOKEN="$POLL_TOKEN" ./wait-for-upstream.sh "mmintel/at-mintel" "$TAG_TO_WAIT"
              else
                echo "ℹ️ No GITEA_PAT secret found. Skipping build status wait (Actions API is restricted)."
                echo "   If this build fails, ensure that mmintel/at-mintel $TAG_TO_WAIT has finished its Docker build."
              fi
            fi
          fi

  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 2: QA (Lint, Typecheck, Test)
  # ──────────────────────────────────────────────────────────────────────────────
  qa:
    name: 🧪 QA
    needs: prepare
    if: needs.prepare.outputs.target != 'skip'
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 10
      - name: Get pnpm store directory
        id: pnpm-cache
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
      - name: Setup pnpm cache
        uses: actions/cache@v4
        with:
          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: 🔐 Registry Auth
        run: |
          echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
          echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: 🧪 QA Checks
        if: github.event.inputs.skip_checks != 'true'
        run: |
          pnpm lint
          pnpm typecheck
          pnpm test

  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 3: Build & Push
  # ──────────────────────────────────────────────────────────────────────────────
  build:
    name: 🏗️ Build
    needs: [prepare, qa]
    if: needs.prepare.outputs.target != 'skip'
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: 🐳 Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: 🔐 Registry Login
        run: echo "${{ secrets.REGISTRY_PASS }}" | docker login registry.infra.mintel.me -u "${{ secrets.REGISTRY_USER }}" --password-stdin
      - name: 🏗️ Build and Push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          provenance: false
          platforms: linux/arm64
          build-args: |
            NEXT_PUBLIC_BASE_URL=${{ needs.prepare.outputs.next_public_url }}
            NEXT_PUBLIC_TARGET=${{ needs.prepare.outputs.target }}
            DIRECTUS_URL=${{ needs.prepare.outputs.directus_url }}
            UMAMI_WEBSITE_ID=${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
            UMAMI_API_ENDPOINT=${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
            NPM_TOKEN=${{ secrets.REGISTRY_PASS }}
          tags: registry.infra.mintel.me/mintel/klz-cables.com:${{ needs.prepare.outputs.image_tag }}
          cache-from: type=registry,ref=registry.infra.mintel.me/mintel/klz-cables.com:buildcache-v3
          cache-to: type=registry,ref=registry.infra.mintel.me/mintel/klz-cables.com:buildcache-v3,mode=max
          secrets: |
            "NPM_TOKEN=${{ secrets.REGISTRY_PASS }}"

  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 4: Deploy
  # ──────────────────────────────────────────────────────────────────────────────
  deploy:
    name: 🚀 Deploy
    needs: [prepare, build, qa]
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    env:
      TARGET:               ${{ needs.prepare.outputs.target }}
      IMAGE_TAG:            ${{ needs.prepare.outputs.image_tag }}
      PROJECT_NAME:         ${{ needs.prepare.outputs.project_name }}
      NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
      DIRECTUS_URL:         ${{ needs.prepare.outputs.directus_url }}
      DIRECTUS_HOST:        cms.${{ needs.prepare.outputs.traefik_host }}
      TRAEFIK_HOST:         ${{ needs.prepare.outputs.traefik_host }}
      
      # Secrets mapping (Directus)
      DIRECTUS_KEY:            ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_KEY) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_KEY) || secrets.DIRECTUS_KEY || vars.DIRECTUS_KEY }}
      DIRECTUS_SECRET:         ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_SECRET) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_SECRET) || secrets.DIRECTUS_SECRET || vars.DIRECTUS_SECRET }}
      DIRECTUS_ADMIN_EMAIL:    ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_ADMIN_EMAIL) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_ADMIN_EMAIL) || secrets.DIRECTUS_ADMIN_EMAIL || vars.DIRECTUS_ADMIN_EMAIL || 'admin@mintel.me' }}
      DIRECTUS_ADMIN_PASSWORD: ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_ADMIN_PASSWORD) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_ADMIN_PASSWORD) || secrets.DIRECTUS_ADMIN_PASSWORD || vars.DIRECTUS_ADMIN_PASSWORD }}
      DIRECTUS_DB_NAME:        ${{ secrets.DIRECTUS_DB_NAME || vars.DIRECTUS_DB_NAME || 'directus' }}
      DIRECTUS_DB_USER:        ${{ secrets.DIRECTUS_DB_USER || vars.DIRECTUS_DB_USER || 'directus' }}
      DIRECTUS_DB_PASSWORD:    ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_DB_PASSWORD) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_DB_PASSWORD) || secrets.DIRECTUS_DB_PASSWORD || vars.DIRECTUS_DB_PASSWORD || 'directus' }}
      DIRECTUS_API_TOKEN:      ${{ (needs.prepare.outputs.target == 'testing' && secrets.TESTING_DIRECTUS_API_TOKEN) || (needs.prepare.outputs.target == 'staging' && secrets.STAGING_DIRECTUS_API_TOKEN) || secrets.DIRECTUS_API_TOKEN || vars.DIRECTUS_API_TOKEN }}
      
      # Secrets mapping (Mail)
      MAIL_HOST:        ${{ secrets.SMTP_HOST || vars.SMTP_HOST }}
      MAIL_PORT:        ${{ secrets.SMTP_PORT || vars.SMTP_PORT || '587' }}
      MAIL_USERNAME:    ${{ secrets.SMTP_USER || vars.SMTP_USER }}
      MAIL_PASSWORD:    ${{ secrets.SMTP_PASS || vars.SMTP_PASS }}
      MAIL_FROM:        ${{ secrets.SMTP_FROM || vars.SMTP_FROM }}
      MAIL_RECIPIENTS:  ${{ secrets.CONTACT_RECIPIENT || vars.CONTACT_RECIPIENT }}
      
      # Monitoring
      SENTRY_DSN:       ${{ secrets.SENTRY_DSN || vars.SENTRY_DSN }}
      
      # Gatekeeper
      GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}

      # Analytics
      UMAMI_WEBSITE_ID:    ${{ secrets.UMAMI_WEBSITE_ID || vars.UMAMI_WEBSITE_ID }}
      UMAMI_API_ENDPOINT:  ${{ secrets.UMAMI_API_ENDPOINT || vars.UMAMI_API_ENDPOINT || 'https://analytics.infra.mintel.me' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: 📝 Generate Environment
        shell: bash
        env:
          TRAEFIK_RULE:     ${{ needs.prepare.outputs.traefik_rule }}
          ENV_FILE:         ${{ needs.prepare.outputs.env_file }}
        run: |
          # Middleware Selection Logic
          # Regular app routes get auth on non-production
          # Unprotected routes (/stats, /errors) never get auth
          LOG_LEVEL=$( [[ "$TARGET" == "testing" || "$TARGET" == "development" ]] && echo "debug" || echo "info" )
          COOKIE_DOMAIN=.$(echo $NEXT_PUBLIC_BASE_URL | sed 's|https://||')
          STD_MW="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-compress"
          
          if [[ "$TARGET" == "production" ]]; then
            AUTH_MIDDLEWARE="$STD_MW"
            COMPOSE_PROFILES=""
          else
            # Order: Ratelimit -> Forward (Proto) -> Auth -> Compression
            AUTH_MIDDLEWARE="${PROJECT_NAME}-ratelimit,${PROJECT_NAME}-forward,${PROJECT_NAME}-auth,${PROJECT_NAME}-compress"
            COMPOSE_PROFILES="gatekeeper"
          fi
          AUTH_MIDDLEWARE_UNPROTECTED="$STD_MW"

          # Gatekeeper Origin
          GATEKEEPER_ORIGIN="$NEXT_PUBLIC_BASE_URL/gatekeeper"

          {
            echo "# Generated by CI - $TARGET"
            echo "IMAGE_TAG=$IMAGE_TAG"
            echo "NEXT_PUBLIC_BASE_URL=$NEXT_PUBLIC_BASE_URL"
            echo "GATEKEEPER_ORIGIN=$GATEKEEPER_ORIGIN"
            echo "SENTRY_DSN=$SENTRY_DSN"
            echo "LOG_LEVEL=$LOG_LEVEL"
            echo "MAIL_HOST=$MAIL_HOST"
            echo "MAIL_PORT=$MAIL_PORT"
            echo "MAIL_USERNAME=$MAIL_USERNAME"
            echo "MAIL_PASSWORD=$MAIL_PASSWORD"
            echo "MAIL_FROM=$MAIL_FROM"
            echo "MAIL_RECIPIENTS=$MAIL_RECIPIENTS"
            echo ""
            echo "# Directus"
            echo "DIRECTUS_URL=$DIRECTUS_URL"
            echo "DIRECTUS_HOST=$DIRECTUS_HOST"
            echo "DIRECTUS_KEY=$DIRECTUS_KEY"
            echo "DIRECTUS_SECRET=$DIRECTUS_SECRET"
            echo "DIRECTUS_ADMIN_EMAIL=$DIRECTUS_ADMIN_EMAIL"
            echo "DIRECTUS_ADMIN_PASSWORD=$DIRECTUS_ADMIN_PASSWORD"
            echo "DIRECTUS_DB_NAME=$DIRECTUS_DB_NAME"
            echo "DIRECTUS_DB_USER=$DIRECTUS_DB_USER"
            echo "DIRECTUS_DB_PASSWORD=$DIRECTUS_DB_PASSWORD"
            echo "DIRECTUS_DB_CLIENT=pg"
            echo "DIRECTUS_DB_HOST=directus-db"
            echo "DIRECTUS_DB_PORT=5432"
            echo "DIRECTUS_API_TOKEN=$DIRECTUS_API_TOKEN"
            echo "INTERNAL_DIRECTUS_URL=http://directus:8055"
            echo ""
            echo "# Gatekeeper"
            echo "GATEKEEPER_PASSWORD=$GATEKEEPER_PASSWORD"
            echo "AUTH_COOKIE_NAME=klz_gatekeeper_session"
            echo "COOKIE_DOMAIN=$COOKIE_DOMAIN"
            echo ""
            echo "# Analytics"
            echo "UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID"
            echo "UMAMI_API_ENDPOINT=$UMAMI_API_ENDPOINT"
            echo ""
            echo "TARGET=$TARGET"
            echo "SENTRY_ENVIRONMENT=$TARGET"
            echo "PROJECT_NAME=$PROJECT_NAME"
            printf 'TRAEFIK_HOST_RULE=%s\n' "$TRAEFIK_RULE"
            echo "TRAEFIK_HOST=$TRAEFIK_HOST"
            echo "TRAEFIK_ENTRYPOINT=websecure"
            echo "TRAEFIK_TLS=true"
            echo "TRAEFIK_CERT_RESOLVER=le"
            echo "ENV_FILE=$ENV_FILE"
            echo "COMPOSE_PROFILES=$COMPOSE_PROFILES"
            echo "AUTH_MIDDLEWARE=$AUTH_MIDDLEWARE"
            echo "AUTH_MIDDLEWARE_UNPROTECTED=$AUTH_MIDDLEWARE_UNPROTECTED"
          } > .env.deploy

          echo "--- Generated .env.deploy ---"
          cat .env.deploy
          echo "----------------------------"

      - name: 🚀 SSH Deploy
        shell: bash
        env:
          ENV_FILE:         ${{ needs.prepare.outputs.env_file }}
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.ALPHA_SSH_KEY }}" > ~/.ssh/id_ed25519
          chmod 600 ~/.ssh/id_ed25519
          ssh-keyscan -H alpha.mintel.me >> ~/.ssh/known_hosts 2>/dev/null

          # Transfer and Restart
          SITE_DIR="/home/deploy/sites/klz-cables.com"
          ssh root@alpha.mintel.me "mkdir -p $SITE_DIR/directus/schema $SITE_DIR/directus/uploads $SITE_DIR/directus/extensions"
          
          scp .env.deploy root@alpha.mintel.me:$SITE_DIR/$ENV_FILE
          scp docker-compose.yml root@alpha.mintel.me:$SITE_DIR/docker-compose.yml
          scp -r directus/schema root@alpha.mintel.me:$SITE_DIR/directus/
          
          ssh root@alpha.mintel.me "cd $SITE_DIR && echo '${{ secrets.REGISTRY_PASS }}' | docker login registry.infra.mintel.me -u '${{ secrets.REGISTRY_USER }}' --password-stdin"
          ssh root@alpha.mintel.me "cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' pull"
          ssh root@alpha.mintel.me "cd $SITE_DIR && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' up -d --remove-orphans"
          
          # Apply Directus Schema Snapshot if available
          ssh root@alpha.mintel.me "cd $SITE_DIR && if docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' exec -T directus ls /directus/schema/snapshot.yaml >/dev/null 2>&1; then echo '→ Applying Directus Schema Snapshot...' && docker compose -p '${{ needs.prepare.outputs.project_name }}' --env-file '$ENV_FILE' exec -T directus npx directus schema apply /directus/schema/snapshot.yaml --yes; fi"
          
          ssh root@alpha.mintel.me "docker system prune -f --filter 'until=24h'"

      - name: 🧹 Post-Deploy Cleanup (Runner)
        if: always()
        run: docker builder prune -f --filter "until=1h"

  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 5: Smoke Test (OG Images)
  # ──────────────────────────────────────────────────────────────────────────────
  smoke_test:
    name: 🧪 Smoke Test
    needs: [prepare, deploy]
    if: needs.deploy.result == 'success'
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 10
      - name: Get pnpm store directory
        id: pnpm-cache
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
      - name: Setup pnpm cache
        uses: actions/cache@v4
        with:
          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: 🔐 Registry Auth
        run: |
          echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
          echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: 🚀 Run OG Image Check
        env:
          TEST_URL: ${{ needs.prepare.outputs.next_public_url }}
        run: pnpm run check:og

  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 6: Lighthouse (Performance & Accessibility)
  # ──────────────────────────────────────────────────────────────────────────────
  lighthouse:
    name: ⚡ Lighthouse
    needs: [prepare, deploy]
    if: success() && needs.prepare.outputs.target != 'skip'
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 10
      - name: Get pnpm store directory
        id: pnpm-cache
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
      - name: Setup pnpm cache
        uses: actions/cache@v4
        with:
          path: ${{ steps.pnpm-cache.outputs.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: 🔐 Registry Auth
        run: |
          echo "@mintel:registry=https://${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}" > .npmrc
          echo "//${{ vars.REGISTRY_HOST || 'npm.infra.mintel.me' }}/:_authToken=${{ secrets.REGISTRY_PASS }}" >> .npmrc
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: 🔍 Install Chromium (Native & ARM64)
        run: |
          apt-get update
          apt-get install -y gnupg wget ca-certificates
          
          # Detect OS
          OS_ID=$(. /etc/os-release && echo $ID)
          CODENAME=$(. /etc/os-release && echo $VERSION_CODENAME)
          
          if [ "$OS_ID" = "debian" ]; then
            echo "🎯 Debian detected - installing native chromium"
            apt-get install -y chromium
          else
            echo "🎯 Ubuntu detected - adding xtradeb PPA"
            mkdir -p /etc/apt/keyrings
            KEY_ID="82BB6851C64F6880"
            
            # Fetch PPA key
            wget -qO- "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x$KEY_ID" | gpg --dearmor > /etc/apt/keyrings/xtradeb.gpg
            
            # Add PPA repository
            echo "deb [signed-by=/etc/apt/keyrings/xtradeb.gpg] http://ppa.launchpad.net/xtradeb/apps/ubuntu $CODENAME main" > /etc/apt/sources.list.d/xtradeb-ppa.list
            
            # PRIORITY PINNING: Force PPA over Snap-dummy
            printf "Package: *\nPin: release o=LP-PPA-xtradeb-apps\nPin-Priority: 1001\n" > /etc/apt/preferences.d/xtradeb
            
            apt-get update
            apt-get install -y --allow-downgrades chromium
          fi
          
          # Standardize binary paths
          [ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/google-chrome
          [ -f /usr/bin/chromium ] && ln -sf /usr/bin/chromium /usr/bin/chromium-browser
      - name: ⚡ Run Lighthouse CI
        env:
          NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
          GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
          CHROME_PATH: /usr/bin/chromium
          PAGESPEED_LIMIT: 8
        run: pnpm run pagespeed:test

      - name: ♿ Run WCAG Audit
        env:
          NEXT_PUBLIC_BASE_URL: ${{ needs.prepare.outputs.next_public_url }}
          GATEKEEPER_PASSWORD: ${{ secrets.GATEKEEPER_PASSWORD || 'klz2026' }}
          PAGESPEED_LIMIT: 8
        run: pnpm run check:wcag

  # ──────────────────────────────────────────────────────────────────────────────
  # JOB 7: Notifications
  # ──────────────────────────────────────────────────────────────────────────────
  notifications:
    name: 🔔 Notify
    needs: [prepare, deploy, smoke_test, lighthouse]
    if: always()
    runs-on: docker
    container:
      image: catthehacker/ubuntu:act-latest
    steps:
      - name: 🔔 Gotify
        run: |
          STATUS="${{ needs.deploy.result }}"
          TITLE="klz-cables.com: $STATUS"
          [[ "$STATUS" == "success" ]] && PRIORITY=5 || PRIORITY=8
          
          curl -s -k -X POST "${{ secrets.GOTIFY_URL }}/message?token=${{ secrets.GOTIFY_TOKEN }}" \
            -F "title=$TITLE" \
            -F "message=Deploy to ${{ needs.prepare.outputs.target }} finished with status $STATUS.\nVersion: ${{ needs.prepare.outputs.image_tag }}" \
            -F "priority=$PRIORITY" || true