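---
# Tekton CI pipeline for the fastapi-demo service:
# clone -> unit tests -> image build & push -> (placeholder) vulnerability scan
# -> GitOps manifest bump.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: fastapi-ci
  namespace: tekton-ci
spec:
  description: >-
    Clone the repository, run the unit tests, build and push the application
    image, then commit the new image tag to the deployment manifest.
  params:
    - name: git-url
      type: string
      description: Repository to clone and to push the manifest update back to.
    - name: git-revision
      type: string
      description: Revision (branch, tag or SHA) to test and build.
    - name: image-tag
      type: string
      description: >-
        Tag for the built image. The value is interpolated into shell scripts
        and a sed replacement, so restrict it to a valid OCI tag (letters,
        digits, '.', '_', '-') when creating the PipelineRun.
    - name: image-repo
      type: string
      default: registry.plfai.cn/fastapi-demo
      description: Image repository (without tag) to build, push and deploy.
    - name: gitops-branch
      type: string
      default: main
      description: Branch that receives the deployment manifest update.
  workspaces:
    - name: source
      description: Checked-out source tree shared by the tasks.
    - name: dockerconfig
      optional: true
      description: >-
        Registry credentials as a kubernetes.io/dockerconfigjson secret
        (key .dockerconfigjson). When unbound the push runs unauthenticated.
  tasks:
    # 1. Fetch the source
    - name: git-clone
      taskRef:
        name: git-clone
      params:
        - name: url
          value: $(params.git-url)
        - name: revision
          value: $(params.git-revision)
      workspaces:
        - name: output
          workspace: source

    # 2. Unit tests
    - name: pytest
      runAfter: [git-clone]
      workspaces:
        - name: source
          workspace: source
      taskSpec:
        # The embedded task must declare the workspace it is bound to and
        # whose path the script references.
        workspaces:
          - name: source
        steps:
          - name: test
            image: python:3.10-slim
            script: |
              #!/bin/sh
              set -eu
              cd "$(workspaces.source.path)"
              # requirements.txt is resolved from the network on every run;
              # pinned versions with hashes (pip --require-hashes) would make
              # the test environment reproducible.
              pip install -r requirements.txt
              pytest app/test_main.py -v

    # 3. Build and push the image (Docker CLI against the node's docker socket)
    - name: build-and-push
      runAfter: [pytest]
      workspaces:
        - name: source
          workspace: source
        - name: dockerconfig
          workspace: dockerconfig
      taskSpec:
        # Node placement is not a TaskSpec field. The original pinned this task
        # to the node running the docker daemon (k8smaster); do that from the
        # PipelineRun instead: spec.taskRunSpecs[].podTemplate.nodeSelector.
        workspaces:
          - name: source
          - name: dockerconfig
            optional: true
        steps:
          - name: docker-build-push
            image: docker:cli
            env:
              - name: DOCKER_HOST
                value: unix:///var/run/docker.sock
            script: |
              #!/bin/sh
              set -eu
              cd "$(workspaces.source.path)"
              IMAGE="$(params.image-repo):$(params.image-tag)"
              # The dockerconfig workspace holds a docker config.json under the
              # key .dockerconfigjson. Point the CLI at it via DOCKER_CONFIG;
              # the JSON file is not a password, so it must not be piped into
              # `docker login --password-stdin`.
              if [ "$(workspaces.dockerconfig.bound)" = "true" ]; then
                export DOCKER_CONFIG=/tmp/docker
                mkdir -p "$DOCKER_CONFIG"
                cp "$(workspaces.dockerconfig.path)/.dockerconfigjson" "$DOCKER_CONFIG/config.json"
              fi
              docker build -t "$IMAGE" .
              docker push "$IMAGE"
            volumeMounts:
              - name: docker-sock
                mountPath: /var/run/docker.sock
        volumes:
          # Mounting the host docker socket gives this step root-equivalent
          # control of the node; keep the task on a dedicated build node and
          # only build trusted source with it.
          - name: docker-sock
            hostPath:
              path: /var/run/docker.sock
              type: Socket

    # 4. Image vulnerability scan (placeholder: the trivy image may be
    #    unreachable offline)
    - name: trivy-scan
      runAfter: [build-and-push]
      taskSpec:
        steps:
          - name: scan
            image: alpine
            script: |
              #!/bin/sh
              # Placeholder only: nothing is scanned and the task always
              # succeeds, so it is not a release gate. Replace with a real
              # trivy step once the scanner image is reachable.
              echo "Trivy scan skipped (offline). Image: $(params.image-repo):$(params.image-tag)"
              echo "Run: trivy image --severity=HIGH,CRITICAL $(params.image-repo):$(params.image-tag)"

    # 5. Update the deployment manifest (GitOps)
    - name: gitops-update
      runAfter: [trivy-scan]
      taskSpec:
        steps:
          - name: update-image
            image: alpine/git
            script: |
              #!/bin/sh
              set -eu
              # NOTE(review): no git credentials are wired into this task; the
              # push can only succeed if access comes with the clone URL or
              # the pod's environment — confirm how they are supplied.
              git clone --branch "$(params.gitops-branch)" "$(params.git-url)" /workspace/repo
              cd /workspace/repo
              sed -i "s|image: $(params.image-repo):.*|image: $(params.image-repo):$(params.image-tag)|" \
                k8s/deployment.yaml
              # Fail here if the sed pattern did not match, rather than with a
              # confusing "nothing to commit" from git later.
              grep -q "image: $(params.image-repo):$(params.image-tag)" k8s/deployment.yaml
              # Re-running for a tag that is already deployed is a no-op.
              if git diff --quiet -- k8s/deployment.yaml; then
                echo "k8s/deployment.yaml already references $(params.image-tag); nothing to push"
                exit 0
              fi
              git config user.email "tekton@plfai.cn"
              git config user.name "Tekton CI"
              git add k8s/deployment.yaml
              git commit -m "ci: update image to $(params.image-tag) [skip ci]"
              git push origin "$(params.gitops-branch)"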