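name: SonarQube Code Quality Scan

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main ]

# NOTE(review): no top-level `permissions:` block is declared, so GITHUB_TOKEN gets the
# repository default scopes. Prefer an explicit least-privilege block (e.g. `contents: read`)
# once the scopes needed by the steps after "Fetch SonarQube Blocker Issues" are confirmed --
# that step (and anything after it) is truncated in the reviewed excerpt, so none is set here.
jobs:
  scan:
    # `windowsx64` is not a GitHub-hosted label, so this runs on a self-hosted machine whose
    # workspace and installed tools persist between runs. Running `pull_request` workflows on
    # a self-hosted runner executes contributor-controlled code on that machine; keep the
    # runner isolated and confirm fork PRs are gated by approval before they reach it.
    runs-on: windowsx64
    steps:
      # ============================
      # STEP 1: Checkout from Gitea
      # ============================
      # The code under scan is cloned from a Gitea mirror, not from the repository that
      # triggered the workflow, so the scanned commit is whatever that mirror's branch
      # currently points at rather than `github.sha`.
      - name: Checkout Code (Gitea Direct)
        # The ref name is handed to the script through the environment instead of being
        # expanded with `${{ }}` inside `run:`; an expression expanded there is spliced into
        # PowerShell source verbatim, and branch names are chosen by whoever pushes.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          # On a reused self-hosted workspace `git clone ... .` fails because the directory
          # is not empty; only clone when there is no checkout yet and refresh it otherwise.
          if (-not (Test-Path -LiteralPath ".git")) {
            git clone https://git.we965.cn/learning/VectorDBDemo.git .
            if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          }
          # The original `git fetch --depth=0` is rejected by git (depth must be positive),
          # and the failure was masked because only the last command's exit code fails a step.
          git fetch --tags --prune origin
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # Trailing `--` keeps git from reading the ref name as an option or a pathspec.
          # NOTE(review): on pull_request events github.ref_name is "<number>/merge", which
          # is unlikely to exist in the Gitea mirror -- confirm what should be checked out there.
          git checkout "$env:REF_NAME" --

      # ============================
      # STEP 2: Setup Sonar Scanner
      # ============================
      - name: Add Sonar Scanner to PATH
        # `-Append` matches the form GitHub documents for GITHUB_PATH and the later PATH
        # addition in this job; an overwrite would drop any entry added earlier in the step.
        run: |
          echo "D:\Paths\sonar-scanner-cli\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      # ============================
      # STEP 3: Check .NET SDK
      # ============================
      - name: Verify .NET SDK (Local)
        run: |
          dotnet --list-sdks
          dotnet --version

      # ============================
      # STEP 4: OWASP Dependency Check
      # ============================
      - name: Install OWASP Dependency Check
        # The release is version-pinned and fetched over TLS, but the archive is not checked
        # against a known digest or signature before it is unpacked and put on PATH.
        # NOTE(review): add a SHA-256 comparison here once the expected digest for
        # dependency-check-10.0.3-release.zip has been recorded from a trusted source.
        run: |
          Invoke-WebRequest -Uri "https://github.com/jeremylong/DependencyCheck/releases/download/v10.0.3/dependency-check-10.0.3-release.zip" -OutFile "dc.zip"
          Expand-Archive -Path "dc.zip" -DestinationPath "./dc" -Force
          echo "$PWD/dc/dependency-check/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append

      - name: Run OWASP Dependency Check
        # `./dc` holds the scanner's own jars and was unpacked into the scan root by the
        # previous step; excluding it keeps the tool's dependencies out of the project report.
        run: |
          dependency-check.bat --project "VectorDBDemo" --scan "." --exclude "**/dc/**" --format "XML" --out "./depcheck"

      # ============================
      # STEP 5: Build .NET
      # ============================
      - name: Build .NET Project
        run: |
          dotnet restore
          dotnet build --configuration Release

      # ============================
      # STEP 6: SonarQube Scan
      # ============================
      - name: SonarQube Full Scan
        # The token is passed via the environment rather than expanded into the script text,
        # so it is never written into the step's generated .ps1 file.
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        run: |
          # `dotnet tool install` exits non-zero when the tool is already present, which is
          # the normal case on a persistent runner; install only when it is missing.
          # NOTE(review): pin a `--version` for dotnet-sonarscanner so runs are reproducible.
          if (-not (dotnet tool list --global | Select-String -Quiet "dotnet-sonarscanner")) {
            dotnet tool install --global dotnet-sonarscanner
            if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          }
          # sonar.host.url is plain HTTP to the loopback address, so the token does not leave
          # the runner. NOTE(review): newer SonarQube releases prefer `sonar.token` over
          # `sonar.login`; kept as-is because the server version is not visible here.
          dotnet sonarscanner begin `
            /k:"vectordbdemo" `
            /d:sonar.host.url="http://127.0.0.1:9000" `
            /d:sonar.login="$env:SONAR_TOKEN" `
            /d:sonar.sources="./" `
            /d:sonar.exclusions="**/obj/**,**/bin/**" `
            /d:sonar.dependencyCheck.xmlReportPath="depcheck/dependency-check-report.xml"
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          dotnet build --configuration Release
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          dotnet sonarscanner end `
            /d:sonar.login="$env:SONAR_TOKEN"

      # ============================
      # STEP 7: Fetch Blocker Issues
      # ============================
      # NOTE(review): this step is cut off at the end of the reviewed excerpt; its body is
      # reproduced exactly as seen and must be completed from the full file.
      - name: Fetch SonarQube Blocker Issues
        id: fetch_issues
        run: |
          $projectKey = "vectordbdemo"
          $sonarApiUrl = "http://127.0.0.1:9000/api/issues/search?projectKeys=$projectKey&severities=BLOCKER&statuses=OPEN"
          $response = Invoke-R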