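# CI workflow: runs on pull-request activity, checks out the code, sets up Go,
# resolves modules and runs a Snyk Code (SAST) scan.
# The commented-out steps are retained from the original file; they reference
# Python tooling (uv, pylint, pytest) and Hadolint/SonarQube and are inactive.
name: CI

on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened

# Least privilege for the job token: the active steps below only read the
# checked-out source. NOTE(review): some Actions-compatible runners ignore
# `permissions`; confirm it is enforced on the platform this runs on.
permissions:
  contents: read

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v6.0.1
        with:
          # Full history, as in the original configuration.
          fetch-depth: 0
          # Do not leave the job token in .git/config: no later step visibly
          # needs git access to this repository, and a third-party action
          # runs further down in the same workspace.
          persist-credentials: false

      # - name: Run Hadolint
      #   uses: hadolint/hadolint-action@v3.3.0
      #   with:
      #     dockerfile: Dockerfile
      #     output-file: hadolint.out
      #     format: sonarqube
      #     no-fail: true

      - name: Setup Go
        uses: actions/setup-go@v6.1.0
        with:
          # Quoted so the version stays a string rather than a float.
          go-version: "1.23"

      # - name: uv cache
      #   uses: actions/cache@v5
      #   with:
      #     path: /tmp/.uv-cache
      #     key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
      #     restore-keys: |
      #       uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
      #       uv-${{ runner.os }}

      # NOTE(review): `go mod tidy` may rewrite go.mod/go.sum inside the CI
      # workspace, so the tree that gets scanned can differ from what was
      # committed. Consider `go mod download` followed by `go mod verify` if
      # the intent is to check the committed dependency set.
      - name: Install dependencies
        run: go mod tidy

      # - name: Check Import Sorting
      #   run: uv run isort --check app/ tests/

      # - name: Lint
      #   run: |
      #     uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
      #     cat lintreport.txt

      # - name: Unit Test
      #   run: |
      #     uv run coverage run -m pytest -v --junitxml=testresults.xml
      #     uv run coverage report
      #     sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml

      # - name: Minimize uv cache
      #   run: uv cache prune --ci

      # - name: SonarQube Scan
      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
      #   env:
      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

      # - name: Set up environment for Snyk
      #   run: |
      #     uv pip freeze > requirements.txt
      #     mv pyproject.toml pyproject.toml.bak
      #     mv uv.lock uv.lock.bak

      # NOTE(review): `@master` is a mutable ref and this step receives
      # SNYK_TOKEN, so whatever upstream's branch points to at run time
      # executes with the secret. Pin to a reviewed full commit SHA, e.g.
      # `snyk/actions/golang@<FULL_COMMIT_SHA>`, and update it deliberately.
      - name: Snyk SAST Scan
        uses: snyk/actions/golang@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # NOTE(review): `command` is left unset here while `args` carries
          # the full `snyk code test` string; confirm in the job log that
          # Snyk Code actually runs rather than the action's default command
          # with extra positional arguments.
          # command: snyk
          args: snyk code test  # --all-projects --exclude=.archive

      # - name: Snyk Vulnerability Scan
      #   uses: snyk/actions/python@master
      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #     DEBUG: "*snyk*"
      #   with:
      #     # command: snyk
      #     args: snyk test #--all-projects --exclude=.archive

      # - name: Reverse set up environment for Snyk
      #   run: |
      #     rm -f requirements.txt
      #     mv pyproject.toml.bak pyproject.toml
      #     mv uv.lock.bak uv.lock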