name: CI
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened

jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          output-file: hadolint.out
          format: sonarqube
          no-fail: true

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      - name: uv cache
        uses: actions/cache@v4
        with:
          path: /tmp/.uv-cache
          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
          restore-keys: |
            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
            uv-${{ runner.os }}

      - name: Install dependencies
        run: uv sync
      
      - name: Check Import Sorting
        run: uv run isort --check app/ tests/

      - name: Lint
        run: |
          uv run pylint --fail-under=8 --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
          cat lintreport.txt

      - name: Unit Test
        run: |
          uv run coverage run -m pytest -v --junitxml=testresults.xml
          uv run coverage report
        # sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml

      - name: Minimize uv cache
        run: uv cache prune --ci

      # - name: SonarQube Scan
      #   uses: SonarSource/sonarqube-scan-action@v5.2.0
      #   env:
      #     SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST_URL }}
      #     SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}

      - name: Set up environment for Snyk
        run: |
          uv pip freeze > requirements.txt
          mv pyproject.toml pyproject.toml.bak
          mv uv.lock uv.lock.bak

      - name: Snyk SAST Scan
        uses: snyk/actions/python@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # command: snyk
          args: snyk code test #--all-projects --exclude=.archive

      - name: Snyk Vulnerability Scan
        uses: snyk/actions/python@master
        continue-on-error: true # Sometimes vulns aren't immediately fixable
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
          DEBUG: "*snyk*"
        with:
          # command: snyk
          args: snyk test #--all-projects --exclude=.archive
      
      - name: Reverse set up environment for Snyk
        run: |
          rm -f requirements.txt
          mv pyproject.toml.bak pyproject.toml
          mv uv.lock.bak uv.lock

      # - name: Trivy Setup
      #   uses: aquasecurity/setup-trivy@v0.2.0
      #   with:
      #     cache: true
      #     version: v0.61.1

      # - name: Trivy Vulnerability Scan
      #   uses: aquasecurity/trivy-action@master
      #   with:
      #     skip-setup-trivy: true
      #     scan-type: "fs"
      #     scan-ref: "${{ gitea.workspace }}"
      #     exit-code: "1"
      #     ignore-unfixed: true
      #     format: "table"
      #     severity: "CRITICAL,HIGH,MEDIUM"
      #     scanners: "vuln,secret,misconfig,license"
      
      # - name: Trivy Vulnerability Scan (Docker)
      #   uses: aquasecurity/trivy-action@master
      #   with:
      #     skip-setup-trivy: true
      #     image-ref: "docker.io/my-organization/my-app:${{ github.sha }}"
      #     format: "table"
      #     exit-code: "1"
      #     ignore-unfixed: true
      #     vuln-type: 'os,library'
      #     severity: "CRITICAL,HIGH,MEDIUM"