.github/workflows/ci.yml

name: CI

on:
  push:
    branches:
      - main
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'

env:
  REGISTRY: ghcr.io
  POETRY_CACHE_DIR: ~/.cache/pypoetry
  IMAGE_NAME: ${{ github.repository }}
  PYTHON_VERSION: "3.11"

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install poetry
        run: pipx install poetry

      - name: Set up Python ${{ env.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"

      - name: Install dependencies
        run: poetry install

      - name: run ruff
        run: poetry run ruff check --output-format=github

      - name: run format
        run: poetry run ruff format --check

      - name: run pyright
        run: poetry run pyright

  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install poetry
        run: pipx install poetry

      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "poetry"

      - name: Install dependencies
        run: poetry install

      - name: Generate SBOM
        run: poetry run cyclonedx-py poetry > sbom.json

      - name: Generace licenses file
        run: |
          poetry run pip-licenses  --order=license --format=json --with-description > licenses.txt

      - name: Upload SBOM and licenses
        uses: actions/upload-artifact@v4
        with:
          name: sbom-licenses-${{ github.sha }}.json
          path: |
            sbom.json
            licenses.txt
          if-no-files-found: error
          overwrite: true

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          trivy-config: trivy.yaml

  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12"]

    steps:
      - uses: actions/checkout@v4

      - name: Install poetry
        run: pipx install poetry

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"

      - name: Install dependencies
        run: poetry install

      - name: run pytest
        run: poetry run coverage run -m pytest

      - name: run coverage
        run: poetry run coverage report

      - name: run coverage
        run: poetry run coverage html

      - name: Upload code coverage report
        if: ${{ matrix.python-version }} == '3.11'
        uses: actions/upload-artifact@v4
        with:
          name: codecoverage-${{ github.sha }}
          path: htmlcov/
          if-no-files-found: error
          overwrite: true


  build:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4

      - name: Log in to the Container registry
        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1 #todo: set to version
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64,darwin/amd64

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          trivy-config: trivy.yaml
          scan-type: image
          github-pat: ${{ secrets.GITHUB_TOKEN }}

  # notifyMattermost:
  #   runs-on: ubuntu-latest
  #   if: failure()
  #   steps:
  #     - uses: mattermost/action-mattermost-notify@master
  #       with:
  #         MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }}
  #         MATTERMOST_CHANNEL: the-best-channel
  #         TEXT: |
  #           This is a message from ${{ github.repository }}.
  #           [Pipeline](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) failed :fire:
  #         MATTERMOST_USERNAME: ${{ github.triggering_actor }}