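---
# CI for the "bouncer" service: lint, test and secret-scan every push and
# pull request against master; on pushes to master also build the image and
# push it to Harbor.
#
# Every job clones the repository itself (no checkout action), so the
# checkout step is repeated per job on purpose: this workflow syntax does not
# support YAML anchors for sharing steps, and each job runs in a different
# base image.
name: CI

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege for the workflow token: nothing below writes back to the
# repository (the image is pushed to Harbor with its own credentials).
permissions:
  contents: read

jobs:
  lint:
    runs-on: linux
    container:
      # NOTE(review): consider pinning all container images by digest so the
      # toolchain cannot change underneath a previously green build.
      image: python:3.12-alpine
    steps:
      - name: Checkout
        # The token is handed to the script through the environment rather
        # than expanded into its text, and is stripped from the remote URL
        # once the clone is done so it does not linger in .git/config for
        # later steps (or a build context) to pick up.
        # NOTE(review): on pull_request events GITHUB_REF_NAME is usually the
        # PR merge ref ("N/merge"), which `git clone --branch` cannot resolve;
        # confirm this works on the runner in use. Applies to every job here.
        env:
          GIT_TOKEN: ${{ github.token }}
        run: |
          set -eu
          apk add --no-cache -q git
          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${GIT_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
          git remote set-url origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
      - name: Install ruff
        run: pip install --no-cache-dir -q ruff
      - name: Lint
        run: ruff check src/ tests/

  test:
    runs-on: linux
    needs: [lint]
    container:
      image: python:3.12-alpine
    steps:
      - name: Checkout
        # Same clone procedure as the lint job; see the comment there.
        env:
          GIT_TOKEN: ${{ github.token }}
        run: |
          set -eu
          apk add --no-cache -q git
          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${GIT_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
          git remote set-url origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
      - name: Install deps
        # NOTE(review): requirements.txt is installed without hash checking;
        # if it is hash-pinned, add --require-hashes so a tampered index
        # cannot substitute a package.
        run: |
          pip install --no-cache-dir -q -r requirements.txt
          pip install --no-cache-dir -q pytest pytest-asyncio
      - name: Test
        run: PYTHONPATH=src pytest tests/ -v

  secrets:
    runs-on: linux
    container:
      image: alpine:latest
    steps:
      - name: Checkout
        # Deliberately not a shallow clone: gitleaks scans the full history
        # reachable from the branch, not just the working tree.
        env:
          GIT_TOKEN: ${{ github.token }}
        run: |
          set -eu
          apk add --no-cache -q git curl
          git clone --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${GIT_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
          git remote set-url origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
      - name: Install gitleaks
        # Resolving "latest" at run time means the scanner can change without
        # a commit; set GITLEAKS_VERSION to pin it. Either way the tarball is
        # downloaded to a file and verified against the release's checksums
        # file before anything is extracted onto PATH, and a failed download
        # fails the step instead of feeding an empty stream to tar.
        env:
          GITLEAKS_VERSION: ""  # e.g. "X.Y.Z" (a released version); empty = resolve latest
        run: |
          set -eu
          ARCH=$(uname -m | sed 's/x86_64/x64/;s/aarch64/arm64/')
          VER="${GITLEAKS_VERSION:-$(curl -sI https://github.com/gitleaks/gitleaks/releases/latest | grep -i location | grep -oE 'v[0-9.]+' | tr -d v)}"
          [ -n "$VER" ] || { echo "could not determine gitleaks version" >&2; exit 1; }
          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${VER}"
          TARBALL="gitleaks_${VER}_linux_${ARCH}.tar.gz"
          cd "$(mktemp -d)"
          curl -fsSL -o "$TARBALL" "${BASE}/${TARBALL}"
          curl -fsSL -o checksums.txt "${BASE}/gitleaks_${VER}_checksums.txt"
          grep " ${TARBALL}\$" checksums.txt | sha256sum -c -
          tar xzf "$TARBALL" -C /usr/local/bin/ gitleaks
      - name: Scan for secrets
        # -v prints each finding; --redact masks the matched value so a real
        # leak is reported without being copied into the CI log.
        run: gitleaks detect --source . -v --redact

  build:
    runs-on: linux
    needs: [test, secrets]
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    container:
      image: docker:latest
    steps:
      - name: Checkout
        # The build context below is the whole checkout including .git, so
        # stripping the token from the remote URL here is what keeps it out
        # of the image if the Containerfile copies the context wholesale.
        # NOTE(review): a .dockerignore excluding .git is still advisable.
        env:
          GIT_TOKEN: ${{ github.token }}
        run: |
          set -eu
          apk add --no-cache -q git
          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${GIT_TOKEN}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
          git remote set-url origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
      - name: Login to Harbor
        # Credentials come from the job environment and the password is fed
        # on stdin so it never appears in the process list or the log.
        run: echo "$HARBOR_PASS" | docker login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
      - name: Build and push
        # Tagged with the short commit SHA for traceability and with latest
        # for consumers that track the tip of master.
        run: |
          TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
          LATEST="harbor.mymx.me/library/bouncer:latest"
          docker build --push -t "$TAG" -t "$LATEST" -f Containerfile .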