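---
# CI workflow: lint and test on every push/PR to master, scan the repository
# for leaked secrets, and (push to master only) build the container image and
# push it to the private Harbor registry.
#
# NOTE(review): `actions/checkout@v4` and the `python:3.12-alpine` /
# `gitleaks:latest` images are tag-pinned, not digest-pinned, so the exact code
# that runs can change underneath this workflow.  If supply-chain
# reproducibility matters here, pin them, e.g.
# `actions/checkout@<FULL_COMMIT_SHA>` and `image@sha256:<DIGEST>`.
name: CI

# `on` is a YAML 1.1 boolean key; the Actions loader handles it.
on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  # Static analysis only; the checkout is mounted read-only into the tool
  # container so the linter cannot modify the workspace.
  lint:
    runs-on: linux  # presumably a self-hosted runner label — confirm
    steps:
      - uses: actions/checkout@v4
      - name: Lint
        run: |
          podman run --rm \
            -v "$PWD:/app:ro" \
            -w /app \
            python:3.12-alpine \
            sh -c "pip install --no-cache-dir -q ruff && \
                   ruff check src/ tests/"

  # Unit tests run in a throwaway container; runtime deps come from
  # requirements.txt, test-only deps are added on top.
  test:
    runs-on: linux
    needs: [lint]
    steps:
      - uses: actions/checkout@v4
      - name: Test
        run: |
          podman run --rm \
            -v "$PWD:/app:ro" \
            -w /app \
            python:3.12-alpine \
            sh -c "pip install --no-cache-dir -q -r requirements.txt && \
                   pip install --no-cache-dir -q pytest pytest-asyncio && \
                   PYTHONPATH=src pytest tests/ -v"

  # Secret scanning over the full git history (fetch-depth: 0), not just the
  # current tree, so a credential committed and later removed is still found.
  secrets:
    runs-on: linux
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Scan for secrets
        # `--redact` masks the matched secret value in the finding output;
        # without it, a real credential that gitleaks finds would be printed
        # verbatim into the CI log, which is often far more widely readable
        # than the repository itself.
        run: |
          podman run --rm \
            -v "$PWD:/scan:ro" \
            ghcr.io/gitleaks/gitleaks:latest \
            detect --source /scan -v --redact

  # Image build and publish.  Gated to direct pushes on master so pull
  # requests never reach the registry credentials.
  build:
    runs-on: linux
    needs: [test, secrets]
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    steps:
      - uses: actions/checkout@v4
      - name: Login to Harbor
        # Password is fed on stdin rather than as an argument, so it does not
        # appear in the process list or shell trace.
        run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
      - name: Build and push
        # `${GITHUB_SHA::8}` is a bash-only substring expansion; declare the
        # shell explicitly instead of relying on the runner's default.
        shell: bash
        run: |
          TAG="harbor.mymx.me/library/bouncer:${GITHUB_SHA::8}"
          LATEST="harbor.mymx.me/library/bouncer:latest"
          podman build -t "$TAG" -t "$LATEST" -f Containerfile .
          podman push "$TAG"
          podman push "$LATEST"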