name: CI
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install gitleaks
        run: |
          VERSION=$(curl -sI https://github.com/gitleaks/gitleaks/releases/latest | grep -i '^location:' | grep -oP 'v[\d.]+')
          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/${VERSION}/gitleaks_${VERSION#v}_linux_x64.tar.gz" \
            | tar xz -C /usr/local/bin gitleaks
      - name: Scan for secrets
        run: gitleaks detect --source . --verbose

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.13"
      - run: pip install -e . && pip install ruff
      - run: ruff check src/ tests/ plugins/

  test:
    runs-on: ubuntu-latest
    needs: [lint]
    strategy:
      matrix:
        python-version: ["3.11", "3.12", "3.13"]
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
      - run: pip install -e . && pip install pymumble pytest
      - run: pytest -v

  build:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    needs: [gitleaks, test]
    steps:
      - uses: actions/checkout@v4
      - name: Login to Harbor
        run: >-
          echo "${{ secrets.HARBOR_PASS }}" |
          docker login harbor.mymx.me
          -u "${{ secrets.HARBOR_USER }}"
          --password-stdin
      - name: Build and push
        run: |
          TAG="harbor.mymx.me/library/derp:${GITHUB_SHA::8}"
          LATEST="harbor.mymx.me/library/derp:latest"
          docker build -t "$TAG" -t "$LATEST" .
          docker push "$TAG"
          docker push "$LATEST"