name: ci

on:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.13'
      - run: pip install pyyaml ruff pytest
      - run: ruff check src/ tests/
      - run: PYTHONPATH=src pytest tests/ -v

  secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: |
          docker run --rm \
            -v "$PWD:/scan:ro" \
            ghcr.io/gitleaks/gitleaks:latest \
            detect --source /scan -v

  build:
    needs: [test, secrets]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          mkdir -p ~/.docker
          AUTH=$(printf '%s:%s' "$HARBOR_USER" "$HARBOR_PASS" | base64 -w0)
          printf '{"auths":{"harbor.mymx.me":{"auth":"%s"}}}\n' "$AUTH" > ~/.docker/config.json
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
      - run: docker build --push -t harbor.mymx.me/s5p/s5p:latest -f Containerfile .