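# CI workflow: on every push to main, run lint + tests, scan the repository
# for committed secrets, then build and push the container image.
#
# Checkout note: the auth header is passed as `git -c <cfg> clone ...`
# (command-scoped) rather than `git clone -c <cfg> ...`. The latter writes
# the setting into the new repository's .git/config, which would leave the
# job token on disk in a workspace that is then bind-mounted into containers
# running `pip install` and used as the `podman build` context.
name: ci

on:
  push:
    branches: [main]

jobs:
  # Lint and unit tests inside a throwaway Python container.
  test:
    runs-on: linux
    steps:
      # Shallow clone; the token is used for this command only and is not
      # persisted into .git/config.
      - run: |
          git -c "http.extraHeader=Authorization: token ${{ github.token }}" \
            clone --depth 1 \
            "${{ github.server_url }}/${{ github.repository }}.git" .
      # The checkout is mounted read-only, so nothing run in the container
      # can modify the workspace.
      # NOTE(review): ruff and pytest are installed unpinned, so tool
      # versions can change between runs; consider pinning them alongside
      # requirements.txt.
      - run: |
          podman run --rm \
            -v "$PWD:/app:ro" \
            -w /app \
            python:3.13-alpine \
            sh -c "pip install --no-cache-dir -r requirements.txt ruff pytest && \
                   ruff check src/ tests/ && \
                   PYTHONPATH=src pytest tests/ -v"

  # Secret scanning with gitleaks.
  secrets:
    runs-on: linux
    steps:
      # Full clone (no --depth) so the scanner has the whole history
      # available, not just the tip commit. The token is command-scoped and
      # not persisted into .git/config.
      - run: |
          git -c "http.extraHeader=Authorization: token ${{ github.token }}" \
            clone \
            "${{ github.server_url }}/${{ github.repository }}.git" .
      # NOTE(review): `:latest` is a mutable tag, so the scanner image can
      # change without any change to this file; pin it to a reviewed version
      # tag or image digest.
      - run: |
          podman run --rm \
            -v "$PWD:/scan:ro" \
            ghcr.io/gitleaks/gitleaks:latest \
            detect --source /scan -v

  # Build and publish the image; gated on both the test and secrets jobs.
  build:
    needs: [test, secrets]
    runs-on: linux
    steps:
      # Shallow clone. Keeping the token out of .git/config matters here
      # because the whole checkout directory is the build context below.
      - run: |
          git -c "http.extraHeader=Authorization: token ${{ github.token }}" \
            clone --depth 1 \
            "${{ github.server_url }}/${{ github.repository }}.git" .
      # Registry credentials reach the step through env and the password is
      # fed on stdin, so it does not appear on the podman command line.
      # NOTE(review): if this runner keeps state between jobs, the login
      # session stays in the runner's container auth file; consider a final
      # `podman logout harbor.mymx.me` step.
      - run: echo "$HARBOR_PASS" | podman login -u "$HARBOR_USER" --password-stdin harbor.mymx.me
        env:
          HARBOR_USER: ${{ secrets.HARBOR_USER }}
          HARBOR_PASS: ${{ secrets.HARBOR_PASS }}
      - run: podman build -t harbor.mymx.me/s5p/s5p:latest -f Containerfile .
      - run: podman push harbor.mymx.me/s5p/s5p:latest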