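---
# Frontend CI: lint and typecheck, secret / SAST / dependency / image
# scans, then a gated push to Harbor from main or a v* tag only.
# Every scan job is a hard gate for `push` (see its `needs`).
name: frontend-ci

on:  # yamllint disable-line rule:truthy
  push:
    branches: ["**"]
    tags: ["v*"]
  pull_request:

# Least privilege for GITHUB_TOKEN: no job writes back to the repository
# (no releases, no PR comments) and the registry login uses dedicated
# Harbor secrets, so read-only is sufficient for every job below.
permissions:
  contents: read

env:
  IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/frontend

# NOTE(review): all third-party actions are referenced by mutable tags
# (@v4, @v3, @v5, @v1). Pinning each to a full commit SHA would remove the
# tag-repointing risk; SHAs are deliberately not guessed in this file.

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: npm
          cache-dependency-path: package-lock.json
      - run: npm ci
      - run: npx eslint .

  typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: npm
      - run: npm ci
      - run: npx tsc -b

  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so gitleaks inspects every commit, not just HEAD.
          fetch-depth: 0
      - name: Install and run gitleaks
        run: |
          GL_VERSION=8.18.4
          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}"
          ARCHIVE="gitleaks_${GL_VERSION}_linux_x64.tar.gz"
          curl -sSL -o "/tmp/${ARCHIVE}" "${BASE}/${ARCHIVE}"
          curl -sSL -o /tmp/gitleaks_checksums.txt "${BASE}/gitleaks_${GL_VERSION}_checksums.txt"
          # Verify the archive against the release's published checksum list
          # before unpacking. This catches a truncated or corrupted download;
          # authenticity still rests on TLS to github.com.
          (cd /tmp && sha256sum --check --ignore-missing gitleaks_checksums.txt)
          tar xzf "/tmp/${ARCHIVE}" -C /tmp gitleaks
          # --redact keeps matched secret values out of the job log.
          /tmp/gitleaks detect --redact --no-banner --verbose --source .

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: returntocorp/semgrep-action@v1
        with:
          config: "p/auto"

  fs-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install and run Trivy (filesystem)
        run: |
          TRIVY_VERSION=0.70.0
          BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          ARCHIVE="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          curl -sSL -o "/tmp/${ARCHIVE}" "${BASE}/${ARCHIVE}"
          curl -sSL -o /tmp/trivy_checksums.txt "${BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Same integrity check as the gitleaks job: reject a corrupted
          # archive before executing anything from it.
          (cd /tmp && sha256sum --check --ignore-missing trivy_checksums.txt)
          tar xzf "/tmp/${ARCHIVE}" -C /tmp trivy
          # --ignore-unfixed is a deliberate trade-off: HIGH/CRITICAL findings
          # with no available fix are not reported, so they will not block CI.
          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress .

  build:
    runs-on: ubuntu-latest
    needs: [lint, typecheck]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          target: production
          tags: movieloop-frontend:ci-${{ github.sha }}
          # load into the local daemon so the image scan below can read it
          load: true
      - name: Install and run Trivy (image)
        run: |
          TRIVY_VERSION=0.70.0
          BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          ARCHIVE="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          curl -sSL -o "/tmp/${ARCHIVE}" "${BASE}/${ARCHIVE}"
          curl -sSL -o /tmp/trivy_checksums.txt "${BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
          (cd /tmp && sha256sum --check --ignore-missing trivy_checksums.txt)
          tar xzf "/tmp/${ARCHIVE}" -C /tmp trivy
          /tmp/trivy image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress \
            movieloop-frontend:ci-${{ github.sha }}

  push:
    runs-on: ubuntu-latest
    needs: [build, secrets-scan, sast, fs-scan]
    # Only main and v* tags publish. On pull_request events github.ref is
    # refs/pull/<n>/merge, so this job is skipped and no registry secret is
    # ever needed in a PR context.
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ secrets.HARBOR_HOST }}
          username: ${{ secrets.MOVIELOOP_USERNAME }}
          password: ${{ secrets.MOVIELOOP_PASSWORD }}
      - uses: docker/metadata-action@v5
        id: meta
        with:
          images: ${{ env.IMAGE }}
          tags: |
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            type=sha,format=long
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      # NOTE(review): this step builds the image again rather than promoting
      # the artifact that the `build` job scanned, so the pushed image is not
      # byte-for-byte the scanned one. Passing the scanned image through by
      # digest (or scanning after push, before tagging) would close that gap.
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          target: production
          push: true
          tags: ${{ steps.meta.outputs.tags }}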