name: Build, test, security
on:
  push:
    branches-ignore:
      - main
jobs:
  Clone-repo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/upload-artifact@v3
        with:
          name: source-code
          path: .

  Unit-tests:
    runs-on: ubuntu-latest
    needs: Clone-repo
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: source-code
          path: .
      - run: make tests

  clang-analysis:
    runs-on: ubuntu-latest
    needs: Clone-repo
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: source-code
          path: .
      - run: make static-analysis

  SAST-flawfinder:
    runs-on: ubuntu-latest
    needs: Clone-repo
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: source-code
          path: .
      - run: sudo apt-get install -y flawfinder
      - run: make security-analysis

  Build:
    runs-on: ubuntu-latest
    needs: [ Unit-tests, clang-analysis, SAST-flawfinder ]
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: source-code
          path: .
      - name: Build server and browser
        run: make dev
      - uses: actions/upload-artifact@v3
        with:
          name: dev-build-files
          path: ./build

  Trivy-dev-test:
    runs-on: ubuntu-latest
    needs: Build
    permissions:
      security-events: write
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: source-code
          path: .
      - uses: actions/download-artifact@v3
        with:
          name: dev-build-files
          path: ./build
      - uses: docker/setup-buildx-action@v1
      - run: docker build -t pico-web-dev -f ./docker/dev/Dockerfile .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: pico-web-dev
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: 0
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
          sha: ${{ github.sha }}
          ref: ${{ github.ref }}

  Trivy-prod-test:
    runs-on: ubuntu-latest
    needs: Build
    permissions:
      security-events: write
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: source-code
          path: .
      - uses: docker/setup-buildx-action@v1
      - run: docker build -t pico-web -f ./docker/prod/Dockerfile .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: pico-web
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: 0
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
          sha: ${{ github.sha }}
          ref: ${{ github.ref }}