# CI for Go services on Gitea Actions.
# `shared` always runs; `test` and `image` activate when go.sum lands.
name: ci

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]

jobs:
  shared:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }

      - name: commitlint (PR only)
        if: github.event_name == 'pull_request'
        shell: bash
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          set -euo pipefail
          pattern='^(feat|fix|docs|chore|refactor|test|perf|build|ci|revert)(\([a-z0-9_/.-]+\))?!?: .{1,72}$'
          bad=0
          while IFS= read -r subject; do
            if ! [[ "$subject" =~ $pattern ]]; then
              echo "::error::Commit subject does not match Conventional Commits: $subject"
              bad=$((bad+1))
            fi
          done < <(git log --format=%s "${BASE_SHA}..${HEAD_SHA}")
          if [ "$bad" -gt 0 ]; then
            echo "::error::$bad commit(s) failed commitlint."
            exit 1
          fi
          echo "commitlint: OK"

      - name: gitleaks
        shell: bash
        run: |
          set -euo pipefail
          GL_VERSION=8.18.4
          curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}/gitleaks_${GL_VERSION}_linux_x64.tar.gz" \
            | tar -xz -C /tmp gitleaks
          /tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1

      - name: trivy fs scan
        shell: bash
        run: |
          set -euo pipefail
          TRIVY_VERSION=0.50.0
          curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
            | tar -xz -C /tmp trivy
          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist .

  test:
    runs-on: docker
    if: hashFiles('go.sum') != ''
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with: { go-version: '1.22' }

      - name: fmt
        run: test -z "$(gofmt -l .)"

      - name: vet
        run: go vet ./...

      - name: lint
        uses: golangci/golangci-lint-action@v6
        with: { version: latest }

      - name: test
        run: go test -race -coverprofile=cover.out ./...

      - name: coverage gate
        run: |
          go tool cover -func=cover.out | tail -1 | awk '{ if ($3+0 < 70.0) { print "coverage below 70%"; exit 1 } }'

      - name: build
        run: go build ./...

  image:
    needs: [shared, test]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && hashFiles('Dockerfile') != ''
    runs-on: docker
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: registry.yourplatform.com
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASS }}

      - uses: docker/build-push-action@v6
        with:
          push: true
          tags: |
            registry.yourplatform.com/${{ github.event.repository.name }}:sha-${{ github.sha }}
            registry.yourplatform.com/${{ github.event.repository.name }}:env-stage

      - uses: anchore/sbom-action@v0
        with:
          image: registry.yourplatform.com/${{ github.event.repository.name }}:sha-${{ github.sha }}

      - name: orca deploy stage
        run: orca apply --env=stage --image-tag=sha-${{ github.sha }}
        env:
          ORCA_TOKEN: ${{ secrets.ORCA_STAGE_TOKEN }}