.github/workflows/ci-checks.yml

name: CI Checks

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  build:
    name: Build Docker image
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Build
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./Dockerfile
          build-args: RAILS_ENV=test
          push: false
          tags: complete-app:ci
          cache-from: type=gha
          cache-to: type=gha,mode=min
          outputs: type=docker,dest=/tmp/base.tar
      -
        name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: complete-app-ci
          path: /tmp/base.tar

  lint-and-format:
    name: Linting and formatting
    runs-on: ubuntu-latest
    needs: build
    steps:
      -
        name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: complete-app-ci
          path: /tmp
      -
        name: Load image
        run: |
          docker load --input /tmp/base.tar
          docker image ls -a
      -
        name: Run linters and formaters
        run: |
          docker run --rm complete-app:ci /bin/bash -c "bin/standardrb -f simple && bin/erb_lint --lint-all \
          && yarn run lint:format && yarn run lint:js"

  static-analysis:
    name: Static analysis
    runs-on: ubuntu-latest
    needs: build
    steps:
      -
        name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: complete-app-ci
          path: /tmp
      -
        name: Load image
        run: |
          docker load --input /tmp/base.tar
          docker image ls -a
      -
        name: Run Brakeman
        run: |
          docker run --rm complete-app:ci /bin/bash -c "bin/brakeman"

  specs:
    name: Specs and coverage
    runs-on: ubuntu-latest
    needs: build
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: complete-app-ci
          path: /tmp
      -
        name: Load image
        run: |
          docker load --input /tmp/base.tar
          docker image ls -a
      -
        name: Run RSpec and Simplecov
        run: |
          docker compose -p complete-app -f docker-compose.checks.yml \
            run --name complete-app test /bin/bash -c "bin/rails spec"
      -
        name: Grab coverage report from container
        run:
          docker cp complete-app:/srv/app/coverage/coverage.json coverage/coverage.json
      -
        name: Shutdown containers
        run: docker compose -p complete-app down && docker compose -p complete-app rm
      -
        name: Upload coverage report
        uses: actions/upload-artifact@v4
        with:
          name: coverage-report
          path: coverage/coverage.json

  accessibility:
    name: Accessibility
    runs-on: ubuntu-latest
    needs: build
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: complete-app-ci
          path: /tmp
      -
        name: Load image
        run: |
          docker load --input /tmp/base.tar
          docker image ls -a
      -
        name: Run RSpec Accessibility checks
        run: |
          docker compose -p complete-app -f docker-compose.checks.yml \
          run -e NO_COVERAGE=true --rm test /bin/bash -c "bin/rails javascript:build && bin/rspec --tag accessibility"
      -
        name: Shutdown containers
        run: docker compose -p complete-app down && docker compose -p complete-app rm

  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    needs: specs
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        uses: actions/download-artifact@v4
        with:
          name: coverage-report
          path: ./coverage
      -
        name: Update coverage report paths
        run: sed -i "s|/srv/app|/github/workspace|g" ./coverage/coverage.json
      -
        name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  docker:
    name: Docker
    runs-on: ubuntu-latest
    needs: build
    steps:
      -
        name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: complete-app-ci
          path: /tmp
      -
        name: Scan Docker image for CVEs
        uses: aquasecurity/trivy-action@0.29.0
        with:
          input: /tmp/base.tar
          format: 'sarif'
          output: 'trivy-results.sarif'
          limit-severities-for-sarif: true
          scanners: vuln
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          github-pat: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Upload scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'