.github/workflows/analysis.yml

name: Analysis

on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - ready_for_review
  push:
    branches:
      - main
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  codeql:
    name: CodeQL
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v2
        with:
          languages: javascript

      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  # https://github.com/marketplace/actions/aqua-security-trivy
  trivy:
    name: Security Scan
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.12.0
        with:
          format: "sarif"
          output: "trivy-results.sarif"
          ignore-unfixed: true
          scan-type: "fs"
          scanners: "vuln,secret,config"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"

  tests:
    name: Unit Tests
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        #dir: [backend/vehicles, frontend]
        dir: [backend/vehicles, backend/dops, frontend]
        include:
          - dir: backend/vehicles
            sonar_projectKey: bcgov_onroutebc_backend
            token: SONAR_TOKEN_BACKEND
          - dir: backend/dops
            sonar_projectKey: bcgov_onroutebc_backend
            token: SONAR_TOKEN_BACKEND
          - dir: frontend
            sonar_projectKey: bcgov_onroutebc_frontend
            token: SONAR_TOKEN_FRONTEND
    steps:
      - uses: bcgov-nr/action-test-and-analyse@v0.0.1
        with:
          commands: |
            npm ci
            npm run test:cov
          dir: ${{ matrix.dir }}
          sonar_args: >
            -Dsonar.exclusions=**/coverage/**,**/node_modules/**
            -Dsonar.organization=bcgov-sonarcloud
            -Dsonar.project.monorepo.enabled=true
            -Dsonar.projectKey=${{ matrix.sonar_projectKey }}
          sonar_project_token: ${{ secrets[matrix.token] }}