.github/workflows/nodejs.yml

name: Build

on: [push]

jobs:

  # -- TESTS ------------------------------------------------------------------
  tests:
    name: Tests
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node: ['16']

    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Setup Node.js ${{ matrix.node }}
        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: ${{ matrix.node }}
          check-latest: true

      - name: Install dependencies
        run: npm install

      - name: Run unit-tests + Code Coverage
        run: npm run test:coverage

      - name: Save Code Coverage
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: code-coverage
          path: coverage

  # -- SONARCLOUD -------------------------------------------------------------
  code-quality:
    name: Code Quality
    runs-on: ubuntu-latest
    needs: tests

    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Download Code Coverage
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: code-coverage
          path: coverage

      - name: Get App Version
        run: ./scripts/version.sh

      - name: SonarCloud Scan
        uses: sonarsource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  # -- SAST SCAN --------------------------------------------------------------
  code-security:
    name: Code Security
    runs-on: ubuntu-latest
    needs: tests
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')

    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Perform Scan
        uses: ShiftLeftSecurity/scan-action@master

        env:
          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SCAN_ANNOTATE_PR: true

      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
        with:
          name: reports
          path: reports

  # -- RELEASE ----------------------------------------------------------------
  pre-release:
    name: Prepare Release
    runs-on: ubuntu-latest
    needs:
      - code-quality
      - code-security
    if: github.ref == 'refs/heads/master'

    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Semantic Release
        uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # -- BUILD ------------------------------------------------------------------
  build:
    name: Build & Release
    runs-on: ubuntu-latest
    needs: pre-release

    strategy:
      matrix:
        node: ['16']

    steps:
      - name: Harden GitHub Actions Runner
        uses: step-security/harden-runner@0d381219ddf674d61a7572ddd19d7941e271515c
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Setup Node.js ${{ matrix.node }}
        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          node-version: ${{ matrix.node }}
          check-latest: true

      - name: Install dependencies
        run: npm install