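---
# CI workflow: Go backend build/test + static analysis, Node frontend
# lint/type-check/build, and a repo-wide secret scan with gitleaks.
name: CI

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader treats it as the
# trigger map, so a yamllint `truthy` warning on this line is expected.
on:
  push:
    branches: [master, main, develop]
  pull_request:
    branches: [master, main, develop]

# Cancel in-flight runs on the same ref to save CI minutes.
concurrency:
  group: ci-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Least-privilege default for the workflow's GITHUB_TOKEN. Every job here
# only needs to read the repository; a job that needs more opts in with a
# job-level `permissions:` block (see the gitleaks job).
permissions:
  contents: read

env:
  # Quoted so '1.23.4' / '20' stay strings and are not re-typed as floats/ints.
  GO_VERSION: '1.23.4'
  NODE_VERSION: '20'

jobs:
  test-backend:
    name: Backend (go 1.23.x)
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are pinned to a major tag (@v4/@v5);
      # pinning to a full commit SHA is the stronger supply-chain control.
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: backend/go.sum
      - name: go vet
        working-directory: backend
        run: go vet ./...
      - name: go build
        working-directory: backend
        run: go build ./...
      - name: go test
        working-directory: backend
        run: go test ./...

  scan-backend:
    name: Backend security scanners
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
          cache-dependency-path: backend/go.sum
      # staticcheck is pinned to an exact release for reproducible results.
      - name: Install staticcheck
        run: go install honnef.co/go/tools/cmd/staticcheck@v0.5.1
      # NOTE(review): `@latest` is unpinned, so this job resolves a different
      # binary over time and a compromised or broken release lands here
      # unreviewed. Pin to a release tag (e.g. @vX.Y.Z from the govulncheck
      # release list) and bump it deliberately, as is done for staticcheck.
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: staticcheck
        working-directory: backend
        run: staticcheck ./...
      # govulncheck reports only vulnerabilities in code paths the module
      # actually reaches; it still needs a current vuln database, which it
      # fetches at run time.
      - name: govulncheck
        working-directory: backend
        run: govulncheck ./...

  test-frontend:
    name: Frontend (node 20)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json
      # `npm ci` installs exactly what package-lock.json records and fails on
      # lockfile drift, unlike `npm install`.
      - name: Install dependencies
        working-directory: frontend
        run: npm ci
      - name: Lint (eslint)
        working-directory: frontend
        run: npm run lint
      - name: Type-check (tsc)
        working-directory: frontend
        run: npm run type-check
      - name: Build
        working-directory: frontend
        run: npm run build

  gitleaks:
    name: gitleaks (secret scan)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): gitleaks-action uses GITHUB_TOKEN to post findings as
      # PR comments, which needs write access to pull requests under the
      # read-only workflow default above. Confirm against the action's docs
      # and drop this scope if PR comments are disabled.
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so we can also scan past commits, not just the tip.
          # On pull requests this means re-introduced leaks are caught even
          # if they predate the PR.
          fetch-depth: 0
      - name: Run gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Repo-local config lives at .gitleaks.toml.
          GITLEAKS_CONFIG: .gitleaks.toml
          # Write the findings table to the job summary page. Quoted so the
          # action receives the string 'true', not a YAML boolean.
          GITLEAKS_ENABLE_SUMMARY: 'true'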