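# CI workflow: license compliance (FOSSA), static analysis (gosec, uploaded as
# SARIF) and unit tests with coverage upload (Codecov).
# Runs on pushes to main and on pull requests that target main.
name: Coverage

on:
  push:
    branches:
      - "main"
  pull_request:
    types: [opened, reopened, synchronize]
    branches:
      - "main"

# Least privilege: any job that does not declare its own permissions gets a
# read-only GITHUB_TOKEN instead of the repository default.
permissions:
  contents: read

# One active run per workflow and ref; a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  compliance:
    name: "License Compliance"
    runs-on: ubuntu-24.04
    steps:
      - name: "Checkout Code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # No later step in this job needs authenticated git, so do not
          # leave the token in the checked-out .git/config.
          persist-credentials: false
      # Local action from this repository (implementation not shown here).
      # The FOSSA steps run only when its `result` output is 'true';
      # presumably that means the secret is set -- confirm against the action.
      # NOTE(review): on pull_request runs this action is loaded from the
      # checked-out ref and receives the secret as an input.
      - name: Check secret
        id: checksecret
        uses: ./.github/actions/exists
        with:
          value: ${{ secrets.FOSSA_API_KEY }}
      - name: "Run FOSSA Scan"
        if: steps.checksecret.outputs.result == 'true'
        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac  # v1.7.0
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}
      - name: "Run FOSSA Test"
        if: steps.checksecret.outputs.result == 'true'
        uses: fossas/fossa-action@3ebcea1862c6ffbd5cf1b4d0bd6b3fe7bd6f2cac  # v1.7.0
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}
          run-tests: true

  sast:
    name: "SAST"
    runs-on: ubuntu-24.04
    env:
      # Quoted so YAML 1.1 parsers and linters cannot read it as a boolean.
      GO111MODULE: "on"
    # Job-level permissions replace the workflow default for this job;
    # security-events: write is what the SARIF upload step needs.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout Source
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # The scanner reads the whole workspace; keep the token out of it.
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
        with:
          go-version-file: 'go.mod'
      # -no-fail keeps this step green even when gosec reports findings, so
      # findings never block a merge from this job; they are only visible
      # through the SARIF upload below.
      - name: Run Gosec Security Scanner
        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f  # v2.22.11
        with:
          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
      # NOTE(review): unlike every other action in this file, this pin has no
      # release-tag comment; add one so the pinned commit can be audited.
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@8aac4e47ac8ace7d9e0e0b4ef7407aff0ceb5e87
        with:
          sarif_file: gosec.sarif

  unit_tests:
    name: "Unit tests"
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
        with:
          # `make test` runs code from the checked-out ref; do not leave the
          # token in .git/config where that code could read it.
          # NOTE(review): confirm `make test` needs no authenticated git.
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5  # v6.2.0
        with:
          go-version-file: 'go.mod'
      - name: Unit Test
        run: make test
      # Same local gate as in the compliance job, here for the Codecov token.
      - name: Check secret
        id: checksecret
        uses: ./.github/actions/exists
        with:
          value: ${{ secrets.CODECOV_TOKEN }}
      # Presumably ./coverage.out is written by `make test` -- confirm.
      # With fail_ci_if_error set, a failed upload fails the job.
      - name: Upload Report to Codecov
        if: steps.checksecret.outputs.result == 'true'
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de  # v5.5.2
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: projectcapsule/capsule
          files: ./coverage.out
          fail_ci_if_error: true
          verbose: true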