.github/workflows/node.yaml

name: Node CI

on:
  push:
    branches:
      - "**"
    tags:
      - "v**"
  pull_request:
  workflow_dispatch:

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    continue-on-error: true
    timeout-minutes: 15

    strategy:
      fail-fast: false
      matrix:
        package-name:
          - "@sofie-prompter-editor/shared-model"
          - "@sofie-prompter-editor/shared-lib"
          - "@sofie-prompter-editor/apps-backend"
          - "@sofie-prompter-editor/apps-client"

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: corepack enable
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: ".node-version"
          cache: "yarn"
      - name: Prepare Environment
        run: |
          yarn install
          yarn lerna run --scope ${{ matrix.package-name }} --include-dependencies --stream build
        env:
          CI: true
      - name: Run typecheck and linter
        run: |
          yarn lerna run --scope ${{ matrix.package-name }} --stream lint
        env:
          CI: true

  test:
    name: Test
    runs-on: ubuntu-latest
    timeout-minutes: 15

    strategy:
      fail-fast: false
      matrix:
        package-name:
          - "@sofie-prompter-editor/shared-model"
          - "@sofie-prompter-editor/shared-lib"
          - "@sofie-prompter-editor/apps-backend"
          - "@sofie-prompter-editor/apps-client"

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: corepack enable
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: ".node-version"
          cache: "yarn"
      - name: Prepare Environment
        run: |
          yarn install
          yarn lerna run --scope ${{ matrix.package-name }} --include-dependencies --stream build
        env:
          CI: true
      - name: Run tests
        run: |
          yarn lerna run --scope ${{ matrix.package-name }} --stream test
        env:
          CI: true

  build-docker-image:
    name: Build docker image
    runs-on: ubuntu-latest
    timeout-minutes: 30

    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Determine if images should be published to DockerHub
        id: dockerhub
        run: |
          # HACK: Never publish to dockerhub for now
          # check if a release branch, or main, or a tag
          # if [[ "${{ github.ref }}" =~ ^refs/heads/release([0-9]+)$ || "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" == "refs/tags/*" ]]
          # then
          #   DOCKERHUB_PUBLISH="1"
          # else
            DOCKERHUB_PUBLISH="0"
          # fi
          # debug output
          echo "dockerhub-publish $DOCKERHUB_PUBLISH"
          echo "dockerhub-publish=$DOCKERHUB_PUBLISH" >> $GITHUB_OUTPUT
      - name: Check if push to GHCR is enabled
        id: check-ghcr
        env:
          GHCR_ENABLED: ${{ vars.GHCR_ENABLED }}
        run: |
          echo "Enable push to GHCR: ${{ env.GHCR_ENABLED != '' }}"
          echo "enable=${{ env.GHCR_ENABLED != '' }}" >> $GITHUB_OUTPUT
      - name: Check if there is access to repo secrets (needed for build and push)
        if: steps.dockerhub.outputs.dockerhub-publish == '1' || steps.check-ghcr.outputs.enable == 'true'
        id: check-build-and-push
        env:
          SECRET_ACCESS: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}"
          echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT
      - name: Get the Docker tag for GHCR
        id: ghcr-tag
        if: steps.check-ghcr.outputs.enable == 'true'
        uses: docker/metadata-action@v5
        with:
          images: |
            ghcr.io/${{ github.repository }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=tag
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Get the Docker tag for DockerHub
        id: dockerhub-tag
        if: steps.check-build-and-push.outputs.enable == 'true'
        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ secrets.DOCKERHUB_IMAGE_PREFIX }}
          tags: |
            type=schedule
            type=ref,event=branch
            type=ref,event=tag
            type=raw,value=latest,enable={{is_default_branch}}
      - name: Use Node.js
        uses: actions/setup-node@v4
        if: steps.check-build-and-push.outputs.enable == 'true' 
        with:
          node-version-file: ".node-version"
      - name: Set up Docker Buildx
        if: steps.check-build-and-push.outputs.enable == 'true' 
        uses: docker/setup-buildx-action@v3
      - name: Login to DockerHub
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to GitHub Container Registry
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push to GHCR
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
        uses: docker/build-push-action@v5
        with:
          push: true
          provenance: false
          labels: ${{ steps.ghcr-tag.outputs.labels }}
          tags: "${{ steps.ghcr-tag.outputs.tags }}"
      - name: Build and push to DockerHub
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
        uses: docker/build-push-action@v5
        with:
          push: true
          provenance: false
          labels: ${{ steps.dockerhub-tag.outputs.labels }}
          tags: "${{ steps.dockerhub-tag.outputs.tags }}"
      - name: Get image for Trivy scanning
        id: trivy-image
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
        run: |
          image=$(echo ${{ steps.ghcr-tag.outputs.tags }} | head -n 1)
          echo "image=$image" >> $GITHUB_OUTPUT
      - name: Trivy scanning
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
        uses: aquasecurity/trivy-action@0.17.0
        with:
          image-ref: "${{ steps.trivy-image.outputs.image }}"
          format: "table"
          output: trivy-scan-result.txt
          ignore-unfixed: true
          severity: "CRITICAL,HIGH"
      - name: Post all Trivy scan results to Github Summary as a table
        if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
        env:
          CODE_BLOCK: "```"
        run: |
          echo "# Trivy scan results" >> $GITHUB_STEP_SUMMARY

          echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY
          cat trivy-scan-result.txt >> $GITHUB_STEP_SUMMARY
          echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY