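---
# Gitea Actions workflow: resolves the project's Python dependency set, scans
# it and the checked-out tree with Trivy, then builds and pushes the container
# image and scans the image that was just published.
#
# NOTE(review): as written the scans are advisory only. Every scan step has
# `continue-on-error: true`, so `security-scan` succeeds whatever Trivy finds,
# and `build-and-push` runs (and pushes) even if that job fails outright. To
# make the scan a gate, drop `continue-on-error` on the scan steps and the
# job-level `if:` on `build-and-push`, so `needs: security-scan` blocks the
# push on findings.
name: CVE Scan & Docker Build

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  REGISTRY: git.helu.ca
  IMAGE_NAME: ${{ gitea.repository }}

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Supply-chain caveat: this downloads the installer from the upstream
      # repo's `main` branch and runs it as root on every run, so any change
      # to that script (legitimate or not) executes here unreviewed. Pin the
      # installer (and the Trivy release it fetches) to a tagged version and
      # verify the binary's checksum.
      - name: Install Trivy
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sudo sh -s -- -b /usr/local/bin
          trivy --version

      # Produce a fully pinned requirements.txt for Trivy to scan. pip-compile
      # resolves from pyproject.toml without installing the project; if that
      # fails, fall back to installing the project into a *separate* venv and
      # freezing it. The separate venv matters: freezing /tmp/scanenv would
      # also list pip-tools and its own dependencies, so any CVE in those
      # tools would be reported against a project that does not ship them.
      - name: Install pip-tools and resolve dependencies
        run: |
          python3 -m venv /tmp/scanenv
          /tmp/scanenv/bin/pip install --quiet pip-tools
          /tmp/scanenv/bin/pip-compile pyproject.toml \
            -o requirements.txt \
            --no-header --quiet --allow-unsafe --strip-extras \
            --resolver=backtracking || {
            echo "pip-compile failed; falling back to pip install + pip freeze" >&2
            python3 -m venv /tmp/freezeenv \
              && /tmp/freezeenv/bin/pip install --quiet . \
              && /tmp/freezeenv/bin/pip freeze > requirements.txt
          }
          cat requirements.txt

      # `--exit-code 1` makes findings visible as a failed step. Without it
      # Trivy exits 0 even when it reports HIGH/CRITICAL issues, so the
      # `continue-on-error` below only ever masked tool errors (e.g. a failed
      # vulnerability DB download) and the job status never reflected results.
      - name: Scan Python dependencies for CVEs
        continue-on-error: true
        run: |
          trivy fs --scanners vuln --severity HIGH,CRITICAL \
            --exit-code 1 --format table requirements.txt

      # Scans the checked-out working tree only (checkout@v4 defaults to a
      # shallow clone and Trivy's fs scanner reads files, not history): a
      # secret committed and later removed is not detected here.
      - name: Scan repository for secrets
        continue-on-error: true
        run: |
          trivy fs --scanners secret --severity HIGH,CRITICAL \
            --exit-code 1 --format table .

  build-and-push:
    runs-on: ubuntu-latest
    needs: security-scan
    # `!cancelled()` instead of `always()`: the image is still built and
    # pushed when the scan job fails (existing advisory behaviour), but not
    # when the workflow run was cancelled, which `always()` would do.
    # Remove this `if:` entirely to make `security-scan` a hard gate.
    if: ${{ !cancelled() }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # PACKAGE_TOKEN is exposed to every run of this job, including
      # pull_request runs; keep it scoped to package write on this repo only.
      - name: Log in to Gitea Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.PACKAGE_TOKEN }}

      # `latest` is only attached on pushes to main; branch and PR refs get
      # their own tags and every build also gets a bare commit-SHA tag.
      - name: Extract metadata for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,prefix=
            type=raw,value=latest,enable=${{ gitea.ref == 'refs/heads/main' }}

      # NOTE(review): `push: true` also applies to pull_request runs, so an
      # image built from a not-yet-reviewed PR's Dockerfile is published to
      # the registry under a pr-N tag. Consider
      # `push: ${{ gitea.event_name != 'pull_request' }}` together with
      # `load: true`, so the scan step below still finds the image locally.
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # This runs after the push, so a finding here does not keep the tagged
      # image (including `latest` on main) out of the registry; scanning a
      # `load: true` build before a separate push step would. The tag list is
      # passed through an env var rather than interpolated into the script so
      # the shell never parses expression output. Same unpinned installer
      # caveat as in the security-scan job.
      - name: Scan built Docker image
        continue-on-error: true
        env:
          IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sudo sh -s -- -b /usr/local/bin
          IMAGE_TAG="$(printf '%s\n' "$IMAGE_TAGS" | head -n1)"
          echo "Scanning image: ${IMAGE_TAG}"
          trivy image --severity HIGH,CRITICAL --exit-code 1 --format table "${IMAGE_TAG}"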