.github/workflows/main.yml

name: Test Gradle project

on: [push, pull_request]

jobs:
  scan:
  name: Gitleaks scan
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: gitleaks/gitleaks-action@v2
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  lint-gradle-project:
    runs-on: ubuntu-latest
    name: Lint
    steps:
    - name: Checkout project source
      uses: actions/checkout@v4

    - name: Set Java
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'

    - name: Set up Gradle
      uses: gradle/actions/setup-gradle@v3

    - name: Run lint
      run: ./gradlew lint

  build-and-tests-api:
    runs-on: ubuntu-latest
    name: Build and test
    needs: lint-gradle-project
    steps:
    - name: Checkout project source
      uses: actions/checkout@v4

    - name: Set Java
      uses: actions/setup-java@v4
      with:
        java-version: 17
        distribution: 'adopt'

    - name: Set up Gradle
      uses: gradle/actions/setup-gradle@v3

    - name: Run build without tests
      run: ./gradlew assemble

    - name: Grant execute permission
      run: chmod +x gradlew

    - name: Run tests
      run: ./gradlew test -Dspring.profiles.active=test

  build-docker:
    runs-on: ubuntu-latest
    name: Build Docker image and scan for vulnerabilities
    steps:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ vars.DOCKER_USER }}
          password: ${{ secrets.DOCKER_SECRET }}

      - name: Build
        uses: docker/build-push-action@v5
        with:
          push: flase
          tags: ${{ vars.DOCKER_IMAGE_NAME }}:latest
      
      - name: Download Trivy
        run: curl https://raw.githubusercontent.com/aquasecurity/trivy/7735ec432a83d5446d13a593ab3b27dd02649ca1/contrib/markdown.tpl -o markdown.tpl

      - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.20.0
      with:
        image-ref: ${{ vars.DOCKER_IMAGE_NAME }}:latest
        format: 'template'
        template: '@markdown.tpl'
        output: trivy.md
        exit-code: '1'
        ignore-unfixed: true
        vuln-type: 'os,library'
        severity: 'CRITICAL,HIGH'

    - run: cat trivy.md >> $GITHUB_STEP_SUMMARY
      if: always()