.github/workflows/unit-tests.yml

name: Unit Tests and Analysis

on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - ready_for_review
  push:
    branches:
      - main
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  tests-java:
    name : Quarkus API Unit Tests
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: backend-java
    services:
      postgres:
        image: postgres
        env:
          POSTGRES_DB: postgres
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    strategy:
      matrix:
        distribution: [ "temurin" ]
        java-version: [ "17" ]
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-java@v3
        with:
          distribution: ${{ matrix.distribution }}
          java-version: ${{ matrix.java-version }}
      - name: Cache local Maven repository
        uses: actions/cache@v3
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Run unit tests
        run: mvn -f pom.xml clean package

  tests-python:
    name : Python API Unit Tests
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    defaults:
      run:
        working-directory: backend-python
    services:
      postgres:
        image: postgres
        env:
          POSTGRES_DB: postgres
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    strategy:
      matrix:
        python-version: [ "3.11" ]

    steps:
      - uses: actions/checkout@v3

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}

      - name: cache poetry install
        uses: actions/cache@v3
        with:
          path: ~/.local
          key: poetry-${{ hashFiles('**/pyproject.toml') }}

      - uses: snok/install-poetry@v1.3.3
        with:
          version: 1.2.2
          virtualenvs-create: true
          virtualenvs-in-project: true
          installer-parallel: true

      - name: cache deps
        id: cache-deps
        uses: actions/cache@v3
        with:
          path: .venv
          key: pydeps-${{ hashFiles('**/poetry.lock') }}

      - run: poetry install --no-interaction --no-root
        if: steps.cache-deps.outputs.cache-hit != 'true'

      - name: Test with pytest
        run: |
          poetry run pytest

  tests:
    name: Unit Tests
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    services:
      postgres:
        image: postgres
        env:
          POSTGRES_DB: postgres
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432
    strategy:
      matrix:
        dir: [backend, frontend]
        include:
          - dir: backend
            sonar_projectKey: bcgov_quickstart-openshift_backend
            token: SONAR_TOKEN_BACKEND
          - dir: frontend
            sonar_projectKey: bcgov_quickstart-openshift_frontend
            token: SONAR_TOKEN_FRONTEND
    steps:
      - uses: bcgov-nr/action-test-and-analyse@v0.0.1
        with:
          commands: |
            npm ci
            npm run test:cov
          dir: ${{ matrix.dir }}
          node_version: "20"
          sonar_args: >
            -Dsonar.exclusions=**/coverage/**,**/node_modules/**,**/*spec.ts
            -Dsonar.organization=bcgov-sonarcloud
            -Dsonar.project.monorepo.enabled=true
            -Dsonar.projectKey=${{ matrix.sonar_projectKey }}
            -Dsonar.sources=src
            -Dsonar.tests.inclusions=**/*spec.ts
            -Dsonar.javascript.lcov.reportPaths=./coverage/lcov.info
          sonar_project_token: ${{ secrets[matrix.token] }}

  # https://github.com/marketplace/actions/aqua-security-trivy
  trivy:
    name: Trivy Security Scan
    if: github.event_name != 'pull_request' || !github.event.pull_request.draft
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v3

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.10.0
        with:
          format: "sarif"
          output: "trivy-results.sarif"
          ignore-unfixed: true
          scan-type: "fs"
          scanners: "vuln,secret,config"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"