.github/workflows/nodejs.condo.ci.yml

name: Condo CI

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:

env:
  DOCKER_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:${{ github.sha }}
  PG_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/doma/utils/postgres:13.2
  REDIS_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/doma/utils/redis:6.2

jobs:
  build-image:
    name: Build Docker Image
    runs-on: test-pool-runners
    outputs:
      DOCKER_IMAGE_FULL: ${{ env.DOCKER_IMAGE_FULL }}
    steps:
      - name: Prepare runner
        run: |
          sudo apt update && sudo apt install -y git
      - name: Set registry variables
        run: |
          echo "DOCKER_CACHE_FROM=type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:$( echo "${{github.ref_name}}" | sed 's/[^a-zA-Z0-9]/-/g' ) >> $GITHUB_ENV"
          echo "DOCKER_CACHE_TO=type=registry,ref=${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:$( echo "${{github.ref_name}}" | sed 's/[^a-zA-Z0-9]/-/g' ),mode=min,image-manifest=true" >> $GITHUB_ENV
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          submodules: recursive
          ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }}
      - name: Prune repo to filter out yarn.lock and package.json
        run: |
          bash bin/prune.sh
      - name: Setup context for Docker BuildX
        id: buildx-context
        run: |
          docker context create builders
      - name: Setup Docker BuildX
        id: buildx
        uses: docker/setup-buildx-action@v3
        with:
          endpoint: builders
          driver-opts: env.BUILDKIT_STEP_LOG_MAX_SIZE=10485760
      - name: Login to cloud registry
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.DOCKER_REGISTRY }}
          username: ${{ secrets.SBERCLOUD_CR_USERNAME }}
          password: ${{ secrets.SBERCLOUD_CR_PASSWORD }}
      - name: Build repo image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          push: true
          tags: ${{ env.DOCKER_IMAGE_FULL }}
          build-args: |
            REGISTRY=${{ secrets.DOCKER_REGISTRY }}/doma/utils
            TURBO_TEAM=condo-ci
            TURBO_REMOTE_ONLY=true
            TURBO_TOKEN=${{ secrets.TURBO_TOKEN }}
            TURBO_API=${{ secrets.TURBO_API }}
          provenance: false
          cache-from: ${{ env.DOCKER_CACHE_FROM }}
          cache-to: ${{ env.DOCKER_CACHE_TO }}
      - name: Collect docker logs on failure
        if: failure()
        uses: jwalton/gh-docker-logs@v1
        with:
          dest: './docker-logs'
      - name: Upload log artifact
        uses: actions/upload-artifact@v3
        if: failure()
        with:
          name: logs
          path: |
            *.log
            ./docker-logs
          retention-days: 2

  # SRC: https://how.wtf/run-workflow-step-or-job-based-on-file-changes-github-actions.html
  detect-changes:
    name: Define job list based on changed files
    runs-on: ubuntu-latest
    outputs:
      dev-api: ${{ steps.detect-changes.outputs.dev-api }}
    steps:
      - name: Checkout code with submodules
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          submodules: recursive
          ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }}
      - name: Scan changed files
        uses: dorny/paths-filter@v2
        id: detect-changes
        with:
          filters: |
            dev-api:
              - 'apps/dev-api/**'
              - 'apps/condo/domains/miniapp/**'
              - 'apps/condo/domains/user/**'


  lint:
    name: Lint source code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code with submodules
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          submodules: recursive
          ssh-key: ${{ secrets.SSH_DOCK_SERVER_PRIVATE_KEY }}
      - name: Prepare Node environment
        uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'yarn'
      - name: Install root dependencies
        run: |
          yarn workspaces focus root
      - name: Check code-style rules
        run: |
          yarn lint:code
        # TODO(DOMA-7753): Think about migrating this check to Typescript, like in dev-portal and documents.
        # Reason: TS check is no cost + you can fix it before you commit it + lint out the box in build-time + have keys autocompletion!!
      - name: Check translations rules
        run: |
          yarn lint:translations
      - name: Check common file patterns
        run: |
          bash ./bin/lint-common-patterns.sh
        # TODO(DOMA-7754): Figure out how to extract schema without starting KS-app (30sec for start per app is slow) and lint all apps

  security:
    name: Semgrep vulnerabilities check
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep
    # Skip any PR created by dependabot to avoid permission issues
    if: (github.actor != 'dependabot[bot]')
    steps:
      # Fetch project source with GitHub Actions Checkout.
      - uses: actions/checkout@v3
      - run: ./bin/run-semgrep.sh -a

  run-dev-api-tests:
    name: DEV-API Tests
    runs-on: ubuntu-latest
    needs:
      - detect-changes
      - build-image
    if: ${{ needs.detect-changes.outputs.dev-api == 'true' }}
    steps:
      - name: Login to cloud registry
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.DOCKER_REGISTRY }}
          username: ${{ secrets.SBERCLOUD_CR_USERNAME }}
          password: ${{ secrets.SBERCLOUD_CR_PASSWORD }}
      - name: Setup PG db
        run: |
          docker run -e POSTGRES_USER=$POSTGRES_USER -e POSTGRES_PASSWORD=$POSTGRES_PASSWORD -e POSTGRES_DB=$POSTGRES_DB -p="127.0.0.1:5432:5432" -d ${{ env.PG_IMAGE_FULL }}
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: main
      - name: Setup Redis db
        run: |
          docker run -p="127.0.0.1:6379:6379" -d ${{ env.REDIS_IMAGE_FULL }}
      - name: Run condo container with daemon
        run: |
          docker run --network="host" --name condo-container -dit ${{ env.DOCKER_IMAGE_FULL }} sh
      - name: Prepare apps
        run: |
          docker exec condo-container node bin/prepare.js -f condo dev-api
      - name: Run apps and tests
        run: |
          docker exec condo-container sh -c "(\
          yarn workspace @app/condo start & \
          yarn workspace @app/dev-api start & \
          node bin/wait-apps-apis.js -f condo dev-api) && \
          yarn workspace @app/dev-api test"