name: Code Review - TypeScript

on:
  pull_request: 
    branches: ['main', 'dev']
    paths: ['ts/**', 'yarn.lock']
  push:
    paths: ['ts/**', 'yarn.lock']

jobs:
  format:
    name: Format
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v3

    - name: Setup Node
      uses: actions/setup-node@v3
      with:
        node-version: '16'
        cache: 'yarn'

    - name: Install dependencies
      run: yarn install --frozen-lockfile

    - name: Format
      run: yarn format

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v3

    - name: Setup Node
      uses: actions/setup-node@v3
      with:
        node-version: '16'
        cache: 'yarn'

    - name: Install dependencies
      run: yarn install --frozen-lockfile

    - name: Lint
      run: yarn lint

  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v3

    - name: Setup Node
      uses: actions/setup-node@v3
      with:
        node-version: '16'
        cache: 'yarn'

    - name: Install dependencies
      run: yarn install --frozen-lockfile

    - name: Run Test
      run: yarn test

  sast:
    name: Security Scan
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep

    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Run semgrep
        run: semgrep ci --sarif --output=semgrep-results.sarif
        env:
           SEMGREP_RULES: p/typescript
      
      - name: Upload output
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: semgrep-results.sarif
  
  sca:
    name: Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # Report all vulnerabilities in security tab
      - name: Report on all vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: 'yarn.lock'
          ignore-unfixed: true
          hide-progress: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          
      # Fail the job on critical vulnerabiliies with fix available
      - name: Fail on critical vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: 'yarn.lock'
          ignore-unfixed: true
          hide-progress: true
          format: 'table'
          severity: 'CRITICAL'
          exit-code: '1'

      - name: Upload output
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
  
  yarn-pass:
      name: Yarn tests pass
      needs: ['format', 'lint', 'test']
      runs-on: ubuntu-latest
      steps:
        - run: echo ok

  security-pass:
      name: Security tests pass
      needs: ['sca', 'sast']
      runs-on: ubuntu-latest
      steps:
        - run: echo ok

  all-pass:
      name: All tests pass 🚀
      needs: ['yarn-pass', 'security-pass']
      runs-on: ubuntu-latest
      steps:
        - run: echo ok