.github/workflows/analysis.yml

name: Analysis

on:
  pull_request:
    types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
  push:
    branches: [main]
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  tests:
    name: Tests
    if: ${{ ! github.event.pull_request.draft }}
    runs-on: ubuntu-22.04
    steps:
      - uses: bcgov-nr/action-test-and-analyse-java@v1.0.0
        with:
          commands: |
            mvn -B verify -P all-tests checkstyle:checkstyle -Dcheckstyle.skip=false
          dir: .
          java-cache: maven
          java-distribution: temurin
          java-version: "17"
          sonar_args: >
            -Dsonar.organization=bcgov-sonarcloud
            -Dsonar.projectKey=bcgov_forest-client-api
          sonar_token: ${{ secrets.SONAR_TOKEN }}

      - name: Archive CycloneDX
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: cyclone
          path: target/bom.json
          retention-days: 5

      - name: Use Checkstyle report
        continue-on-error: true
        uses: jwgmeligmeyling/checkstyle-github-action@master
        with:
          path: "**/checkstyle-result.xml"

      - name: Publish Test Report
        uses: mikepenz/action-junit-report@v4
        continue-on-error: true
        if: success() || failure() # always run even if the previous step fails
        with:
          report_paths: "target/**/TEST-*.xml"
          commit: ${{ github.event.pull_request.head.sha }}
          summary: Pull Request Tests
          detailed_summary: true
          job_name: Tests

      - name: Add coverage to PR
        id: jacoco
        continue-on-error: true
        uses: madrapps/jacoco-report@v1.6
        with:
          paths: target/coverage-reports/merged-test-report/jacoco.xml
          token: ${{ secrets.GITHUB_TOKEN }}
          min-coverage-overall: 75
          min-coverage-changed-files: 75

  # https://github.com/marketplace/actions/aqua-security-trivy
  trivy:
    name: Trivy Security Scan
    if: ${{ ! github.event.pull_request.draft }}
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.16.1
        with:
          format: "sarif"
          ignore-unfixed: true
          output: "trivy-results.sarif"
          scan-type: "fs"
          scanners: "vuln,secret,config"
          severity: "CRITICAL,HIGH"

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  codeql:
    name: CodeQL
    runs-on: ubuntu-22.04
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: "temurin"
          java-version: "17"
          cache: "maven"
      - uses: github/codeql-action/init@v3
      - run: ./mvnw clean package
      - uses: github/codeql-action/analyze@v3