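---
# CI workflow: a build/lint/test job plus a separate security job that runs
# secret scanning, RustSec advisories, cargo-deny policy and a Trivy fs scan,
# uploading SARIF to the GitHub Security tab.
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least-privilege default for GITHUB_TOKEN in every job; the security job
# widens this to security-events: write for SARIF upload only.
permissions:
  contents: read

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Cache cargo
        uses: Swatinem/rust-cache@v2
      - name: Check formatting
        run: cargo fmt --check
      - name: Clippy
        run: cargo clippy --package nora-registry -- -D warnings
      - name: Run tests
        run: cargo test --package nora-registry

  security:
    name: Security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # for uploading SARIF to GitHub Security tab
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history required for gitleaks
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Cache cargo
        uses: Swatinem/rust-cache@v2

      # ── Secrets ────────────────────────────────────────────────────────────
      # NOTE(review): the gitleaks tarball is downloaded over TLS but its
      # checksum is not verified; compare it against the release's published
      # checksum before trusting the binary.
      # `curl -f` makes an HTTP error fail the download instead of piping an
      # error page into tar. The former `|| true` is dropped so the step's
      # outcome reflects findings; continue-on-error still keeps the job green.
      - name: Gitleaks — scan for hardcoded secrets
        run: |
          curl -fsSL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
            | tar xz -C /usr/local/bin gitleaks
          gitleaks detect --source . --exit-code 1 --report-format sarif --report-path gitleaks.sarif
        continue-on-error: true  # findings are reported, do not block the pipeline
      # Without this upload the gitleaks SARIF never reached the Security tab.
      # hashFiles guards against a missing report (e.g. failed download).
      - name: Upload Gitleaks results to GitHub Security tab
        if: always() && hashFiles('gitleaks.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: gitleaks.sarif
          category: gitleaks

      # ── CVE in Rust dependencies ────────────────────────────────────────────
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: cargo audit — RustSec advisory database
        run: cargo audit
        continue-on-error: true  # warn only; known CVEs should not block CI until triaged

      # ── Licenses, banned crates, supply chain policy ────────────────────────
      - name: cargo deny — licenses and banned crates
        uses: EmbarkStudios/cargo-deny-action@v2
        with:
          command: check
          arguments: --all-features

      # ── CVE scan of source tree and Cargo.lock ──────────────────────────────
      # NOTE(review): @master is a mutable ref; pin this action to a release
      # tag or commit SHA so the scanner cannot change underneath the pipeline.
      - name: Trivy — filesystem scan (Cargo.lock + source)
        if: always()
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: sarif
          output: trivy-fs.sarif
          severity: HIGH,CRITICAL
          exit-code: 0  # warn only; change to 1 to block the pipeline
      - name: Upload Trivy fs results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: trivy-fs.sarif
          category: trivy-fs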