name: 🚦 Security & Quality Gate

on:
  pull_request_target:
    types: [opened, edited, synchronize, reopened]
    branches: [develop, master]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  validate_pr_title:
    name: "📝 Validate PR Title"
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
      contents: read
    steps:
      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
        id: lint_pr_title
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
        if: always() && (steps.lint_pr_title.outputs.error_message != null)
        with:
          header: pr-title-lint-error
          message: |
            Hey there and thank you for opening this pull request! 👋🏼
            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/).

            **Error details:**
            ```
            ${{ steps.lint_pr_title.outputs.error_message }}
            ```

      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
        uses: marocchino/sticky-pull-request-comment@67d0dec7b07ed060a405f9b2a64b8ab319fdd7db # v2.9.2
        with:
          header: pr-title-lint-error
          delete: true

  dependency-review:
    name: 🔍 Vulnerable Dependencies
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0

      - name: Dependency Review
        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
        with:
          fail-on-severity: high
          deny-licenses: GPL-3.0, AGPL-3.0
          base-ref: ${{ github.event.pull_request.base.sha || 'develop' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

  code_quality:
    name: "🔍 Lint & Test (${{ matrix.command }})"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        command:
          - "lint"
          - "check"
    steps:
      - name: "📥 Checkout PR code"
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          submodules: recursive
          fetch-depth: 0

      - name: "🟢 Setup Node.js"
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: '20.x'

      - name: "🍞 Setup Bun"
        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
        with:
          # @todo: update to 1.x once this is fixed: https://github.com/streamyfin/streamyfin/pull/690#discussion_r2089749689
          bun-version: '1.2.13'

      - name: "📦 Install dependencies"
        run: bun install --frozen-lockfile

      - name: "🚨 Run ${{ matrix.command }}"
        run: bun run ${{ matrix.command }}