ci-main-pull-request.yml

# CI pipeline for all application types on main and release branches
#
# use stubs/ci-main-pull-request-stub.yml in your repo to call this common action using workflow_call
#
# performs the following actions:
# 1. run source code complexity checks (SCC) using scc
# 2. run language-specific pre-compilation checks and linting (e.g., gosec, rubocop, etc.)
# 3. run language-agnostic pre-compilation checks and secret scans (e.g., OWASP dependency or top 10 checks, trufflehog)
# 4. build and unit test the application (e.g., go test, cargo test, etc.) - integration tests are in CD pipeline
# 5. run static application security tests (SAST, e.g. Sonar, Docker Scout or BlackDuck Polaris)
# 6. report to central dashboards such as harness or Irfan's quality dashboard
# 7. run packaging steps (e.g., go build, cargo build, hab build, go-releaser, etc.), publishing and optional grype scan on output
# 8. generate software bill-of-materials (SBOM) using SPDX format and lookup licenses (GitHub SBOM, Micrsosoft SBOM, license_scout, and/or BlackDuck SBOM)
# 9. run source composition analysis (SCA) scans (e.g., blackduck SCA / "purple" as a replacement to dependabot)
# 
# See DEV-README.md for more details on the steps and how to use this action, or the confluence page at <TODO: URL>
#
# secrets required (by step)
# SonarQube 
# SONAR_TOKEN (repository level)
# SONAR_HOST_URL (organization level)
# AKEYLESS_JWT_ID (organization level, for creation of Azure firewall rules)

# BlackDuck SAST/Polaris
# POLARIS_ACCESS_TOKEN (organization level)
# POLARIS_SERVER_URL (organization level)

# BlackDuck SCA/SBOM, Sbominator
# BLACKDUCK_SBOM_URL (organization level)
# BLACKDUCK_SCA_TOKEN (organization level)

# Custom repository properties (view these in the repo Settings > Code & Automation > Custom Properties)
# - GABuildLanguage (the primary language used in compilation and testing in GitHub Actions. select from go, ruby, erlang, rust)
# - GABuildProfile (a build profile to be used when building an application using GitHub Actions. This is experimental and will determine build, unit test paths by type of application (e.g., CLI, standard container, web API, etc.) in combination with GABuildLanguage
# - lifecycle (the current status of the repo in terms of level of engagement with the contents: indeterminate, active, inactive, under-review, in-process)
# - primaryApplication (the primary application of which this repo is a component. Which product owner is responsible for maintaining this repo? indeterminate, automate, chef-360, chef-server, chef-test-kitchen-enterprise, chef-workstation, chef-client, haabitt, inspec, non-product, online-services, other)
# - standardizationWorkflow (standardize, indtrminate, etc.)

name: CI flow containing PR checks for main & release, v2

on:
  workflow_call:
    inputs:
      github-event-name:
        description: 'GitHub event name (pass github.event_name from calling workflow for PR comment detection)'
        required: false
        type: string
        default: ''
      github-branch-name:
        description: 'GitHub branch name (pass github.ref_name from calling workflow for branch-specific logic)'
        required: false
        type: string
        default: ''
      application:
        # NEW IN 1.0.7 
        description: 'Application set in repository custom properties, typically primaryApplication'
        required: false
        type: string
      visibility:
        description: 'Visibility of the repository'
        required: false
        type: string
        default: 'public' # (private, public, or internal) TODO: should be removed, we know this from github.event.repository.visibility
      go-private-modules:
        description: 'GOPRIVATE for Go private modules'
        required: false
        type: string
        default: 'github.com/progress-platform-services/*'
      version:
        description: 'Version of the project'
        required: false
        type: string
        default: '1.0.0'
      detect-version-source-type:  # options include "none" (do not detect), "file", "github-tag" or "github-release"
        description: 'flag to determine how to detect version dynamically'
        required: false
        type: string
        default: 'none'
      detect-version-source-parameter:  # use for file name
        required: false
        type: string
        default: ''
      language:
        description: 'Build language (Go, Ruby, Rust, etc.), typically from the repository custom property GABuildLanguage'
        required: false
        type: string
        default: 'ruby'  
      
      perform-complexity-checks: 
        description: 'Perform complexity checks with SCC'
        required: false
        type: boolean
        default: true
      scc-output-filename:
        description: 'Name of the SCC complexity output file artifact, do not add file extension'
        required: false
        type: string
        default: 'scc-complexity'
      perform-language-linting:
        description: 'Perform language-specific linting and pre-compilation checks'
        required: false
        type: boolean
        default: true
      perform-trufflehog-scan:
        description: 'Perform trufflehog scan'
        required: false
        type: boolean
        default: true
      fail-trufflehog-on-secrets-found:
        description: 'Fail the pipeline if Trufflehog finds verified secrets'
        required: false
        type: boolean
        default: true
      perform-trivy-scan:
        description: 'Perform Trivy scan'
        required: false
        type: boolean
        default: true
      trivy-fail-on-high:
        description: 'Fail pipeline if Trivy finds HIGH vulnerabilities'
        required: false
        type: boolean
        default: false
      trivy-fail-on-critical:
        description: 'Fail pipeline if Trivy finds CRITICAL vulnerabilities'
        required: false
        type: boolean
        default: false
      perform-grype-scan:
        description: 'Perform Grype scan on source code'
        required: false
        type: boolean
        default: false
      grype-fail-on-high:
        description: 'Fail pipeline if Grype finds HIGH vulnerabilities'
        required: false
        type: boolean
        default: false
      grype-fail-on-critical:
        description: 'Fail pipeline if Grype finds CRITICAL vulnerabilities'
        required: false
        type: boolean
        default: false
      perform-grype-image-scan:
        description: 'Perform Grype scan on Docker image'
        required: false
        type: boolean
        default: false
      grype-image-fail-on-high:
        description: 'Fail pipeline if Grype image scan finds HIGH vulnerabilities'
        required: false
        type: boolean
        default: false
      grype-image-fail-on-critical:
        description: 'Fail pipeline if Grype image scan finds CRITICAL vulnerabilities'
        required: false
        type: boolean
        default: false
      grype-image-skip-aws:
        description: 'Skip Grype image scan on AWS ECR images to avoid rate limits (assumes these images are scanned with Amazon ECR scan or Trivy)'
        required: false
        type: boolean
        default: false
      perform-grype-hab-scan:
        description: 'Perform Grype scan on published Habitat packages from bldr.habitat.sh'
        required: false
        type: boolean
        default: false
      grype-hab-build-package:
        description: 'Build Habitat package from source before scanning (requires checkout)'
        required: false
        type: boolean
        default: false
      grype-hab-origin:
        description: 'Habitat origin (e.g., chef-platform)'
        required: false
        type: string
        default: ''
      grype-hab-package:
        description: 'Habitat package name (e.g., node-management-agent)'
        required: false
        type: string
        default: ''
      grype-hab-version:
        description: 'Habitat package version (optional - scans latest from channel if not specified)'
        required: false
        type: string
        default: ''
      grype-hab-release:
        description: 'Habitat package release (optional - scans latest from channel if not specified)'
        required: false
        type: string
        default: ''
      grype-hab-channel:
        description: 'Habitat package channel (e.g., stable, base, unstable, base-2025, lts-2024)'
        required: false
        type: string
        default: 'stable'
      grype-hab-path:
        description: "Path to built Habitat package (used if build_package is true, overrides hab_origin/hab_package inputs)"
        required: false
        type: string
      grype-hab-scan-linux:
        description: 'Scan Linux (x86_64-linux) Habitat package'
        required: false
        type: boolean
        default: true
      grype-hab-scan-windows:
        description: 'Scan Windows (x86_64-windows) Habitat package'
        required: false
        type: boolean
        default: false
      grype-hab-scan-macos:
        description: 'Scan MacOS (x86_64-darwin) Habitat package'
        required: false
        type: boolean
        default: false
      build:
        description: 'CI Build (language-specific)'
        required: false
        type: boolean
        default: true
      build-profile:
        # NEW IN 1.0.7 
        description: 'Build profile for build step and Sonar, typically from the custom property GABuildProfile on the repository'
        required: false
        type: string
        default: 'cli'
      unit-tests:
        description: 'Run unit tests (language-specific)'
        required: false
        type: boolean
        default: true
      unit-test-output-path: 
        # NEW IN 1.0.7 
        description: "Path to test results folder"
        required: false
        type: string
        default: "test/unittest"
      unit-test-command-override:
        # NEW IN 1.0.7 
        description: "Command line for running tests in this repo, if not the language default"
        required: false 
        type: string

      perform-blackduck-polaris:
        description: 'Perform BlackDuck Polaris (SAST) scan'
        required: false
        type: boolean
        default: false
      polaris-application-name:
        description: 'Polaris application name, one of these {Chef-Agents | Chef-Automate | Chef-Chef360 | Chef-Habitat | Chef-Infrastructure-Server | Chef-Shared-Services}'
        required: false
        type: string
      polaris-project-name:
        description: 'Polaris project name, typically the application name, followed by - and the repository name, for example Chef-Chef360-chef-vault'
        required: false
        default: "${{ github.event.repository.name }}"
        type: string    
      polaris-working-directory:
        # NEW IN 1.0.7
        description: 'Working directory for the scan, defaults to . but usually lang-dependent like ./src'
        required: false
        default: '.'
        type: string
      polaris-config-path:
        # NEW IN 1.0.7
        description: 'Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml'
        required: false
        default: ''
        type: string
      polaris-coverity-config-path:
        # NEW IN 1.0.7
        description: 'Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml'
        required: false
        default: ''
        type: string
      polaris-coverity-clean-command:
        # NEW IN 1.0.7
        description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean". Leave empty for buildless analysis (Ruby, Python, etc.)'
        required: false
        default: ''
        type: string
      polaris-coverity-build-command:
        # NEW IN 1.0.7
        description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install". Leave empty for buildless analysis (Ruby, Python, etc.)'
        required: false
        default: ''
        type: string
      polaris-coverity-args:
        # NEW IN 1.0.7
        description: 'Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make'
        required: false
        default: ''
        type: string
      polaris-detect-search-depth:
        # NEW IN 1.0.7 
        description: 'Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan'
        required: false
        default: ''
        type: string
      polaris-detect-args:
        # NEW IN 1.0.7
        description: 'Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"'
        required: false
        default: ''
        type: string
      polaris-assessment-mode:
        # NEW IN 1.0.7
        description: 'Assessment mode (CI or SOURCE_UPLOAD)'
        required: false
        default: 'CI'
        type: string
      wait-for-scan:
        # NEW IN 1.0.7
        description: 'Wait for scan completion'
        required: false
        default: true
        type: boolean
      polaris-fail-on-high:
        description: 'Fail the pipeline if Polaris SAST scan finds HIGH vulnerabilities'
        required: false
        type: boolean
        default: false
      polaris-fail-on-critical:
        description: 'Fail the pipeline if Polaris SAST scan finds CRITICAL vulnerabilities'
        required: false
        type: boolean
        default: false

      perform-sonarqube-scan: 
        description: 'Perform basic SonarQube scan'
        required: false
        type: boolean
        default: true
      perform-docker-scan:
        description: 'Perform Docker scan of Dockerfile and built images in chef360 and other containerized applications'
        required: false
        type: boolean
        default: false
      report-unit-test-coverage: 
        description: 'Perform unit tests and report coverage to SonarQube'
        required: false
        type: boolean
        default: true
      report-to-atlassian-dashboard: 
        description: 'Report Sonar test coverage and other metrics to Atlassian dashboard (Irfans QA dashboard)'
        required: false
        type: boolean
        default: true     
      quality-product-name:
        description: 'Product name for quality reporting (Chef360, Courier, Inspec)'
        required: false
        type: string
        default: 'Chef360'
      quality-sonar-app-name:
        description: 'Sonar application name for quality reporting'
        required: false
        type: string
        default: 'YourSonarAppName'
      quality-testing-type:
        description: 'Testing type for quality reporting (Unit, Integration, e2e, api, Performance, Security)'
        required: false
        type: string
        default: 'Integration'
      quality-service-name:
        description: 'Service or repository name for quality reporting'
        required: false
        type: string
        default: 'YourServiceOrRepoName'
      quality-junit-report:
        description: 'Path to JUnit report for quality reporting'
        required: false
        type: string
        default: 'path/to/junit/report'
      package-binaries:
        description: 'Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)'
        required: false
        type: boolean
        default: true
      habitat-build:
        description: 'Create Habitat packages'
        required: false
        type: boolean
        default: true
      publish-habitat-packages:
        # NEW IN 1.0.7
        description: 'Publish Habitat packages to Builder'
        required: false
        type: boolean
        default: false
      publish-habitat-hab_package:
        # NEW IN 1.0.7
        description: "Chef Habitat package to install (e.g., core/nginx)"
        required: false
        type: string
        default: "core/nginx"
        # TODO: detect from plan file if not provided
      publish-habitat-hab_version:
        # NEW IN 1.0.7
        description: "Chef Habitat package version (optional)"
        required: false
        type: string
      publish-habitat-hab_release:
        # NEW IN 1.0.7
        description: "Chef Habitat package release (optional)"
        required: false
        type: string
      publish-habitat-hab_channel:
        # NEW IN 1.0.7
        description: "Chef Habitat package channel (e.g., stable, base, base-2025); default is stable"
        required: false
        type: string
        default: "stable"
      publish-habitat-hab_auth_token:
        # NEW IN 1.0.7
        required: false
        type: string
        # TODO: use secret if not provided
      publish-habitat-runner_os:
        description: "Runner OS to use (ubuntu-latest or windows-latest)"
        type: string
        # TODO: these should be options: ubuntu-latest, windows-latest, both, and add MacOS support
        required: false
        default: ubuntu-latest
      habitat-grype-scan:
        # NEW IN 1.0.7
        description: 'Scan built Habitat packages with Grype for vulnerabilities'
        required: false
        type: boolean
        default: false
      publish-packages:
        description: 'Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)'
        required: false
        type: boolean
        default: true

      generate-sbom:
        description: 'Generate software bill-of-materials (SPDX SBOM)'
        required: false
        type: boolean
        default: true
      export-github-sbom:
        description: 'Export SBOM to GitHub'
        required: false
        type: boolean
        default: true
      generate-msft-sbom:
        description: 'Generate SBOM using MSFT tools'
        required: false
        type: boolean
        default: true
      license_scout:
        description: 'Run license scout for license compliance'
        required: false
        type: boolean
        default: true

      perform-blackduck-sca-scan: # combined with generate sbom below, also needs version above
        description: 'Perform BlackDuck SCA scan'
        required: false
        type: boolean
        default: false
      blackduck-project-group-name:
        description: 'BlackDuck project group name, typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services'
        required: false
        type: string
        default: 'Chef' 
      blackduck-project-name:
        description: 'BlackDuck project name, typically the repository name'
        required: false
        type: string
        default: ${{ github.event.repository.name }}
      polaris-blackduck-executable: 
        # TODO: this will be obsolete with built-in polaris in action
        description: 'Path to BlackDuck polaris executable after build or download step'
        required: false
        type: string
        default: 'path/to/blackduck/binary'
      polaris-executable-detect-path: 
        description: 'Additions to $PATH for BlackDuck polaris to find executable'
        required: false
        type: string
        default: 'path/to/detect'
      blackduck-force-low-accuracy-mode:
        description: 'Force low accuracy mode for BlackDuck SCA scan to speed up scan time at the cost of accuracy (not recommended for production use)'
        required: false
        type: boolean
        default: false
      run-bundle-install: # Added to support projects without committed Gemfile.lock (e.g., chef-cli)
        description: 'Run bundle install before scanning to generate Gemfile.lock at runtime'
        required: false
        type: boolean
        default: false
      ruby-app-directory:
        description: 'Subdirectory containing Ruby Gemfile (e.g., "src/supermarket" for repos with non-root Gemfile location). Leave empty if Gemfile is in root.'
        required: false
        type: string
        default: ''
      blackduck-fail-on-blocker:
        description: 'Fail the pipeline if BlackDuck SCA scan finds BLOCKER vulnerabilities'
        required: false
        type: boolean
        default: false
      blackduck-fail-on-critical:
        description: 'Fail the pipeline if BlackDuck SCA scan finds CRITICAL vulnerabilities'
        required: false
        type: boolean
        default: false
      blackduck-fail-on-major:
        description: 'Fail the pipeline if BlackDuck SCA scan finds MAJOR vulnerabilities'
        required: false
        type: boolean
        default: false

      udf1:
        description: 'User defined flag 1'
        required: false
        type: string
        default: 'default'
      udf2:
        description: 'User defined flag 2'
        required: false
        type: string
        default: 'default'
      udf3:
        description: 'User defined flag 3'
        required: false
        type: string
        default: 'default'
      
      # no longer used (retained just for older stub versions)
      generate-blackduck-sbom:  # obsolete
        description: 'Generate SBOM using BlackDuck polaris (OBSOLETE, use perform-blackduck-sca-scan instead)'
        required: false
        type: boolean
        default: false 
      # polaris-server-url:
      #   # should be obsolete with POLARIS_SERVER_URL secret
      #   description: 'Polaris server URL'
      #   required: false
      #   default: 'https://polaris.blackduck.com'
      #   type: string
        
env:
  PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default'   # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
  REPO_VISIBILITY: ${{ github.event.repository.visibility }}
  REPO_NAME: ${{ github.event.repository.name }}
  PIPELINE_VERSION: '1.0.7'  # version of this CI pipeline
  GA_BUILD_LANGUAGE: ${{ inputs.language}}  # Custom repo property [GABuildLanguage]: go, ruby, erlang, rust (replaces Language input)
  GA_BUILD_PROFILE: ${{ inputs.build-profile }}   # Custom repo property [GABuildProfile]: TBD
  # APP_VERSION: $(cat VERSION) 
  FILE_PREFIX: $(echo "${{ github.repository }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
  DEFAULT_FILE_EXTENSION: ".json"
  DEFAULT_SEPARATOR: "-"

jobs:
  precompilation-checks:
    name: 'Pre-compilation checks'
    runs-on: ubuntu-latest
    steps:
      - name: detect-custom-properties
        # 'Detect app, language, and build profile environment variables from repository custom properties'
        # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]'
        run: |
          response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values) 

          primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value')
          GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value')
          GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value')
          
          echo "PRIMARY APP... $primaryApplication"
          echo "BUILD LANG... $GABuildLanguage"
          echo "BUILD PROFILE... $GABuildProfile"
          
          echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV
          echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV
          echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }} 
          
      - name: generate-filename-slug
        # description: Generate a simple slug based on repo and date for use in any output artifacts
        run: |
          FILE_PREFIX=$(echo "${{ github.repository }}${{ env.DEFAULT_SEPARATOR }}${{ github.ref_name }}${{ env.DEFAULT_SEPARATOR }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
          echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
        # FILE_NAME=$(echo "${{ env.FILE_PREFIX }}${{ env.DEFAULT_SEPARATOR }}${{ env.DEFAULT_FILE_NAME }}${{ env.DEFAULT_FILE_EXTENSION }}")
    
      - name: 'Echo inputs'
        run: |
          echo "CI pipeline execution plan for repository [$REPO_NAME] with pipeline version $PIPELINE_VERSION"
          echo "Environment variables"
          echo "  Repository visibility $REPO_VISIBILITY [workflow param was: ${{ inputs.visibility }}]"
          echo "  Repository primary application $PRIMARY_APPLICATION [workflow param was: ${{ inputs.application }}]"
          echo "  Repository build language $GA_BUILD_LANGUAGE [workflow param was: ${{ inputs.language }}]"
          echo "  Repository build profile $GA_BUILD_PROFILE [workflow param was: ${{ inputs.build-profile }}]"
          echo "  Computed file name prefix $FILE_PREFIX"
          if [ ${{ inputs.version }} ]; then
            echo "  Repository version ${{ inputs.version }} from parameter ${{ inputs.detect-version-source-parameter }} and type ${{ inputs.detect-version-source-type }}"
          fi  
          if [ ${{ inputs.go-private-modules }} ]; then
            echo "  GOPRIVATE ${{ inputs.go-private-modules }}"
          fi
          echo "  Pipeline executing on ubuntu-latest"

          echo   "** SOURCE CODE COMPLEXITY AND LINTING ***********************************************"
          if [ ${{ inputs.perform-complexity-checks }} ]; then
            echo "   SCC: performing complexity checks with output filename ${{ inputs.scc-output-filename }} "
          fi
          if [ ${{ inputs.perform-language-linting }} ]; then
            echo "   Linting: performing language-specific linting"
          fi

          echo   "** TRUFFLEHOG (SECRETS) AND TRIVY (DEP SCAN) ****************************************"
          if [ ${{ inputs.perform-trufflehog-scan }} ]; then
            echo "   Trufflehog"
          fi
          if [ ${{ inputs.perform-trivy-scan }} ]; then
            echo "   trivy"
          fi

          if [ ${{ inputs.perform-grype-hab-scan }} ]; then
            echo   "** GRYPE HABITAT PACKAGE SCAN **********************************************************"
            echo   "   Mode: ${{ inputs.grype-hab-build-package == true && 'Build from source' || 'Download from Builder' }}"
            if [ ${{ inputs.grype-hab-build-package }} ]; then
              echo   "   Origin: ${{ inputs.grype-hab-origin }}"
            fi
            echo   "   Scanning Habitat package: ${{ inputs.grype-hab-origin }}/${{ inputs.grype-hab-package }}"
            echo   "   Version: ${{ inputs.grype-hab-version }} Release: ${{ inputs.grype-hab-release }} Channel: ${{ inputs.grype-hab-channel }}"
            echo   "   Platforms: Linux=${{ inputs.grype-hab-scan-linux }} Windows=${{ inputs.grype-hab-scan-windows }} MacOS=${{ inputs.grype-hab-scan-macos }}"
          fi

          if [ ${{ inputs.build }} ]; then
            echo   "** BUILD AND UNIT TEST *************************************************************"
            echo   "   Repository build profile $GA_BUILD_PROFILE [${{ inputs.build-profile }}]"
            if [ ${{ inputs.unit-tests }} ]; then
              echo "   Unit testing to ${{ inputs.unit-test-output-path }} with override command ${{ inputs.unit-test-command-override }}"
            fi
          fi

          if [ ${{ inputs.perform-blackduck-polaris }} ]; then
            echo   "** POLARIS (SAST) TESTING *************************************************************"
            echo   "   Polaris application name ${{ inputs.polaris-application-name }}"
            echo   "   Polaris project name     ${{ inputs.polaris-project-name }}"
            echo   "   Working directory        ${{ inputs.polaris-working-directory }}"
            echo   "   Config path              ${{ inputs.polaris-config-path }} (Coverity ${{ inputs.polaris-coverity-config-path }})"
            echo   "   Clean command            ${{ inputs.polaris-coverity-clean-command }}"
            echo   "   Build command            ${{ inputs.polaris-coverity-build-command }}"
            echo   "   Args                     ${{ inputs.polaris-coverity-args }}"
            echo   "   Detect search depth      ${{ inputs.polaris-detect-search-depth }}"
            echo   "   Detect args              ${{ inputs.polaris-detect-args }}"
            echo   "   Assessment mode          ${{ inputs.polaris-assessment-mode }}"
            echo   "   Wait for scan            ${{ inputs.wait-for-scan }}"
          fi
      
          if [ ${{ inputs.perform-sonarqube-scan }} ]; then
            echo   "** SONARQUBE ******************************************************************"
          fi
          if [ ${{ inputs.perform-docker-scan }} ]; then
            echo   "** DOCKER SCOUT ***************************************************************"
          fi

          if [ ${{ inputs.report-unit-test-coverage }} ]; then
            echo   "** QUALITY DASHBOARD UNIT TEST COVERAGE REPORT ********************************"
            # ignored for now - report-to-atlassian-dashboard, quality-product-name, quality-sonar-app-name, quality-testing-type, quality-service-name, quality-junit-report
          fi
      
          if [ ${{ inputs.package-binaries }} ]; then
            echo   "** PACKAGING ******************************************************************"
            if [ ${{ inputs.habitat-build }} ]; then
              echo "** HABITAT BUILD **************************************************************"
              echo "   Publish Habitat packages      ${{ inputs.publish-habitat-packages }}"
              echo "   Habitat package name          ${{ inputs.publish-habitat-hab_package }}"
              echo "   Habitat package version       ${{ inputs.publish-habitat-hab_version }}"
              echo "   Habitat package release       ${{ inputs.publish-habitat-hab_release }}"
              echo "   Habitat package channel       ${{ inputs.publish-habitat-hab_channel }}"
              echo "   Auth token (overrides secret) ${{ inputs.publish-habitat-hab_auth_token }}"
              echo "   Publish operating system      ${{ inputs.publish-habitat-runner_os }}"
            fi
            if [ ${{ inputs.habitat-grype-scan }} ]; then
              echo "   Performing grype scan on published package"
            fi  
            if [ ${{ inputs.publish-packages }} ]; then
              echo "   PUBLISHING PACKAGES TO ECR, BLDR, RUBYGEMS NOT YET SUPPORTED"
            fi              
          fi

          if [ ${{ inputs.generate-sbom }} ]; then
            echo   "** SOFTWARE BILL OF MATERIALS FILE GENERATION ****************************************"
            if [ ${{ inputs.export-github-sbom }} ]; then
              echo "   GitHub SBOM export"
            fi
            if [ ${{ inputs.generate-msft-sbom }} ]; then
              echo "   Microsoft SBOM file"
            fi
            if [ ${{ inputs.license_scout }} ]; then
              echo "   License scout"
            fi
          fi
          # Generate BlackDuck SBOM set to ${{ inputs.generate-blackduck-sbom }} OBSOLETE, NO EFFECT

          if [ ${{ inputs.perform-blackduck-sca-scan }} ]; then
            echo   "** BLACKDUCK SCAN AND REPORT ***********************************************"
            echo   "   Chef is located at https://progresssoftware.app.blackduck.com/api/project-groups/fc6da208-79a9-4c47-a14d-6cfdf26bcfd5"
            echo   "   BlackDuck project group name     ${{ inputs.blackduck-project-group-name }}"
            echo   "   BlackDuck project name           ${{ inputs.blackduck-project-name }}"
            echo   "   Polaris BlackDuck executable     ${{ inputs.polaris-blackduck-executable }}"
            echo   "   Polaris executable detect path   ${{ inputs.polaris-executable-detect-path }}"
          fi
              
          echo "** USER DEFINED FLAGS ***************************************"
          if [ -n "$${{ inputs.udf1 }}" ]; then  
            echo "  UDF1 ${{ inputs.udf1 }}"
          fi
          if [ -n "$${{ inputs.udf2 }}" ]; then 
            echo "  UDF2 ${{ inputs.udf2 }}"
          fi
          if [ -n "$${{ inputs.udf3 }}" ]; then  
            echo "  UDF3 ${{ inputs.udf3 }}"
          fi
          # echo "The job_id is: $GITHUB_JOB"   
          # echo ${{ secrets.GITHUB_TOKEN }} DO NOT ECHO THIS
     
  checkout:
    name: 'Checkout repository'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
     
  scc:
    name: 'Source code complexity checks'
    if: ${{ inputs.perform-complexity-checks == true }}
    uses: chef/common-github-actions/.github/workflows/scc.yml@main
    needs: checkout
    with:
      outputfilename: ${{ inputs.scc-output-filename }}
     
  language-specific-checks:
    name: 'Language-specific pre-compilation steps and linting'  
    # TODO: make three separate flows, by language with all steps (as oposed to one file per step with language-branching in each)
    # language specific tests (gosec, rubocop, linters, etc.)
    # ${{ inputs.language == 'rust' && inputs.perform-language-linting == true }}
    # TODO: note you cannot do a conditional on the job, only on the step if using an ENV VAR

    if: inputs.perform-language-linting 
    runs-on: ubuntu-latest
    needs: checkout
    steps:
      - name: echo language
        run: |
          echo "Build language is set to ${{ env.GA_BUILD_LANGUAGE }}"
          echo "Build language passed in ${{ inputs.language }}"
      - name: Rust language checks
        if: inputs.language == 'rust' # env.GA_BUILD_LANGUAGE 
        run: echo 'crate linter'
        # https://github.com/rust-lang/rust-clippy
        # cargo clippy --all-targets --all-features -- -D warnings
    
      - name: Ruby language checks
        if: inputs.language == 'ruby'
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.4'
          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
        # generate gemfile.lock (TODO: move this below to OWASP)
      - name: RuboCop Lint
        if: inputs.language == 'ruby'
        run: |
          echo 'ruby linter'
        # gem install rubocop
        # rubocop --format=github --display-cop-names --extra-details --force-exclusion .
        # bundle install
        # - name: 'Bundler Audit'
        #   if: ${{ inputs.language == 'Ruby' && inputs.perform-complexity-checks == true }}
        #   uses: andrewmcodes/bundler-audit-action@main
        #   env:
        #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # TODO: get with Marc/Prajakta on this sequence for Ruby uses: chef/common-github-actions/.github/workflows/rubocop.yml@main
        # TODO: this is also not certified, craete a copy in .github/actions - https://github.com/marketplace/actions/bundler-audit-action
        # Bundler Audit Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

      - name: Go language checks
        if: inputs.language == 'go'
        uses: actions/setup-go@v5
        with: 
          go-version: '1.24'
          check-latest: true
      - name: Configure git for private Go modules
        if: inputs.language == 'go'
        env:
          GOPRIVATE: ${{ inputs.go-private-modules }}
        run: git config --global url."https://${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
      - name: Go linting and security checks  
        if: inputs.language == 'go'
        run: echo "Running Go linting and security checks"
        # TODO: THESE DO NOT RUN IN CHEF ORG - need to create copies in common-github-actions/.github/actions/
        # we can download and install them manually here if needed
        # ERROR ON WORKFLOW: The actions golangci/golangci-lint-action@v6, dominikh/staticcheck-action@v1, and securego/gosec@master are not allowed in chef/arch-sample-cli because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: chef/*, chef/.github, chef/.github/workflows/*.
        # - name: Run golangci-lint
        #   if: env.GA_BUILD_LANGUAGE == 'go'
        #   uses: golangci/golangci-lint-action@v6
        #   with:
        #     version: latest
        #     args: --timeout=5m
        # - name: Run staticcheck
        #   if: env.GA_BUILD_LANGUAGE == 'go'
        #   uses: dominikh/staticcheck-action@v1
        #   with:
        #     version: latest
        # - name: Run Gosec Security Scanner
        #   uses: securego/gosec@master
        #   with:
        #     args: ./...

        # TO GET OUTPUT AS ARTIFACT go install github.com/securego/gosec/v2/cmd/gosec@latest
        # gosec ./... >> ./bin/gosec.out

        # https://go.googlesource.com/vuln - govulncheck is same as BlackDuck SCA backend, redundant to add it here

  language-agnostic-checks:
    name: 'Language-agnostic pre-compilation steps'
    if: inputs.perform-language-linting 
    runs-on: ubuntu-latest
    needs: checkout
    steps:
      - name: Language agnostic checks (OWASP dep check)
        run: echo "placeholder"
        #     - name: 'Language-agnostic pre-compilation steps (OWASP dependency check)'  
        #       uses: dependency-check/Dependency-Check_Action@main
        # TODO: Dependency Check is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation
        # create a copy in common-github-actions/.github/actions/owasp-dependency-check.yml
        # https://github.com/marketplace/actions/dependency-check & https://owasp.org/www-project-dependency-check/ 
        #     and flags at https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
        # - name: 'OWASP dependency check'
        #   uses: dependency-check/Dependency-Check_Action@v4.0.0
        #   with:
        #     project: ${{ github.event.repository.name }} 
        #       with:
        #         project: $REPO_NAME
        #         path: '.'
        #         format: 'JSON'
        # # out: 'reports' # this is the default, no need to specify unless you wish to override it
        #         args: >
        #           --enableRetired
        #           --prettyPrint
        # - name: Upload Test results
        #   uses: actions/upload-artifact@v4
        #   with:
        #     name: OWASP dependency check report
        #     path: ${{github.workspace}}/reports
        # TODO: add flag --failOnCVSS 7
        # TODO: integrate with SonarQube
        # TODO: correct artifact upload names like Sonu's in sbom.yml
                
  run-trufflehog:
    name: 'Trufflehog scan'
    if: ${{ inputs.perform-trufflehog-scan }}
    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
    needs: checkout
    with:
      github-event-name: ${{ inputs.github-event-name }}
      github-branch-name: ${{ inputs.github-branch-name }}
      fail-trufflehog-on-secrets-found: ${{ inputs.fail-trufflehog-on-secrets-found }}

      # temporarily commenting out trivy scan due to https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation
  # run-trivy:
  #   name: 'Trivy scan'
  #   if: ${{ inputs.perform-trivy-scan }}
  #   uses: chef/common-github-actions/.github/workflows/trivy.yml@main
  #   needs: checkout
  #   with:
  #     version: ${{ inputs.version }}
  #     trivy-fail-on-high: ${{ inputs.trivy-fail-on-high }}
  #     trivy-fail-on-critical: ${{ inputs.trivy-fail-on-critical }}

  run-grype:
    name: 'Grype scan'
    if: ${{ inputs.perform-grype-scan }}
    runs-on: ubuntu-latest
    needs: checkout # TODO: fix set-application-version
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Determine severity threshold
        id: severity
        run: |
          if [ "${{ inputs.grype-fail-on-high }}" == "true" ]; then
            echo "level=high" >> $GITHUB_OUTPUT
          elif [ "${{ inputs.grype-fail-on-critical }}" == "true" ]; then
            echo "level=critical" >> $GITHUB_OUTPUT
          else
            echo "level=none" >> $GITHUB_OUTPUT
          fi

      - name: Install Grype and update database
        run: |
          curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin
          grype db update
          grype version
      
      - name: Generate Artifact Name
        run: |
            TIMESTAMP=$(date +%Y%m%d-%H%M%S)
            ARTIFACT_NAME=$(echo "grype-scan-${{ github.event.repository.name }}-${TIMESTAMP}" | sed 's|/|-|g')
            echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV

      - name: Run Grype scan on repo
        id: scan
        run: |
          # Run grype with only-fixed flag and output to JSON for analysis
          grype dir:. --only-fixed -o json > grype-scan.json
          grype dir:. --only-fixed --only-fixed --output table >> grype-scan.log || true
          echo "✅ Grype scan completed successfully"
  

      - name: Check Grype results and fail if vulnerabilities found
        if: always()
        run: |
          JSON_FILE="./grype-scan.json"
          
          if [ ! -f "$JSON_FILE" ] || [ -z "$JSON_FILE" ]; then
            echo "⚠️  Grype JSON output not found"
            exit 0
          fi
          
          # Extract vulnerability counts using jq or grep fallback
          if command -v jq &> /dev/null; then
            CRITICAL_COUNT=$(jq '[.matches[]? | select(.vulnerability.severity == "Critical")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
            HIGH_COUNT=$(jq '[.matches[]? | select(.vulnerability.severity == "High")] | length' "$JSON_FILE" 2>/dev/null || echo "0")
          else
            CRITICAL_COUNT=$(grep -o '"severity":"Critical"' "$JSON_FILE" | wc -l | tr -d ' ' || echo "0")
            HIGH_COUNT=$(grep -o '"severity":"High"' "$JSON_FILE" | wc -l | tr -d ' ' || echo "0")
          fi
          
          echo ""
          echo "============================================"
          echo "Grype Security Scan Summary"
          echo "============================================"
          echo "CRITICAL vulnerabilities: $CRITICAL_COUNT"
          echo "HIGH vulnerabilities: $HIGH_COUNT"
          echo "============================================"
          
          VIOLATIONS=""
          [ "${{ inputs.grype-fail-on-critical }}" == "true" ] && [ "$CRITICAL_COUNT" -gt 0 ] && VIOLATIONS="${VIOLATIONS}$CRITICAL_COUNT CRITICAL, "
          [ "${{ inputs.grype-fail-on-high }}" == "true" ] && [ "$HIGH_COUNT" -gt 0 ] && VIOLATIONS="${VIOLATIONS}$HIGH_COUNT HIGH, "
          
          if [ -n "$VIOLATIONS" ]; then
            echo ""
            echo "❌ BUILD FAILED: Found ${VIOLATIONS%, }"
            exit 1
          fi
          
          echo ""
          echo "✅ No policy violations found"

      - name: Upload Grype scan results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.ARTIFACT_NAME }}
          path: |
            grype-scan.json
            grype-scan.log

      # - name: Run Grype scan on repo
      #   uses: anchore/scan-action@v3
      #   with:
      #     path: .
      #     fail-build: true
      #     severity-cutoff: high

  run-grype-image:
    name: 'Grype Docker image scan'
    if: ${{ inputs.perform-grype-image-scan }}
    uses: chef/common-github-actions/.github/workflows/grype.yml@main
    needs: checkout
    secrets: inherit
    with:
      fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
      fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
      grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}

  run-grype-hab-package-scan:
    name: 'Grype scan Habitat packages from bldr.habitat.sh'
    if: ${{ inputs.perform-grype-hab-scan == true }}
    uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@main
    needs: checkout
    secrets: inherit
    with:
      build_package: ${{ inputs.grype-hab-build-package }}
      hab_origin: ${{ inputs.grype-hab-origin }}
      hab_package: ${{ inputs.grype-hab-package }}
      hab_version: ${{ inputs.grype-hab-version }}
      hab_release: ${{ inputs.grype-hab-release }}
      hab_channel: ${{ inputs.grype-hab-channel }}
      hab_path: ${{ inputs.grype-hab-path }}
      scan-linux: ${{ inputs.grype-hab-scan-linux }}
      scan-windows: ${{ inputs.grype-hab-scan-windows }}
      scan-macos: ${{ inputs.grype-hab-scan-macos }}
      fail-grype-on-high: ${{ inputs.grype-fail-on-high }}
      fail-grype-on-critical: ${{ inputs.grype-fail-on-critical }}
  
    # run-srcclr:
    #   if: ${{ inputs.perform-srcclr-scan == true }}
    #   uses: chef/common-github-actions/.github/workflows/srcclr.yml@main
    #   needs: run-scc

    # run-veracode-sca:
    #   if: ${{ inputs.perform-veracode-sca-scan == true }}
    #   uses: chef/common-github-actions/.github/workflows/veracode-sca.yml@main
    #   needs: run-scc
    #   secrets: inherit
    
  ci-build:
    name: 'Build/compilation and unit tests (CI)'
    if : ${{ inputs.build == true }}
    needs: checkout
    timeout-minutes: 40 # Maximum allowed minutes for GitHub-hosted runners (6 hours = 360 minutes)
    runs-on: ubuntu-latest
    # TODO: make this matrix strategy, and allow language compiler version overrides
    steps:
      - name: 'Build language: ${{ inputs.language }}'
        run: |
          echo "Building application in language ${{ env.GA_BUILD_LANGUAGE }}"
          echo " passed in with ${{ inputs.language }}"
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Configure git for private Go modules
        if: inputs.language == 'go'
        env:
          GOPRIVATE: ${{ inputs.go-private-modules }}
        run: git config --global url."https://${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
      - name: 'Go build'
        if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
        continue-on-error: true
        # TODO: make this a matrix on WIndows/Mac/Linux
        # TODO: parameterize build output path
        run: |
          ls
          pwd
          go mod tidy
          go build -o ./bin/${{ env.REPO_NAME }} .
      - name: 'Go unit tests'
        if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
        continue-on-error: true
        run: |
          go test -v ./... > ${{ inputs.unit-test-output-path }}

      # TODO: add unit-test-command-override if go test is not desired        

      - name: Upload test coverage artifact
        if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
        uses: actions/upload-artifact@v4
        # TODO: parameterize the unit test and coverage report names
        with:
            # Name of the artifact to upload.
            name: test-coverage.out
            # A file, directory or wildcard pattern that describes what to upload
            path: ${{ inputs.unit-test-output-path }}
        #   run: go test -v -coverprofile="coverage.out" ./... and upload artifact!
        #     - name: Build for Rust binary
        #       if: ${{ env.GA_BUILD_LANGUAGE == 'rust' }}  
        #       run: echo 'hello world'
        #       # cargo build --release --target-dir ./bin

      #     - name: Build for Ruby binary 
      # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem
      # https://bundler.io/man/bundle-install.1.html
      - name: Set up Ruby # Fixed: Ruby setup was missing, causing "bundle: command not found" errors
        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.4'
          bundler-cache: false

      - name: Configure Bundler for private Ruby gems
        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}
        run: |
          if [ -z "${{ secrets.PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE }}" ]; then
            echo "Skipping: PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE secret not configured or not in scope"
            exit 0
          fi
          bundle config set --local github.com "x-access-token:${{ secrets.PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE }}"

      - name: 'Ruby build'
        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}
        continue-on-error: true
        run: |
          mkdir -p vendor
          if [ -f "Gemfile.lock" ]; then
            bundle install --deployment
          else
            echo "No Gemfile.lock found, creating it now"
            bundle install --path vendor/bundle # Fixed: Removed --deployment flag when lockfile doesn't exist
          fi
          bundle exec rake build
      # this does not work on all repos - chef-telemetry needs bundle install to generate gemfile.lock, but chef-cli does not commit gemfile.lock and needs bundle install to generate it at runtime - add flag to control whether bundle install is run in ci-build or language-specific checks
      # TODO: detect if rakefile exists, else do bundler default
      - name: 'Ruby unit tests'
        if: ${{ inputs.language == 'ruby' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
        continue-on-error: true
        run: |
          echo "Running Ruby unit tests with output to ${{ inputs.unit-test-output-path }}"
        # bundle exec rake spec --trace > ${{ inputs.unit-test-output-path }}

    # - name: Configure git for private modules
    #   env:
    #     GOPRIVATE: github.com/progress-platform-services/*
    #   run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
    
    # TODO: dynamic version detection stepswith new flags ${{ detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
    # AND ${{ detect-version-source-parameter: '' # use for file name}}
    # version: ${{ github.workflow.env.APP_VERSION }}
    # version: ${{ needs.set-app-version.outputs.app-version }}
      
    # if you have a version file, you can read it in to an environment variable with
    #     - name: Set variables
    #       run: |
    #         VER=$(cat VERSION)
    #         echo "VERSION=$VER" >> $GITHUB_ENV
    #   then ${{ env.VERSION }}
  
  set-application-version:
    runs-on: ubuntu-latest
    name: 'Detect SBOM version for application'
    if: (inputs.version == '') && (inputs.detect-version-source-parameter != '') 
    needs: ci-build
    steps:
      - name: Detect SBOM version
        run: |
          echo "placeholder for setting version"
          echo ${{ inputs.version }}
          echo ${{ inputs.detect-version-source-parameter }}
          echo ${{ inputs.detect-version-source-type }}
    # outputs:
    #   app-version: ${{ steps.set-app-version.outputs.version }} # Map the step's output to the job's output
    # steps:
    #   - name: Checkout code
    #     uses: actions/checkout@v6
    #   - name: Set application version from file
    #     id: set-app-version
    #     run: |
    #       VERSION=$(cat VERSION) # cat VERSION works
    #       echo "APP_VERSION=$VERSION" >> $GITHUB_ENV

    #       echo "env.APP_VERSION = ${{ env.APP_VERSION }}"

    #       VERSION=$(cat VERSION)
    #       echo "two $VERSION"
    #       echo "VERSION=$VERSION" >> $GITHUB_ENV
    #       echo "$VERSION is the shell variable" 
    #       echo "Setting version to ${{ github.env.VERSION }} [$VERSION]"
    #       echo "version=$VERSION" >> $GITHUB_OUTPUT

    # if "latest-tag" then use action to get latest tag or ${{ github.event.release.tag_name }}
      # - name: Get latest tag
      #   uses: actions-ecosystem/action-get-latest-tag@v1
      #   id: latest_tag
      # - name: Use the latest tag
      #   run: echo "The latest tag is ${{ steps.latest_tag.outputs.tag }}"

  ci-unit-test: # FROM CHEF-VAULT
    # TODO: add language-specific unit tests
    name: 'Unit tests'
    if: ${{ inputs.unit-tests == true && success() && inputs.language == 'Ruby' }}
    needs:  ci-build
    strategy:
      fail-fast: false
      matrix:
        os-version: [ubuntu-latest, ubuntu-22.04, macos-latest]   # ubuntu-22.04 was original chef-vault
        ruby-version: ['3.4'] # '2.7', '3.1', 
    runs-on: ${{ matrix.os-version }}
    steps:
      - uses: actions/checkout@v6
      - name: Set up ruby version
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby-version }}
          bundler-cache: true
      - name: run specs
        run: bundle exec rake spec --trace
      # - name: Simplecov Report
      #   uses: aki77/simplecov-report-action@v1  # TODO: archived action - replace with another simplecov 
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}
      #     failedThreshold: 90
      #     resultPath: coverage/.last_run.json

      #   runs-on: ubuntu-latest
      #   needs: ci-package-binary
      #   name: 'CI unit tests'
      #   steps:
      #     - name: Build for Rust binary
      #       if: ${{ inputs.language == 'Rust' }}
      #       run: echo 'hello world'
      #       # cargo test --target-dir ./bin OR
      # - name: Run cargo-tarpaulin
      # shell: bash
      # run: |
      #   RUN_MODE=local cargo tarpaulin --ignore-tests --all-features --release --out Lcov
      #   sonar-scanner -Dcommunity.rust.lcov.reportPaths=lcov.info -Dsonar.login=${{ secrets.SONAR_TOKEN }}

      #     - name: Build for Ruby binary
      #       if: ${{ inputs.language == 'Ruby' }}
      #       run: echo 'hello world'
      #       # bundle exec rake test
      #       # bundle exec rake test:unit
      #       # bundle exec rake test:integration
      #       # bundle exec rake test:unit:rubocop

      #     - name: Build for Go binary
      #       if: ${{ inputs.language == 'Go' }}
      #       run: echo 'hello world'
      #       # go test -v ./... > ./bin/test.out

      # - name: Upload test coverage artifact
      #   uses: actions/upload-artifact@v4
      #   with:
      #     # Name of the artifact to upload.
      #     name: test-coverage.out
      #     # A file, directory or wildcard pattern that describes what to upload
      #     path: test/unittest/coverage.out
         
  # Sonar-public-repo:
  #   name: 'PUBLIC Sonar SAST scan'
  #   needs: ci-build
  #   if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'public'}}
  #   uses: chef/common-github-actions/.github/workflows/sonarqube-public-repo.yml@main
  #   secrets: inherit
  #   permissions:
  #     id-token: write
  #     contents: read
  #   with:
  #     perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
  #     build-profile: ${{ inputs.build-profile }}
  #     language: ${{ inputs.language }}
  #     report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
  #     report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
  #     quality-product-name: ${{ inputs.quality-product-name }}
  #     quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
  #     quality-testing-type: ${{ inputs.quality-testing-type }}
  #     quality-service-name: ${{ inputs.quality-service-name }}
  #     quality-junit-report: ${{ inputs.quality-junit-report }}
  #     visibility: ${{ inputs.visibility }}
  #     go-private-modules: ${{ inputs.go-private-modules }}
  #     udf1: ${{ inputs.udf1 }}
  #     udf2: ${{ inputs.udf2 }}
  #     udf3: ${{ inputs.udf3 }}
        
  # Sonar-private-repo:
  #   name: 'PRIVATE Sonar scan (inline)'
  #   if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'private'}}
  #   needs: ci-build
  #   # was uses: chef/common-github-actions/.github/workflows/sonarqube-private-repo.yml@main
  #   runs-on: ubuntu-latest
  #   steps:
  #   - name: SonarQube Scan
  #     if: ${{ inputs.visibility == 'private' }}
  #     uses: sonarsource/sonarqube-scan-action@v5.3.1
  #     continue-on-error: true
  #     env:
  #       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #       SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        
  # Sonar-internal-repo:
  #   name: 'INTERNAL Sonar scan'
  #   if: ${{ inputs.perform-sonarqube-scan == true && inputs.visibility == 'internal'}}
  #   # was if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'internal'}}
  #   needs: ci-build
  #   uses: chef/common-github-actions/.github/workflows/sonarqube-internal-repo.yml@main
  #   secrets: inherit
  #   permissions:
  #     id-token: write
  #     contents: read
  #   with:
  #     perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
  #     build-profile: ${{ inputs.build-profile }}
  #     language: ${{ inputs.language }}
  #     report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
  #     report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
  #     quality-product-name: ${{ inputs.quality-product-name }}
  #     quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
  #     quality-testing-type: ${{ inputs.quality-testing-type }}
  #     quality-service-name: ${{ inputs.quality-service-name }}
  #     quality-junit-report: ${{ inputs.quality-junit-report }}
  #     visibility: ${{ inputs.visibility }}
  #     go-private-modules: ${{ inputs.go-private-modules }}
  #     udf1: ${{ inputs.udf1 }}
  #     udf2: ${{ inputs.udf2 }}
  #     udf3: ${{ inputs.udf3 }}
      
  BlackDuck-Polaris-SAST:
    name: 'BlackDuck Polaris SAST scan'
    if: ${{ inputs.perform-blackduck-polaris && github.event_name == 'push' }}
    uses: chef/common-github-actions/.github/workflows/polaris-sast.yml@main
    needs: checkout
    secrets: inherit
    with:
      github-event-name: ${{ inputs.github-event-name }}
      github-branch-name: ${{ inputs.github-branch-name }}
      language: ${{ inputs.language }}
      polaris-application-name: ${{ inputs.polaris-application-name }}
      polaris-project-name: ${{ inputs.polaris-project-name }}
      polaris-working-directory: ${{ inputs.polaris-working-directory }}
      polaris-config-path: ${{ inputs.polaris-config-path }}
      polaris-coverity-config-path: ${{ inputs.polaris-coverity-config-path }}
      polaris-coverity-clean-command: ${{ inputs.polaris-coverity-clean-command }}
      polaris-coverity-build-command: ${{ inputs.polaris-coverity-build-command }}
      polaris-coverity-args: ${{ inputs.polaris-coverity-args }}
      polaris-detect-search-depth: ${{ inputs.polaris-detect-search-depth }}
      polaris-detect-args: ${{ inputs.polaris-detect-args }}
      polaris-assessment-mode: ${{ inputs.polaris-assessment-mode }}
      wait-for-scan: ${{ inputs.wait-for-scan }}
      polaris-fail-on-high: ${{ inputs.polaris-fail-on-high }}
      polaris-fail-on-critical: ${{ inputs.polaris-fail-on-critical }}
       
  package-binary:
    name: 'Creating packaged binaries'
    # TODO: Add packaging steps – rpm, deb, MSI, dpkg + signing + SHA
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.package-binaries == true }}
    needs: ci-build
    steps:
      - name: 'Create packaged binaries'
        run: echo "Creating packaged binaries"

   #    TODO: Add habitat build steps from plan.sh for various packages/platforms/machine archs, optionally publish to Builder, then optionally test with grype
  habitat-build:
    name: 'Creating Habitat packages'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.habitat-build == true }}
    needs: package-binary
    steps:
      - name: 'Create Habitat packages'
        run: echo "Creating Habitat packages"
    # TODO: add flag for any params needed
  habitat-publish:
    name: 'Publishing Habitat packages to Builder'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.publish-habitat-packages == true }}
    needs: habitat-build
    steps:
      - name: 'Publishing Habitat packages to Builder'
        run: echo "Publishing Habitat packages to Builder"

  habitat-grype-scan-linux:
    # this workflow installs a specified Chef Habitat package and runs a Grype security scan against it.
    # It supports multiple OS runners (Linux, Windows, MacOS) and allows dynamic input of package details.
    # The results of the Grype scan are uploaded as artifacts for further analysis.

    # Example hab pkg install command:
    # hab pkg install core/7zip/24.09/20250708070501 --channel base-2025 --auth HAB_PERSONAL_ACCESS_TOKEN 
    # -z, --auth <AUTH_TOKEN>            Authentication token for Builder [env: HAB_AUTH_TOKEN=]
    #     --binlink-dir <BINLINK_DIR>    Binlink all binaries from installed package(s) into BINLINK_DIR [env: HAB_BINLINK_DIR=]  [default: /bin]
    # -u, --url <BLDR_URL>               Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
    # -c, --channel <CHANNEL>            Install from the specified release channel [env: HAB_BLDR_CHANNEL=]  [default: stable]

    # Example hab pkg download command (we do not use this in the workflow but it's here for reference; allows --target):
    # hab pkg download core/nginx/<VERSION>/<RELEASE> \
    # --channel stable \  
    # --target x86_64-linux \
    # --download-directory /tmp/habitat_packages
    name: 'Grype scan of Habitat packages'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'ubuntu-latest' }}
    # TODO: make this a matrix operation 
    needs: habitat-publish
    steps:
      - name: Install Chef Habitat (MacOS and Linux)
        run: |
          curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | sudo bash

      - name: Configure Habitat (MacOS and Linux)
        run: |
          # Add Habitat to PATH (for current session and future steps if needed, though install.sh usually handles symlinks)
          echo "/hab/bin" >> $GITHUB_PATH
          
          # Accept the license
          echo "HAB_LICENSE=accept-no-persist" >> $GITHUB_ENV
          
          # Create the necessary directory structure for license file
          sudo mkdir -p /hab/accepted-licenses/
          sudo touch /hab/accepted-licenses/habitat

      - name: Install Grype (Linux and MacOS)
        continue-on-error: true
        run: |
          curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin

      - name: Install Habitat Package under test (example core/nginx on MacOS and Linux)
        run: |
          PACKAGE="${{ inputs.publish-habitat-hab_package }}"
          if [ -n "${{ inputs.publish-habitat-hab_version }}" ]; then
            PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_version }}"
          fi
          if [ -n "${{ inputs.publish-habitat-hab_release }}" ]; then
            PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_release }}"
          fi
          
          INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
          
          if [ -n "${{ inputs.publish-habitat-hab_channel }}" ]; then
            INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.publish-habitat-hab_channel }}"
          fi
          
          AUTH_TOKEN="${{ inputs.publish-habitat-hab_auth_token }}"
          if [ -z "${AUTH_TOKEN}" ]; then
            AUTH_TOKEN="${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
            echo "Using token from repository secret"
          else
            echo "Using token from workflow input"
          fi
          # if [ -n "${AUTH_TOKEN}" ]; then
          #   INSTALL_CMD="${INSTALL_CMD} --auth ${AUTH_TOKEN}"
          # fi
          
          echo "Installing: ${INSTALL_CMD}"
          eval ${INSTALL_CMD}

      - name: Run Grype Scan on Habitat Package
        timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
        run: |
          # Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
          PKG_PATH=$(hab pkg path ${{ inputs.publish-habitat-hab_package }})
          # run grype in runner
          grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} 
          # run grype to output to file (which is uploaded to the job as an artifact)
          OUTPUT_FILE="grype-results-ubuntu-${{ inputs.publish-habitat-hab_package }}.txt"
          OUTPUT_FILE="${OUTPUT_FILE//\//-}"
          echo $OUTPUT_FILE
          grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} > $OUTPUT_FILE
          echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV
          
      - name: Upload Grype Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: grype-results-ubuntu-${{ env.OUTPUT_FILE }}
          path: ${{ env.OUTPUT_FILE }}

  habitat-grype-scan-windows:
    name: 'Grype scan of Habitat packages (Windows)'
    runs-on: windows-latest
    if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'windows-latest' }}
    # TODO: make this a matrix operation 
    needs: habitat-publish
    steps:
      - name: Install Chef Habitat (Windows)
        run: |
          choco install habitat

          # Set-ExecutionPolicy Bypass -Scope Process -Force;
          # [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
          # iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1'))
          # $env:PATH += ";~\bin\hab-1.6.1245-20250905141844-x86_64-windows"
          # Write-Host "one"
          # ls ~/bin
          # Write-Host "two"
          # ls c:/users/runneradmin/bin
          # Write-Host "three"
          # ls c:/hab
          # ls "~\bin\hab-1.6.1245-20250905141844-x86_64-windows"
          
          # Write-Host "end"
          hab --version
      
      - name: Configure Habitat (Windows)
        run: |
          # Accept the license
          echo "HAB_LICENSE=accept-no-persist" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
          
          # Create the necessary directory structure for license file
          New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses"
          New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat"
          
      - name: Install Grype (Windows)
        continue-on-error: true
        run: |
          $ErrorActionPreference = 'Stop'
          # Download and install Grype for Windows
          $grypeVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/anchore/grype/releases/latest").tag_name
          $grypeUrl = "https://github.com/anchore/grype/releases/download/$grypeVersion/grype_$($grypeVersion.TrimStart('v'))_windows_amd64.zip"
          $grypeZip = "$env:TEMP\grype.zip"
          $grypeDir = "$env:TEMP\grype"
          
          # Download Grype
          Invoke-WebRequest -Uri $grypeUrl -OutFile $grypeZip
          
          # Extract Grype
          Expand-Archive -Path $grypeZip -DestinationPath $grypeDir -Force
          
          # Add Grype to PATH for subsequent steps
          echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
          
          # Verify installation
          & "$grypeDir\grype.exe" version

      - name: Install Habitat Package under test (Windows)
        run: |
          $Package = "${{ inputs.publish-habitat-hab_package }}"
          if ("${{ inputs.publish-habitat-hab_version }}" -ne "") {
            $Package = "${Package}/${{ inputs.publish-habitat-hab_version }}"
          }
          if ("${{ inputs.publish-habitat-hab_release }}" -ne "") {
            $Package = "${Package}/${{ inputs.publish-habitat-hab_release }}"
          }
          
          $InstallCmd = "hab pkg install ${Package}"
          
          if ("${{ inputs.publish-habitat-hab_channel }}" -ne "") {
            $InstallCmd = "${InstallCmd} --channel ${{ inputs.publish-habitat-hab_channel }}"
          }
          
          $AuthToken = "${{ inputs.publish-habitat-hab_auth_token }}"
          if ([string]::IsNullOrEmpty($AuthToken)) {
            $AuthToken = "${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
            Write-Host "Using token from repository secret"
          } else {
            Write-Host "Using token from workflow input"
          }
          # if (-not [string]::IsNullOrEmpty($AuthToken)) {
          #   $InstallCmd = "${InstallCmd} --auth ${AuthToken}"
          # }
          
          Write-Host "Installing: ${InstallCmd}"
          Invoke-Expression $InstallCmd

      - name: Run Grype Scan on Habitat Package (Windows)
        timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
        run: |
          # Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
          $PkgPath = hab pkg path ${{ inputs.publish-habitat-hab_package }}
          # run grype in runner
          grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }}
          # run grype to output to file (which is uploaded to the job as an artifact)
          $OutputFile = "grype-results-windows-${{ inputs.publish-habitat-hab_package }}.txt"
          $OutputFile = $OutputFile -replace '/', '-'
          Write-Host $OutputFile
          grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} | Out-File -FilePath $OutputFile -Encoding utf8
          echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
                
      - name: Upload Grype Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: grype-results-windows-${{ env.OUTPUT_FILE }}
          path: ${{ env.OUTPUT_FILE }}

  publish:
    name: 'Publishing packages'
    #    TODO: Add binary publishing steps – container from Dockerfile to ECR, go-releaser binary to releases page, 
    #       omnibus to artifactory, gems, choco, homebrew, other app stores
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.publish-packages == true }}
    needs: habitat-build
    steps:
      - name: 'Publishing packages'
        run: echo "Publishing packages"
  
  generate-sbom:
    name: 'Generating SBOM'
    #    Create software bill-of-materials (SBOM) using SPDX format
    if: ${{ inputs.generate-sbom == true }}
    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
    needs: checkout # TODO: fix set-application-version
    secrets: inherit
    with:
      github-event-name: ${{ inputs.github-event-name }}
      github-branch-name: ${{ inputs.github-branch-name }}
      version: ${{ inputs.version }}
      export-github-sbom: ${{ inputs.export-github-sbom }}
      perform-blackduck-sca-scan: ${{ inputs.perform-blackduck-sca-scan && github.event_name == 'push' }}
      # generate-blackduck-sbom: ${{ inputs.generate-blackduck-sbom }}  # obsolete, remove TODO
      blackduck-project-group-name: ${{ inputs.blackduck-project-group-name }}
      blackduck-project-name: ${{ inputs.blackduck-project-name }}
      generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
      license_scout: ${{ inputs.license_scout }}
      go-private-modules: ${{ inputs.go-private-modules }}
      blackduck-force-low-accuracy-mode: ${{ inputs.blackduck-force-low-accuracy-mode }}
      run-bundle-install: ${{ inputs.run-bundle-install }} # Passed to sbom.yml to generate Gemfile.lock at runtime
      language: ${{ inputs.language }}
      ruby-app-directory: ${{ inputs.ruby-app-directory }}
      blackduck-fail-on-blocker: ${{ inputs.blackduck-fail-on-blocker }}
      blackduck-fail-on-critical: ${{ inputs.blackduck-fail-on-critical }}
      blackduck-fail-on-major: ${{ inputs.blackduck-fail-on-major }}

  quality-dashboard:
    name: 'Reporting to quality dashboard'
    needs: generate-sbom
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    if: ${{ inputs.report-to-atlassian-dashboard == true && success() }}
    uses: chef/common-github-actions/.github/workflows/irfan-quality-dashboard.yml@main
    with:
      perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
      build-profile: ${{ inputs.build-profile }}
      language: ${{ inputs.language }}
      report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
      report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
      quality-product-name: ${{ inputs.quality-product-name }}
      quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
      quality-testing-type: ${{ inputs.quality-testing-type }}
      quality-service-name: ${{ inputs.quality-service-name }}
      quality-junit-report: ${{ inputs.quality-junit-report }}
      visibility: ${{ inputs.visibility }}
      go-private-modules: ${{ inputs.go-private-modules }}
      udf1: ${{ inputs.udf1 }}
      udf2: ${{ inputs.udf2 }}
      udf3: ${{ inputs.udf3 }}