ci.yml

name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

permissions:
  contents: read

jobs:
  dependency-review:
    name: Dependency Review
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest

    steps:
      - name: Check dependency review API availability
        id: dependency-review-availability
        env:
          GITHUB_TOKEN: ${{ github.token }}
          REPOSITORY: ${{ github.repository }}
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          response_file="$(mktemp)"
          status_code="$(curl --silent --output "$response_file" --write-out '%{http_code}' \
            -H "Authorization: Bearer ${GITHUB_TOKEN}" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/repos/${REPOSITORY}/dependency-graph/compare/${BASE_SHA}...${HEAD_SHA}")"

          if [ "$status_code" = "200" ]; then
            echo "supported=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          if [ "$status_code" = "403" ] || [ "$status_code" = "404" ]; then
            echo "supported=false" >> "$GITHUB_OUTPUT"
            echo "status_code=$status_code" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          cat "$response_file"
          echo "Unexpected dependency review API response: $status_code" >&2
          exit 1

      - name: Checkout code
        if: steps.dependency-review-availability.outputs.supported == 'true'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Review dependency changes
        if: steps.dependency-review-availability.outputs.supported == 'true'
        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
        with:
          fail-on-severity: moderate
          fail-on-scopes: development, runtime, unknown

      - name: Explain skipped dependency review
        if: steps.dependency-review-availability.outputs.supported != 'true'
        run: |
          echo "::warning title=Dependency review skipped::GitHub dependency review is unavailable for this repository. Enable Dependency graph in repository settings to re-enable this check."
          {
            echo "## Dependency review skipped"
            echo
            echo "GitHub's dependency review API returned HTTP ${STATUS_CODE:-unknown} for this repository."
            echo
            echo "Enable Dependency graph in repository settings to re-enable actions/dependency-review-action."
          } >> "$GITHUB_STEP_SUMMARY"
        env:
          STATUS_CODE: ${{ steps.dependency-review-availability.outputs.status_code }}

  secure-install-review:
    name: Secure Install Review
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependency metadata without scripts
        run: npm ci --ignore-scripts

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run npm audit
        run: npm audit --audit-level=high

  setup:
    name: Setup Dependencies
    runs-on: ubuntu-latest
    outputs:
      cache-hit: ${{ steps.cache-node-modules.outputs.cache-hit }}

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Cache node modules
        id: cache-node-modules
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-node-

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

  lint:
    name: Lint Code
    runs-on: ubuntu-latest
    needs: [setup, secure-install-review]

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run linter
        run: npm run lint

  type-check:
    name: Type Check
    runs-on: ubuntu-latest
    needs: [setup, secure-install-review]

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run type-check
        run: npx tsc --noEmit

  test:
    name: Run Tests
    runs-on: ubuntu-latest
    needs: [setup, secure-install-review]

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Run tests
        run: npm run test:run

      - name: Generate coverage report
        run: npm run test:coverage
        continue-on-error: true

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          files: ./coverage/coverage-final.json
          fail_ci_if_error: false
        continue-on-error: true

  build:
    name: Build Application
    runs-on: ubuntu-latest
    needs: [lint, type-check, test, secure-install-review]

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Build application
        run: npm run build

      - name: Upload build artifacts
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: dist
          path: dist/
          retention-days: 7

  performance:
    name: Performance Check
    runs-on: ubuntu-latest
    needs: build
    if: github.event_name == 'pull_request'

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: "20"
          cache: "npm"

      - name: Restore cached dependencies
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

      - name: Install dependencies
        run: npm ci

      - name: Verify frozen lockfile
        run: git diff --exit-code -- package-lock.json

      - name: Build application
        run: npm run build

      - name: Run Lighthouse CI
        uses: treosh/lighthouse-ci-action@3e7e23fb74242897f95c0ba9cabad3d0227b9b18 # v12
        with:
          urls: |
            http://localhost:4173
          uploadArtifacts: true
          temporaryPublicStorage: true
        continue-on-error: true