name: CI

on:
  push:
    branches:
      - '**'
    tags-ignore:
      - '**'
  pull_request:

jobs:
  ci:
    runs-on: docker
    env:
      ANDROID_HOME: /opt/android-sdk
      ANDROID_SDK_ROOT: /opt/android-sdk
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: '17'

      - name: Setup Android SDK
        uses: android-actions/setup-android@v3

      - name: Install Android SDK packages
        run: |
          sdkmanager --licenses >/dev/null <<'EOF'
          y
          y
          y
          y
          y
          y
          y
          y
          y
          y
          EOF
          sdkmanager "platform-tools" "platforms;android-36" "build-tools;36.0.0"

      - name: Install jq
        run: |
          set -e
          SUDO=""
          if command -v sudo >/dev/null 2>&1; then
            SUDO="sudo"
          fi
          if command -v apt-get >/dev/null 2>&1; then
            $SUDO apt-get update
            $SUDO apt-get install -y jq
          elif command -v apk >/dev/null 2>&1; then
            $SUDO apk add --no-cache jq
          elif command -v dnf >/dev/null 2>&1; then
            $SUDO dnf install -y jq
          elif command -v yum >/dev/null 2>&1; then
            $SUDO yum install -y jq
          else
            echo "Could not find a supported package manager to install jq"
            exit 1
          fi

      - name: Setup Flutter
        uses: subosito/flutter-action@v2
        with:
          channel: 'stable'

      - name: Trust Flutter SDK git directory
        run: |
          set -e
          FLUTTER_BIN_DIR="$(dirname "$(command -v flutter)")"
          FLUTTER_SDK_DIR="$(cd "$FLUTTER_BIN_DIR/.." && pwd -P)"
          git config --global --add safe.directory "$FLUTTER_SDK_DIR"
          if [ -n "${FLUTTER_ROOT:-}" ]; then
            git config --global --add safe.directory "$FLUTTER_ROOT"
          fi
          git config --global --add safe.directory /opt/hostedtoolcache/flutter/stable-3.41.4-x64 || true

      - name: Verify Android + Flutter toolchain
        run: flutter doctor -v

      - name: Install dependencies
        run: flutter pub get

      - name: Static analysis
        run: flutter analyze --no-pub

      - name: Run tests
        run: flutter test

      - name: Check outdated dependencies
        run: dart pub outdated
        continue-on-error: true

      - name: Trivy filesystem scan
        run: |
          set -e
          SUDO=""
          if command -v sudo >/dev/null 2>&1; then
            SUDO="sudo"
          fi
          if command -v apt-get >/dev/null 2>&1; then
            $SUDO apt-get update
            $SUDO apt-get install -y wget apt-transport-https gnupg lsb-release
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null
            echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | $SUDO tee /etc/apt/sources.list.d/trivy.list
            $SUDO apt-get update
            $SUDO apt-get install -y trivy
          elif command -v apk >/dev/null 2>&1; then
            $SUDO apk add --no-cache trivy || (wget -qO trivy.tar.gz https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.62.1_Linux-64bit.tar.gz && tar xzf trivy.tar.gz trivy && $SUDO mv trivy /usr/local/bin/)
          fi
          trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .
        continue-on-error: true

      - name: Build debug APK
        run: flutter build apk --debug