name: CI

on:
  push:
    branches:
      - '**'
    tags-ignore:
      - '**'

# Cancel superseded runs on the same branch.
concurrency:
  group: ci-${{ github.ref }}
  cancel-in-progress: true

jobs:
  ci:
    runs-on: docker
    env:
      ANDROID_HOME: /opt/android-sdk
      ANDROID_SDK_ROOT: /opt/android-sdk
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: 'zulu'
          java-version: '17'

      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          # Default ("tools platform-tools") drags in the Android Emulator
          # (~300 MB) which the build never uses.
          packages: ''

      - name: Setup Android SDK cache
        uses: actions/cache@v4
        with:
          path: /opt/android-sdk
          key: ${{ runner.os }}-android-sdk-37-36.0.0

      - name: Install Android SDK packages
        run: |
          yes | sdkmanager --licenses >/dev/null || true
          sdkmanager \
            "platform-tools" \
            "platforms;android-37.0" \
            "build-tools;36.0.0"

      - name: Setup Gradle cache
        uses: actions/cache@v4
        with:
          path: |
            ~/.gradle/caches
            ~/.gradle/wrapper
          key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties', 'gradle/libs.versions.toml') }}
          restore-keys: |
            ${{ runner.os }}-gradle-

      - name: Grant execute permission for gradlew
        run: chmod +x ./gradlew

      # No --no-daemon: the daemon lives only as long as this job container
      # and lets the following steps skip JVM startup + reconfiguration.
      - name: Lint (debug variant only)
        run: ./gradlew lintDebug

      - name: Unit tests
        run: ./gradlew testDebugUnitTest

      - name: Assemble debug APK
        run: ./gradlew assembleDebug

      - name: Trivy filesystem scan
        if: github.ref == 'refs/heads/main'
        run: |
          set -e
          SUDO=""
          if command -v sudo >/dev/null 2>&1; then
            SUDO="sudo"
          fi
          if command -v apt-get >/dev/null 2>&1; then
            $SUDO apt-get update
            $SUDO apt-get install -y wget apt-transport-https gnupg lsb-release
            wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | $SUDO tee /usr/share/keyrings/trivy.gpg > /dev/null
            echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | $SUDO tee /etc/apt/sources.list.d/trivy.list
            $SUDO apt-get update
            $SUDO apt-get install -y trivy
          fi
          trivy filesystem --severity HIGH,CRITICAL --exit-code 0 .
        continue-on-error: true