name: Code Analysis (JS/Vue)

on:
  pull_request:
  push:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Node versions
        run: |
          node -v
          npm -v

      - name: Install dependencies
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Unit tests
        run: npm test

      - name: Build
        run: npm run build --if-present

      - name: Semgrep (SAST)
        run: semgrep --config p/default --error .

      - name: npm audit (high+)
        run: npm audit --audit-level=high || true

      - name: OSV-Scanner (SCA)
        run: |
          curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
          chmod +x osv-scanner
          ./osv-scanner --lockfile package-lock.json

      - name: gitleaks (Secrets Scanning)
        run: |
          curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_linux_x64.tar.gz \
            | tar -xz gitleaks
          ./gitleaks detect --source . --no-git --redact --exit-code 1