name: Code Analysis (JS/Vue)

on:
  pull_request:
  push:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Node versions
        run: |
          node -v
          npm -v

      - name: Install dependencies
        run: npm ci

      - name: Lint
        run: npm run lint

      - name: Unit tests
        run: npm test

      - name: Build
        run: npm run build --if-present

      - name: Semgrep (SAST)
        run: semgrep --config p/default --error .

      - name: npm audit (high+)
        run: npm audit --audit-level=high || true

      - name: OSV-Scanner (SCA)
        run: |
          curl -L -o osv-scanner https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64
          chmod +x osv-scanner
          ./osv-scanner --lockfile package-lock.json

      - name: gitleaks (Secrets Scanning)
        run: |
          curl -sSL -L https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_linux_x64.tar.gz -o gitleaks.tar.gz
          if [ ! -s gitleaks.tar.gz ] || file gitleaks.tar.gz | grep -q "HTML"; then
            echo "Error: Downloaded file is not a valid archive"
            exit 1
          fi
          tar -xzf gitleaks.tar.gz 2>/dev/null || tar -xf gitleaks.tar.gz || (echo "Failed to extract archive" && exit 1)
          chmod +x gitleaks
          ./gitleaks detect --source . --no-git --redact --exit-code 1
          rm -f gitleaks.tar.gz