# umami-api-client continuous integration
name: umami_api_client_ci
permissions:
  contents: write
  pull-requests: write
  pages: write

# Controls when the action will run.
on:
  # Triggers the workflow on pull request or push (only for the npmjs branch)
  push:
    branches:
      - npmjs
      - main
  pull_request:

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    env:
      UMAMI_TEST_HOSTED_SERVER: ${{secrets.UMAMI_SERVER}}
      UMAMI_TEST_HOSTED_DOMAIN: ${{secrets.UMAMI_SITE_DOMAIN}}
      UMAMI_TEST_USER: ${{secrets.UMAMI_USER}}
      UMAMI_TEST_PASSWORD: ${{secrets.UMAMI_PASSWORD}}
      UMAMI_TEST_CLOUD_DOMAIN: ${{secrets.UMAMI_TEST_CLOUD_DOMAIN}}
      UMAMI_TEST_CLOUD_API_KEY: ${{secrets.UMAMI_TEST_CLOUD_API_KEY}}

    strategy:
      matrix:
        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
        node-version: [ 20.x ]

    steps:
      - name: SETUP - Checkout
        uses: actions/checkout@v6

      # https://github.com/pnpm/action-setup
      - name: SETUP - Install pnpm
        uses: pnpm/action-setup@v4.2.0
        with:
          run_install: false

      - name: SETUP - Install Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'pnpm'
          cache-dependency-path: pnpm-lock.yaml

      - name: SETUP - Install dependencies
        run: |
          echo "Installing dependencies..."
          pnpm install --frozen-lockfile

      - name: TEST - run ci-tests with c8 code coverage
        run: |
          pnpm run ci-test

      - name: COVERAGE - Report coverage on pull request
        if: github.event_name == 'pull_request'
        continue-on-error: true
        # uses: romeovs/lcov-reporter-action@v0.2.16 # https://github.com/romeovs/lcov-reporter-action/issues/10
        uses: andybelltree/lcov-reporter-action@v1.7.0 # https://github.com/andybelltree/lcov-reporter-action/releases
        with:
          lcov-file: ./coverage/lcov.info
          filter-changed-files: true

      - name: COVERAGE - Deploy tag coverage report on Github Pages
        uses: peaceiris/actions-gh-pages@v4
        if: github.ref == 'refs/heads/main'
        with:
          github_token: ${{ secrets.GH_ACTIONS_TOKEN }}
          publish_branch: gh-pages
          publish_dir: ./coverage/lcov-report
          user_name: 'github-actions[bot]'
          user_email: 'github-actions[bot]@users.noreply.github.com'
          commit_message: ${{ github.event.head_commit.message }}
          force_orphan: true

      - name: CHECK - pnpm audit inline (prod deps only)
        if: ${{ github.actor == 'dependabot[bot]' || !(github.event_name == 'pull_request') }}
        run: |
          pnpm audit --prod --audit-level=high > audit.txt && echo "::info::✅ No vulnerabilities found" || (echo "::warning::❌ Vulnerabilities found";cat audit.txt)

      - name: CHECK - pnpm audit and comment on PR
        if: ${{ github.actor != 'dependabot[bot]' && github.event.pull_request }}
        uses: JamesRobertWiseman/pnpm-audit@v3
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          level: moderate   # 'low'|'moderate'|'high'|'critical'
          fails: false # true to fail the build if vulnerabilities are found
          single_comment: true # true to only post one comment
          inline: true # true to emit audit findings directly in the workflow logs using GitHub annotation syntax

      - name: PACKAGE - PUBLISH - NpmJS package
        if: github.ref == 'refs/heads/npmjs'
        run: |
          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_DEPLOY_TOKEN }}" > .npmrc
          npm whoami # rely on .npmrc
          npm publish