name: Pull Request

on:
  pull_request:
    branches: [main]

env:
  NODE_VERSION: '20'

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - uses: actions/setup-node@v4
      with:
        node-version: ${{ env.NODE_VERSION }}
        cache: npm
    - run: npm ci
    - run: npm run format:check
    - run: npm run lint:check
    - run: npm run typecheck
    - name: Install CLI dependencies
      working-directory: ./cli
      run: npm ci
    - name: Generate combined coverage
      run: ./scripts/combine-coverage.js
      env:
        NODE_ENV: test
    - uses: codecov/codecov-action@v5
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
        directory: ./coverage-combined
        fail_ci_if_error: true

  security:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - run: ./scripts/security/credential-audit.sh
    - uses: trufflesecurity/trufflehog@main
      with:
        path: ./
        base: ${{ github.event.pull_request.base.sha }}
        head: ${{ github.event.pull_request.head.sha }}
        extra_args: --debug --only-verified

  docker:
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.changed_files, 'Dockerfile') || contains(github.event.pull_request.changed_files, 'src/')
    steps:
    - uses: actions/checkout@v4
    - uses: docker/build-push-action@v6
      with:
        context: .
        push: false
        tags: test:latest