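# Codacy Security Scan
# (revised: replaced docker action with codacy-cli-v2 install+analyze)
#
# Flow of the single job below:
#   1. Pre-pull the codacy/codacy-analysis-cli Docker image with retries. The
#      image is never run by any step; the pull only acts as a reachability
#      probe whose result (CODACY_DOCKER_OK) selects the analysis path.
#   2. If the pull succeeded, install codacy-cli-v2 with its upstream installer
#      and run `codacy-cli analyze`.
#   3. Otherwise fall back to the codacy-analysis-cli release zip located via
#      the GitHub Releases API.
#   4. Upload results.sarif to GitHub code scanning when a report exists.
#
# Codacy security scan action usage and parameters, see
# https://github.com/codacy/codacy-analysis-cli-action.
# For more information on Codacy Analysis CLI in general, see
# https://github.com/codacy/codacy-analysis-cli.
name: Codacy Security Scan

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: '44 7 * * 0'

# Workflow-wide default; the scan job widens it only as far as it needs.
permissions:
  contents: read

jobs:
  codacy-security-scan:
    name: Codacy Security Scan
    runs-on: ubuntu-latest
    env:
      # Release tag of codacy-analysis-cli, used by the image pull and the
      # Releases API fallback.
      CLI_VERSION: "4.0.0"
      # Empty leaves the version choice to the codacy-cli-v2 installer.
      CODACY_CLI_V2_VERSION: ""
      # Optional sha256 of the downloaded installer script. Verification runs
      # only when this is non-empty; fill in <PINNED_INSTALLER_SHA256> once the
      # installer URL below is pinned to a fixed tag or commit.
      CODACY_INSTALLER_SHA256: ""
      # GitHub env values are always strings; quoted so no YAML tool retypes them.
      MAX_PULL_RETRIES: "6"
      PULL_RETRY_BASE: "5"
    # The project token is deliberately NOT a job-level env var: it is scoped to
    # the two analyze steps only, so the checkout, the installer script and the
    # upload step never have it in their environment.
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
      actions: read
    steps:
      # NOTE(review): third-party actions are pinned by major tag here; pinning
      # to a full commit SHA is the stricter supply-chain option.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Check for non-UTF-8 files
        # Informational only (`|| true` keeps the step green). Lists files whose
        # detected charset is not UTF-8; .git is pruned because its object store
        # is binary by design and would only add noise.
        run: |
          find . -path ./.git -prune -o -type f -exec file --mime {} + \
            | grep -v 'charset=utf-8' || true

      - name: Pre-pull Codacy CLI Docker image
        # Connectivity probe: a successful pull sets CODACY_DOCKER_OK=true and
        # selects the codacy-cli-v2 step; no later step runs the image.
        run: |
          set -euo pipefail
          IMAGE="codacy/codacy-analysis-cli:${CLI_VERSION}"
          echo "CODACY_DOCKER_OK=false" >> "$GITHUB_ENV"
          for i in $(seq 1 "$MAX_PULL_RETRIES"); do
            echo "Attempt $i to pull $IMAGE"
            if docker pull "$IMAGE"; then
              echo "Successfully pulled $IMAGE"
              echo "CODACY_DOCKER_OK=true" >> "$GITHUB_ENV"
              break
            fi
            if [ "$i" -lt "$MAX_PULL_RETRIES" ]; then
              # Exponential backoff (base * 2^(i-1)) plus 1..5s of jitter.
              sleep_time=$(( PULL_RETRY_BASE * 2 ** (i - 1) + RANDOM % 5 + 1 ))
              echo "Retrying in $sleep_time seconds..."
              sleep "$sleep_time"
            else
              # Surfaced as a workflow annotation so the fallback path is
              # visible in the run summary, not only in the step log.
              echo "::warning::Failed to pull $IMAGE after $i attempts."
            fi
          done

      - name: Run Codacy CLI v2 (Install and Analyze)
        if: env.CODACY_DOCKER_OK == 'true'
        env:
          CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
        run: |
          set -euo pipefail
          # NOTE(review): the installer is fetched from a moving branch (main),
          # so its contents can change between runs. Pin it to a tag or commit
          # (<PINNED_REF>) and set CODACY_INSTALLER_SHA256 so the download is
          # integrity-checked before it executes.
          INSTALLER_URL="https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh"
          echo "Installing codacy-cli-v2"
          # Download to a file first: -f turns an HTTP error into a step failure
          # instead of handing an error page to bash, and the file can be
          # checksummed before it runs.
          curl -fsSL "$INSTALLER_URL" -o codacy-cli.sh
          if [ -n "${CODACY_INSTALLER_SHA256:-}" ]; then
            echo "${CODACY_INSTALLER_SHA256}  codacy-cli.sh" | sha256sum -c -
          fi
          bash codacy-cli.sh
          echo "Verifying installation directory"
          ls -alh "$HOME/.codacy/bin" || { echo "Installation directory does not exist"; exit 1; }
          echo "Adding codacy-cli to PATH"
          export PATH="$HOME/.codacy/bin:$PATH"
          echo "Verifying codacy-cli command"
          command -v codacy-cli || { echo "codacy-cli not found in PATH"; exit 1; }
          echo "Running codacy-cli analyze"
          # NOTE(review): these are the codacy-analysis-cli (v1) flags; confirm
          # codacy-cli v2 accepts the same set — an unknown-flag failure would
          # be hidden by the `|| true` below.
          codacy-cli analyze --format sarif --output results.sarif \
            --project-token "${CODACY_PROJECT_TOKEN}" --gh-code-scanning-compat --verbose || true
          # The scan stays best-effort, but a missing report must not go unnoticed.
          [ -s results.sarif ] || echo "::warning::codacy-cli analyze produced no results.sarif"

      - name: Run Codacy Analysis CLI (Fallback)
        if: env.CODACY_DOCKER_OK != 'true'
        env:
          CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
        run: |
          set -euo pipefail
          echo "Fallback to GitHub Releases API"
          RELEASE_URL="https://api.github.com/repos/codacy/codacy-analysis-cli/releases/tags/${CLI_VERSION}"
          RELEASE=$(curl -sS "$RELEASE_URL")
          # head -n 1 keeps ASSET_URL single-line even if the release carries
          # more than one .zip asset; a multi-line value would break the
          # download below.
          ASSET_URL=$(echo "$RELEASE" | jq -r '.assets[] | select(.name | test(".*\\.zip$")) | .browser_download_url' | head -n 1)
          if [ -z "$ASSET_URL" ]; then
            # Also reached when the API returned no assets at all (unknown tag,
            # rate limit), since the response body is not otherwise inspected.
            echo "::error::No suitable asset found"
            exit 1
          fi
          # NOTE(review): the release asset is not integrity-checked; compare it
          # against a published checksum if the release provides one.
          curl -fL -o codacy-cli.zip "$ASSET_URL"
          unzip codacy-cli.zip
          # Assumes the zip unpacks an executable codacy-analysis-cli at the
          # top level — confirm against the release contents.
          ./codacy-analysis-cli analyze --format sarif --output results.sarif \
            --project-token "${CODACY_PROJECT_TOKEN}" --gh-code-scanning-compat --verbose || true
          [ -s results.sarif ] || echo "::warning::codacy-analysis-cli analyze produced no results.sarif"

      - name: Upload SARIF results file
        # Skipped when neither analyze step produced a report; otherwise the
        # upload fails on the missing file and hides the real cause, which the
        # analyze steps already reported as a warning.
        if: ${{ hashFiles('results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif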