name: CI

on:
  pull_request:
  push:
    branches:
      - main

permissions:
  contents: read

jobs:
  go-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true
      - name: Stub web/dist for go:embed
        run: mkdir -p web/dist && touch web/dist/.gitkeep
      - name: Test
        run: |
          go list ./... | grep -v '/frontend/node_modules/' > /tmp/go-packages.txt
          go test $(cat /tmp/go-packages.txt)

  govulncheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod
          cache: true
      - name: Stub web/dist for go:embed
        run: mkdir -p web/dist && touch web/dist/.gitkeep
      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Run govulncheck
        run: govulncheck ./...

  frontend:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version-file: .nvmrc
          cache: npm
          cache-dependency-path: frontend/package-lock.json
      - name: Install
        run: npm ci
        working-directory: frontend
      - name: Lint
        run: npm run lint
        working-directory: frontend
      - name: Build
        run: npm run build
        working-directory: frontend
      - name: Audit
        run: npm audit --audit-level=high
        working-directory: frontend