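---
# PR security gates: secret scan (Gitleaks) and CVE scan (Trivy).
# Both jobs run on the self-hosted runner `stage-gatehouse-ui`, so anything
# installed here persists across runs (see the install steps below).
#
# NOTE(review): the workflow name says "develop", but `branches` also lists
# `main`; both targets are gated. Rename if that is not intended.
# NOTE(review): if this repository accepts PRs from forks, be aware that
# `pull_request` on a self-hosted runner runs against untrusted checkouts;
# the scanners only read files, but the `curl | sh` install below executes
# remotely fetched code on that runner. Confirm the repo's visibility.
name: PR -> develop

on:
  pull_request:
    branches:
      - main
      - develop

# Least privilege: neither job writes back to the repository, so the default
# GITHUB_TOKEN only needs read access to the checkout. Without this the token
# inherits the repository default, which may be write-all.
permissions:
  contents: read

env:
  GITLEAKS_VERSION: "8.30.1"

jobs:
  # ── 1. Secret scan ────────────────────────────────────────────────────────────
  gitleaks:
    name: Scan for secrets (Gitleaks)
    runs-on: stage-gatehouse-ui
    steps:
      # TODO(review): pin third-party actions to a full commit SHA instead of a
      # movable tag so a retagged or compromised `v4` cannot run here unnoticed.
      - uses: actions/checkout@v4
        with:
          # Full history so the base..head range below resolves on the merge ref.
          fetch-depth: 0

      - name: Install Gitleaks
        # On a persistent runner, skipping the install whenever *any* gitleaks
        # is on PATH silently defeats GITLEAKS_VERSION (a stale binary would be
        # used forever). Only skip when the installed version matches the pin.
        # `set -euo pipefail`: the runner's default `bash -e {0}` does not set
        # pipefail, so a failed `curl` feeding `tar` could otherwise pass.
        run: |
          set -euo pipefail
          if command -v gitleaks >/dev/null 2>&1 \
             && gitleaks version 2>/dev/null | grep -qF "${GITLEAKS_VERSION}"; then
            echo "gitleaks ${GITLEAKS_VERSION} already installed"
            exit 0
          fi
          # TODO(review): verify the tarball against the checksums published
          # with the release before installing; right now the download is
          # trusted on TLS alone, with no integrity check of the binary.
          curl -sSfL \
            "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar xz gitleaks
          mv gitleaks /usr/local/bin/gitleaks

      - name: Run secret scan
        # Scan only the commits this PR introduces (base..head), not the whole
        # history. The `${{ }}` expansions are event SHAs (hex), so they cannot
        # inject shell syntax here. `--redact` keeps secret values out of the
        # CI log even though `--verbose --log-level debug` print every finding.
        # NOTE(review): `gitleaks detect` is the legacy entry point in 8.x;
        # newer releases prefer `gitleaks git` — confirm against this version.
        run: |
          set -euo pipefail
          gitleaks detect --source . \
            --log-opts="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" \
            --exit-code 1 --redact --verbose --log-level debug

  # ── 2. CVE scan ───────────────────────────────────────────────────────────────
  trivy:
    name: Scan for CVEs (Trivy)
    runs-on: stage-gatehouse-ui
    steps:
      # TODO(review): pin to a full commit SHA (see the gitleaks job).
      - uses: actions/checkout@v4

      - name: Install Trivy
        # Supply-chain caveat: the install script is fetched from the mutable
        # `main` branch and piped straight into `sh`, so the code executed here
        # can change between runs with no diff in this repository, and the
        # binary version is whatever the script picks that day. Unlike the
        # gitleaks job, nothing here is pinned.
        # TODO(review): add a `TRIVY_VERSION` to `env` and pin both the script
        # and the binary to that tag, e.g.
        #   .../aquasecurity/trivy/v${TRIVY_VERSION}/contrib/install.sh | sh -s -- -b /usr/local/bin v${TRIVY_VERSION}
        # and re-run the install when the cached binary does not match, as the
        # gitleaks step does. A pinned Trivy still refreshes its vuln DB online.
        run: |
          set -euo pipefail
          command -v trivy >/dev/null 2>&1 || \
            curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin

      - name: Run filesystem scan
        # Fail the PR on any HIGH/CRITICAL finding in the checked-out tree.
        run: |
          set -euo pipefail
          trivy fs \
            --exit-code 1 \
            --severity HIGH,CRITICAL \
            --no-progress \
            .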