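---
# Verify a Gerrit change from GitHub Actions: clear any previous vote, run
# actionlint / pre-commit / checkov against the change's refspec, then post
# the combined job conclusion back to Gerrit as a comment-only review.
#
# Only the `prepare` and `vote` jobs read secrets.GERRIT_SSH_PRIVKEY. The
# jobs that check out and execute content from the change under review
# (pre-commit hooks, checkov) are given no secrets, so the Gerrit SSH key is
# never exposed to code from the change itself.
name: Call Gerrit Verify

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
    inputs:
      GERRIT_BRANCH:
        description: "Branch that change is against"
        required: true
        type: string
      GERRIT_CHANGE_ID:
        description: "The ID for the change"
        required: true
        type: string
      GERRIT_CHANGE_NUMBER:
        description: "The Gerrit number"
        required: true
        type: string
      GERRIT_CHANGE_URL:
        description: "URL to the change"
        required: true
        type: string
      GERRIT_EVENT_TYPE:
        description: "Type of Gerrit event"
        required: true
        type: string
      GERRIT_PATCHSET_NUMBER:
        description: "The patch number for the change"
        required: true
        type: string
      GERRIT_PATCHSET_REVISION:
        description: "The revision sha"
        required: true
        type: string
      GERRIT_PROJECT:
        description: "Project in Gerrit"
        required: true
        type: string
      GERRIT_REFSPEC:
        description: "Gerrit refspec of change"
        required: true
        type: string
    # NOTE(review): a `secrets:` declaration with description/required is the
    # shape used by the workflow_call trigger; confirm that workflow_dispatch
    # accepts it. The steps below read secrets.GERRIT_SSH_PRIVKEY, which
    # presumably resolves from repository/organization secrets either way.
    secrets:
      GERRIT_SSH_PRIVKEY:
        description: "SSH Key for the authorized user account"
        required: true

# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN
# carries the repository's default scope in every job, including the ones
# that execute change content. Consider restricting it; the conclusion step
# in `vote` likely needs `actions: read` — confirm before tightening.

# One run per workflow + branch + change; a newer run for the same change
# (e.g. a new patchset) cancels the one still in progress. GERRIT_CHANGE_ID
# falls back to the run id so an empty input never collapses all runs into
# one group.
concurrency:
  # yamllint disable-line rule:line-length
  group: gerrit-verify-${{ github.workflow }}-${{ github.event.inputs.GERRIT_BRANCH }}-${{ github.event.inputs.GERRIT_CHANGE_ID || github.run_id }}
  cancel-in-progress: true

jobs:
  # Reset the vote on the patchset before verification starts, then wait
  # for the change to replicate before the other jobs check it out.
  prepare:
    runs-on: ubuntu-latest
    steps:
      - name: Clear votes
        # yamllint disable-line rule:line-length
        uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
        with:
          host: ${{ vars.GERRIT_SERVER }}
          username: ${{ vars.GERRIT_SSH_USER }}
          key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
          known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
          gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
          gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
          vote-type: clear
          comment-only: true
      - name: Allow replication
        run: sleep 10s

  # Lint the workflow files in the checked-out change with actionlint.
  actionlint:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Gerrit Checkout
        # yamllint disable-line rule:line-length
        uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
        with:
          gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
          gerrit-project: ${{ inputs.GERRIT_PROJECT }}
          gerrit-url: ${{ vars.GERRIT_URL }}
          delay: "0s"
      - name: Download actionlint
        id: get_actionlint
        # -f makes curl fail on an HTTP error instead of handing the error
        # body to bash; -sS hides the progress meter but keeps error output;
        # -L follows redirects.
        # TODO(review): the installer is fetched from the moving `main`
        # branch rather than a pinned revision — pin it to a specific commit.
        # yamllint disable-line rule:line-length
        run: bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
        shell: bash
      - name: Check workflow files
        # `executable` is the output the download step is expected to set.
        run: ${{ steps.get_actionlint.outputs.executable }} -color
        shell: bash

  # run pre-commit tox env separately to get use of more parallel processing
  pre-commit:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Gerrit Checkout
        # yamllint disable-line rule:line-length
        uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
        with:
          gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
          gerrit-project: ${{ inputs.GERRIT_PROJECT }}
          gerrit-url: ${{ vars.GERRIT_URL }}
          delay: "0s"
      # yamllint disable-line rule:line-length
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version: "3.11"
      - name: Run static analysis and format checkers
        # Presumably runs the hooks declared by the change's own pre-commit
        # config, i.e. code from the change under review; this job holds no
        # secrets for that reason.
        run: pipx run pre-commit run --all-files --show-diff-on-failure

  # Static scan of the checked-out change (submodules included) with checkov.
  checkov-scan:
    needs: prepare
    runs-on: ubuntu-latest
    steps:
      - name: Gerrit Checkout
        # yamllint disable-line rule:line-length
        uses: lfit/checkout-gerrit-change-action@54d751e8bd167bc91f7d665dabe33fae87aaaa63 # v0.9
        with:
          gerrit-refspec: ${{ inputs.GERRIT_REFSPEC }}
          gerrit-project: ${{ inputs.GERRIT_PROJECT }}
          gerrit-url: ${{ vars.GERRIT_URL }}
          delay: "0s"
          submodules: "true"
      - name: Checkov GitHub Action
        # TODO(review): every other action here is pinned to a full commit
        # SHA; `v12` is a mutable tag that can be moved. Pin to
        # bridgecrewio/checkov-action@<COMMIT_SHA_FOR_V12> once verified.
        uses: bridgecrewio/checkov-action@v12
        with:
          output_format: cli,sarif
          output_file_path: console,results.sarif

  # Always runs (even when a verification job fails) so the result — success
  # or failure — is posted back to Gerrit.
  vote:
    if: ${{ always() }}
    needs: [prepare, actionlint, pre-commit, checkov-scan]
    runs-on: ubuntu-latest
    steps:
      - name: Get conclusion
        uses: im-open/workflow-conclusion@e4f7c4980600fbe0818173e30931d3550801b992 # v2.2.3
      - name: Set vote
        # yamllint disable-line rule:line-length
        uses: lfit/gerrit-review-action@9627b9a144f2a2cad70707ddfae87c87dce60729 # v0.8
        with:
          host: ${{ vars.GERRIT_SERVER }}
          username: ${{ vars.GERRIT_SSH_USER }}
          key: ${{ secrets.GERRIT_SSH_PRIVKEY }}
          known_hosts: ${{ vars.GERRIT_KNOWN_HOSTS }}
          gerrit-change-number: ${{ inputs.GERRIT_CHANGE_NUMBER }}
          gerrit-patchset-number: ${{ inputs.GERRIT_PATCHSET_NUMBER }}
          # WORKFLOW_CONCLUSION is expected to be exported by the
          # "Get conclusion" step above.
          vote-type: ${{ env.WORKFLOW_CONCLUSION }}
          comment-only: true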