name: 🚦 Security & Quality Gate

on:
  pull_request:
    types: [opened, edited, synchronize, reopened]
    branches: [develop, master]
  workflow_dispatch:
  push:
    branches: [develop]

permissions:
  contents: read

jobs:
  validate_pr_title:
    name: "📝 Validate PR Title"
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
      contents: read
    steps:
      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
        id: lint_pr_title
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        if: always() && (steps.lint_pr_title.outputs.error_message != null)
        with:
          header: pr-title-lint-error
          message: |
            Hey there and thank you for opening this pull request! 👋🏼
            We require pull request titles to follow the [Conventional Commits specification](https://www.conventionalcommits.org/en/v1.0.0/).

            **Error details:**
            ```
            ${{ steps.lint_pr_title.outputs.error_message }}
            ```

      - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        with:
          header: pr-title-lint-error
          delete: true

  dependency-review:
    name: 🔍 Vulnerable Dependencies
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          fetch-depth: 0

      - name: Dependency Review
        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
        with:
          fail-on-severity: high
          base-ref: ${{ github.event.pull_request.base.sha || 'develop' }}
          head-ref: ${{ github.event.pull_request.head.sha || github.ref }}

  expo-doctor:
    name: 🚑 Expo Doctor Check
    if: false
    runs-on: ubuntu-24.04
    steps:
      - name: 🛒 Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          submodules: recursive
          fetch-depth: 0

      - name: 🍞 Setup Bun
        uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
        with:
          bun-version: latest

      - name: 📦 Install dependencies (bun)
        run: bun install --frozen-lockfile

      - name: 🚑 Run Expo Doctor
        run: bun expo-doctor

  code_quality:
    name: "🔍 Lint & Test (${{ matrix.command }})"
    runs-on: ubuntu-24.04
    strategy:
      fail-fast: false
      matrix:
        command:
          - "lint"
          - "check"
          - "format"
          - "typecheck"

    steps:
      - name: "📥 Checkout PR code"
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          ref: ${{ github.event.pull_request.head.sha || github.sha }}
          submodules: recursive
          fetch-depth: 0

      - name: "🟢 Setup Node.js"
        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: '24.x'

      - name: "🍞 Setup Bun"
        uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
        with:
          bun-version: latest

      - name: "📦 Install dependencies"
        run: bun install --frozen-lockfile

      - name: "🚨 Run ${{ matrix.command }}"
        run: bun run ${{ matrix.command }}