quality.yml

name: Code Quality Checks

on:
  pull_request: { }
  push:
    branches: [ main, develop ]

permissions: {}

# Enrich gradle.properties for CI/CD
env:
  GRADLE_OPTS: -Dorg.gradle.jvmargs="-Xmx3072m -Dfile.encoding=UTF-8 -XX:+HeapDumpOnOutOfMemoryError -XX:MaxMetaspaceSize=1g" -Dkotlin.daemon.jvm.options="-Xmx2560m" -Dkotlin.incremental=false
  CI_GRADLE_ARG_PROPERTIES: --stacktrace -PpreDexEnable=false --max-workers 2 --no-daemon

jobs:
  check:
    name: Project Check Suite
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run code quality check suite
        run: ./tools/check/check_code_quality.sh

  # Knit for all the modules (https://github.com/Kotlin/kotlinx-knit)
  knit:
    name: Knit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Use JDK 21
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '21'
      - name: Configure gradle
        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
        with:
          cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
      - name: Run knit
        run: |
          ./gradlew knitCheck $CI_GRADLE_ARG_PROPERTIES

  # Check the project: ktlint, detekt, lint
  lint:
    name: Android Linter
    runs-on: ubuntu-latest
    # Allow all jobs on main and develop. Just one per PR.
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && format('lint-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('lint-develop-{0}', github.sha) || format('lint-{0}', github.ref) }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Use JDK 21
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '21'
      - name: Configure gradle
        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
        with:
          cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
      - name: Run ktlint
        run: |
          ./gradlew ktlintCheck $CI_GRADLE_ARG_PROPERTIES --continue
      - name: Run detekt
        if: always()
        run: |
          ./gradlew detekt $CI_GRADLE_ARG_PROPERTIES
      - name: Run lint
        # Not always, if ktlint or detekt fail, avoid running the long lint check.
        run: |
          ./gradlew vector-app:lintGplayRelease $CI_GRADLE_ARG_PROPERTIES
          ./gradlew vector-app:lintFdroidRelease $CI_GRADLE_ARG_PROPERTIES
      - name: Upload reports
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: linting-report
          path: |
            */build/reports/**/*.*
      - name: Prepare Danger
        if: always()
        run: |
          npm install --save-dev @babel/core
          npm install --save-dev @babel/plugin-transform-flow-strip-types
          yarn add danger-plugin-lint-report --dev
      - name: Danger lint
        if: always()
        uses: danger/danger-js@67ed2c1f42fd2fc198cc3c14b43c8f83351f4fe9 # 13.0.5
        with:
          args: "--dangerfile ./tools/danger/dangerfile-lint.js"
        env:
          DANGER_GITHUB_API_TOKEN: ${{ secrets.DANGER_GITHUB_API_TOKEN }}
          # Fallback for forks
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Gradle dependency analysis using https://github.com/autonomousapps/dependency-analysis-android-gradle-plugin
  dependency-analysis:
    name: Dependency analysis
    runs-on: ubuntu-latest
    # Allow all jobs on main and develop. Just one per PR.
    concurrency:
      group: ${{ github.ref == 'refs/heads/main' && format('dep-main-{0}', github.sha) || github.ref == 'refs/heads/develop' && format('dep-develop-{0}', github.sha) || format('dep-{0}', github.ref) }}
      cancel-in-progress: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Use JDK 21
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin' # See 'Supported distributions' for available options
          java-version: '21'
      - name: Configure gradle
        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
        with:
          cache-read-only: ${{ github.ref != 'refs/heads/develop' }}
      - name: Dependency analysis
        run: ./gradlew dependencyCheckAnalyze $CI_GRADLE_ARG_PROPERTIES
      - name: Upload dependency analysis
        if: always()
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: dependency-analysis
          path: build/reports/dependency-check-report.html

  zizmor:
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0