---
name: tox

on:
  push: # only publishes pushes to the main branch to TestPyPI
    branches: # any integration branch but not tag
      - "main"
  pull_request:
    branches:
      - "main"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

env:
  FORCE_COLOR: 1 # tox, pytest, ansible-lint
  PY_COLORS: 1

jobs:
  pre:
    name: pre
    runs-on: ubuntu-22.04
    outputs:
      matrix: ${{ steps.generate_matrix.outputs.matrix }}
    steps:
      - name: Determine matrix
        id: generate_matrix
        uses: coactions/dynamic-matrix@v1
        with:
          min_python: "3.9"
          max_python: "3.11"
          other_names: |
            lint
            pkg
            hook
            docs
            schemas
            eco
            py-devel
          platforms: linux,macos
  test-action:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Self test for ansible-lint@${{ github.action_ref || 'main' }}
        uses: ./
        with:
          # basically we only lint linter own configuration, which should be passing.
          args: .ansible-lint
  build:
    name: ${{ matrix.name }}
    runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
    needs:
      - pre
      - test-action
    defaults:
      run:
        shell: ${{ matrix.shell || 'bash'}}
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.pre.outputs.matrix) }}
      # max-parallel: 5
      # The matrix testing goal is to cover the *most likely* environments
      # which are expected to be used by users in production. Avoid adding a
      # combination unless there are good reasons to test it, like having
      # proof that we failed to catch a bug by not running it. Using
      # distribution should be preferred instead of custom builds.
    env:
      # vars safe to be passed to wsl:
      WSLENV: FORCE_COLOR:PYTEST_REQPASS:TOXENV:GITHUB_STEP_SUMMARY
      # Number of expected test passes, safety measure for accidental skip of
      # tests. Update value if you add/remove tests.
      PYTEST_REQPASS: 805
    steps:
      - name: Activate WSL1
        if: "contains(matrix.shell, 'wsl')"
        uses: Vampire/setup-wsl@v2

      - name: MacOS workaround for https://github.com/actions/virtual-environments/issues/1187
        if: ${{ matrix.os == 'macOS-latest' }}
        run: |
          sudo sysctl -w net.link.generic.system.hwcksum_tx=0
          sudo sysctl -w net.link.generic.system.hwcksum_rx=0

      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # needed by setuptools-scm
          submodules: true

      - name: Set pre-commit cache
        uses: actions/cache@v3
        if: ${{ matrix.passed_name == 'lint' }}
        with:
          path: |
            ~/.cache/pre-commit
          key: pre-commit-${{ matrix.name || matrix.passed_name }}-${{ hashFiles('.pre-commit-config.yaml') }}

      - name: Set ansible cache(s)
        uses: actions/cache@v3
        with:
          path: |
            .cache/eco
            examples/playbooks/collections/ansible_collections
            ~/.cache/ansible-compat
            ~/.ansible/collections
            ~/.ansible/roles
          key: ${{ matrix.name || matrix.passed_name }}-${{ hashFiles('tools/test-eco.sh', 'requirements.yml', 'examples/playbooks/collections/requirements.yml') }}

      - name: Set up Python ${{ matrix.python_version || '3.9' }}
        if: "!contains(matrix.shell, 'wsl')"
        uses: actions/setup-python@v4
        with:
          cache: pip
          python-version: ${{ matrix.python_version || '3.9' }}

      - uses: actions/setup-node@v3
        with:
          node-version: 18
          cache: "npm"
          cache-dependency-path: test/schemas/package-lock.json

      - name: Run ./tools/test-setup.sh
        run: ./tools/test-setup.sh

      - name: Install tox
        run: |
          python3 -m pip install --upgrade pip
          python3 -m pip install --upgrade "tox>=4.0.0"

      - name: Log installed dists
        run: python3 -m pip freeze --all

      - name: Initialize tox envs ${{ matrix.passed_name }}
        run: python3 -m tox --notest --skip-missing-interpreters false -vv -e ${{ matrix.passed_name }}
        timeout-minutes: 5 # average is under 1, but macos can be over 3

      # sequential run improves browsing experience (almost no speed impact)
      - name: tox -e ${{ matrix.passed_name }}
        run: python3 -m tox -e ${{ matrix.passed_name }}

      - name: Combine coverage data
        if: ${{ startsWith(matrix.passed_name, 'py') }}
        # produce a single .coverage file at repo root
        run: tox -e coverage

      - name: Upload coverage data
        if: ${{ startsWith(matrix.passed_name, 'py') }}
        uses: codecov/codecov-action@v3
        with:
          name: ${{ matrix.passed_name }}
          fail_ci_if_error: false # see https://github.com/codecov/codecov-action/issues/598
          token: ${{ secrets.CODECOV_TOKEN }}
          verbose: true # optional (default = false)

      - name: Archive logs
        uses: actions/upload-artifact@v3
        with:
          name: logs.zip
          path: .tox/**/log/
        # https://github.com/actions/upload-artifact/issues/123
        continue-on-error: true

      - name: Report failure if git reports dirty status
        run: |
          git checkout HEAD -- src/ansiblelint/schemas/__store__.json
          if [[ -n $(git status -s) ]]; then
            # shellcheck disable=SC2016
            echo -n '::error file=git-status::'
            printf '### Failed as git reported modified and/or untracked files\n```\n%s\n```\n' "$(git status -s)" | tee -a "$GITHUB_STEP_SUMMARY"
            exit 99
          fi
        # https://github.com/actions/toolkit/issues/193
  codeql:
    name: codeql
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: ["python"]

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.

          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{matrix.language}}"

  check: # This job does nothing and is only used for the branch protection
    if: always()
    permissions:
      pull-requests: write # allow codenotify to comment on pull-request

    needs:
      - build
      - test-action

    runs-on: ubuntu-latest

    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1
        with:
          jobs: ${{ toJSON(needs) }}

      - name: Check out src from Git
        uses: actions/checkout@v3

      - name: Notify repository owners about lint change affecting them
        uses: sourcegraph/codenotify@v0.6.4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # https://github.com/sourcegraph/codenotify/issues/19
        continue-on-error: true