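---
# GitLab CI pipeline for a Go service: unit tests with coverage (stage `test`),
# then a gosec security scan and a SonarQube analysis that imports both the
# coverage and the gosec report (stage `scan`). Every job is restricted to the
# `devops-ec2` branch via `only:`.
stages:
  - test
  - scan

# Directories preserved between pipeline runs (sonar-scanner's download cache
# and a generic `.cache` directory).
cache:
  paths:
    - .sonar/cache
    - .cache

# ======================================================
# 🧪 Step 1: Unit Test + Coverage
# ======================================================
unit_test:
  stage: test
  image: golang:1.23
  services:
    - name: redis:7-alpine
      alias: redis
  variables:
    REDIS_HOST: redis
    # Quoted so the value stays a string for YAML tooling; GitLab exports CI
    # variables as strings either way.
    REDIS_PORT: "6379"
  script:
    - echo "🧪 Menjalankan unit test..."
    - go mod tidy
    # `|| true` keeps the job green even when tests fail, so coverage.out is
    # always produced; failing tests are therefore only visible in the job log
    # and in SonarQube, never as a red pipeline. Remove the `|| true` to make
    # test failures fail the pipeline — the artifact is still uploaded because
    # of `when: always` below.
    - go test ./... -coverprofile=coverage.out || true
    # Print only the total coverage line.
    - go tool cover -func=coverage.out | tail -n 1
  artifacts:
    when: always
    paths:
      - coverage.out
    expire_in: 1 week
  only:
    - devops-ec2

# ======================================================
# 🔒 Step 2: Security Scan (Gosec)
# ======================================================
gosec_scan:
  stage: scan
  # NOTE(review): this job uses golang:1.24 while unit_test uses golang:1.23;
  # align the two unless the difference is intentional.
  image: golang:1.24
  script:
    - apt-get update && apt-get install -y jq
    # Supply-chain note: `@latest` is unpinned, so the scanner version (and its
    # findings) can change between runs without any change to this repository.
    # Pin to a specific gosec release tag for reproducible scans.
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
    - echo "🔍 Menjalankan scan keamanan dengan gosec..."
    # gosec exits non-zero when it reports issues; `|| true` means findings
    # never fail this job and are surfaced through SonarQube instead. As a
    # consequence `allow_failure: false` below only covers the tooling itself
    # breaking (e.g. jq failing on a missing report), not the scan result.
    - gosec -fmt=json -out=gosec-report.json ./... || true
    - echo "📄 Jumlah issue ditemukan:" && jq '.Issues | length' gosec-report.json
    # Convert the gosec JSON report into SonarQube's generic external-issue
    # format. `.Issues // []` tolerates a report without an Issues array, and
    # gosec's `line` field is a string that may hold a range ("12-15"), so
    # only the first number is used for `startLine` (SonarQube expects an int).
    - |
      jq '(.Issues // [])[] | {
        engineId: "gosec",
        ruleId: .rule_id,
        primaryLocation: {
          message: .details,
          filePath: .file,
          textRange: {startLine: (.line | tostring | split("-")[0] | tonumber)}
        },
        type: "VULNERABILITY",
        severity: (if .severity == "HIGH" then "CRITICAL" elif .severity == "MEDIUM" then "MAJOR" else "MINOR" end)
      }' gosec-report.json | jq -s '{issues: .}' > gosec-generic-report.json
  artifacts:
    when: always
    paths:
      - gosec-report.json
      - gosec-generic-report.json
    expire_in: 1 week
  allow_failure: false
  only:
    - devops-ec2

# ======================================================
# 📊 Step 3: SonarQube Analysis
# ======================================================
sonarqube_analysis:
  stage: scan
  # `latest` is unpinned; pin the scanner image tag for reproducible analyses.
  image: sonarsource/sonar-scanner-cli:latest
  script:
    - apk add --no-cache jq
    - echo "🚀 Mengirim analisis ke SonarQube..."
    # The SonarQube token is read from the SONAR_TOKEN CI/CD variable, which
    # must be defined in the project settings as a masked (and, for this
    # branch, protected) variable. It must never be committed to this file; a
    # token that was previously committed here has to be treated as exposed
    # and revoked/regenerated in SonarQube. The guard fails the job early with
    # a clear message instead of letting the scanner fail on an empty login.
    # `sonar.login` is deprecated in favour of `sonar.token` on newer SonarQube
    # servers; switch once the server side supports it.
    - |
      test -n "$SONAR_TOKEN" || { echo "SONAR_TOKEN is not set (define it as a masked CI/CD variable)" >&2; exit 1; }
      sonar-scanner \
        -Dsonar.projectKey=mbu-lti-backend \
        -Dsonar.projectName="MBU LTI Backend" \
        -Dsonar.sources=. \
        -Dsonar.host.url=https://status.mbugroup.id/sonar \
        -Dsonar.login="$SONAR_TOKEN" \
        -Dsonar.go.coverage.reportPaths=coverage.out \
        -Dsonar.externalIssuesReportPaths=gosec-generic-report.json \
        -Dsonar.sourceEncoding=UTF-8 \
        -Dsonar.verbose=true
  # Pull coverage.out and the converted gosec report from the upstream jobs.
  dependencies:
    - unit_test
    - gosec_scan
  artifacts:
    when: always
    paths:
      - .scannerwork
      - coverage.out
      - gosec-generic-report.json
    expire_in: 1 week
  only:
    - devops-ec2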