name: RN APK Build

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # ---------------- JAVA (Gradle + SonarScanner need JDK on Ubuntu) ----------------
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: 17
          cache: gradle

      # ---------------- NODE ----------------
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - name: Install dependencies
        run: npm ci

      # ---------------- TRIVY (filesystem scan; avoid trivy-action — it pulls actions/cache node24) ----------------
      - name: Install Trivy
        run: |
          mkdir -p "${HOME}/bin"
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "${HOME}/bin" v0.70.0
          echo "${HOME}/bin" >> "${GITHUB_PATH}"
          trivy --version

      - name: Trivy filesystem scan
        run: |
          trivy fs -f json -o report.json \
            --skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
            --exit-code 0 \
            .

      # - name: Upload Trivy report
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: trivy-fs-report
      #     path: report.json

      # ---------------- SONARQUBE ----------------
      # In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL:  ${{ secrets.SONAR_URL }}

      # ---------------- ANDROID SDK (required on Ubuntu: ANDROID_HOME / sdk.dir) ----------------
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          packages: >-
            tools platform-tools
            platforms;android-36
            build-tools;36.0.0
            ndk;27.1.12297006

      - name: Point Gradle to the SDK
        run: |
          printf 'sdk.dir=%s\n' "${ANDROID_SDK_ROOT}" > android/local.properties
          cat android/local.properties

      - name: Grant Gradle execute permission
        run: chmod +x android/gradlew

      # ---------------- BUILD APK ----------------
      - name: Build Release APK
        run: |
          cd android
          ./gradlew assembleRelease --stacktrace --info

      # ---------------- VERIFY APK ----------------
      - name: Check APK Output
        run: |
          ls -R android/app/build/outputs/apk

      # ---------------- SAVE TO VM ----------------
      - name: Save APK to VM folder
        run: |
          mkdir -p /home/azureuser/builds
          cp android/app/build/outputs/apk/release/*.apk /home/azureuser/builds/

      # ---------------- VERIFY FINAL ----------------
      - name: Verify APK in VM
        run: |
          ls -l /home/azureuser/builds

      # ---------------- (OPTIONAL) ARTIFACT ----------------
      - name: Upload APK (optional)
        uses: actions/upload-artifact@v3
        with:
          name: app-release
          path: android/app/build/outputs/apk/release/*.apk