performics_dev/.gitea/workflows/azure-pipelines.yml

name: RN APK Build

on:
  push:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # ---------------- JAVA (Gradle + SonarScanner need JDK on Ubuntu) ----------------
      # - name: Setup Java
        # uses: actions/setup-java@v4
        # with:
        #   distribution: temurin
        #   java-version: 17
        #   cache: gradle

      # ---------------- NODE ----------------
      # - name: Setup Node
      #   uses: actions/setup-node@v4
      #   with:
      #     node-version: 20
      #     cache: npm

      - name: Install dependencies
        run: npm ci

      # ---------------- TRIVY (filesystem scan; avoid trivy-action — it pulls actions/cache node24) ----------------
      # - name: Install Trivy
      #   run: |
      #     mkdir -p "${HOME}/bin"
      #     curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "${HOME}/bin" v0.70.0
      #     echo "${HOME}/bin" >> "${GITHUB_PATH}"
      #     "${HOME}/bin/trivy" --version

      # Use "${HOME}/bin/trivy" — act/Gitea may not prepend GITHUB_PATH before the next step.
      # Gitea only orchestrates the job; checkout + report.json live on the runner machine (this server), not on the Gitea host.
      - name: Trivy filesystem scan
        run: |
          "${HOME}/bin/trivy" fs -f json -o report.json \
            --skip-dirs node_modules,android/.gradle,android/build,ios/Pods,ios/build,.git \
            --exit-code 0 \
            .
          report_path="${GITHUB_WORKSPACE:-$(pwd)}/report.json"
          echo "Runner host: $(hostname)"
          echo "report.json (on this runner, under job workspace): ${report_path}"
          ls -la report.json
          mkdir -p /home/azureuser/builds
          cp -f report.json /home/azureuser/builds/trivy-report.json
          echo "Persistent copy (survives after job workspace is removed): /home/azureuser/builds/trivy-report.json"

      - name: Upload Trivy report to MongoDB
        run: node /home/azureuser/uploadJSONMongoDB/scripts/upload-report-to-mongodb.js

      # - name: Upload Trivy report
      #   uses: actions/upload-artifact@v3
      #   with:
      #     name: trivy-fs-report
      #     path: report.json

      # ---------------- SONARQUBE ----------------
      # In Gitea: Settings → Secrets → SONAR_TOKEN (and optionally SONAR_URL).
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v6
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL:  ${{ secrets.SONAR_URL }}

      # ---------------- ANDROID SDK (required on Ubuntu: ANDROID_HOME / sdk.dir) ----------------
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
          packages: >-
            tools platform-tools
            platforms;android-36
            build-tools;36.0.0
            ndk;27.1.12297006

      - name: Point Gradle to the SDK
        run: |
          printf 'sdk.dir=%s\n' "${ANDROID_SDK_ROOT}" > android/local.properties
          cat android/local.properties

      - name: Grant Gradle execute permission
        run: chmod +x android/gradlew

      # ---------------- BUILD APK ----------------
      - name: Build Release APK
        run: |
          cd android
          ./gradlew assembleRelease --stacktrace --info

      # ---------------- VERIFY APK ----------------
      - name: Check APK Output
        run: |
          ls -R android/app/build/outputs/apk

      # ---------------- SAVE TO VM ----------------
      - name: Save APK to VM folder
        run: |
          mkdir -p /home/azureuser/builds
          cp android/app/build/outputs/apk/release/*.apk /home/azureuser/builds/

      # ---------------- VERIFY FINAL ----------------
      - name: Verify APK in VM
        run: |
          ls -l /home/azureuser/builds

      # ---------------- (OPTIONAL) ARTIFACT ----------------
      - name: Upload APK (optional)
        uses: actions/upload-artifact@v3
        with:
          name: app-release
          path: android/app/build/outputs/apk/release/*.apk