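# CI pipeline: format check, unit tests, dependency vulnerability audit and
# end-to-end tests. Runs for push, pull_request and manual events on the
# dev, stage and main branches.
when:
  event: [push, pull_request, manual]
  branch: [dev, stage, main]

# One pipeline run per matrix entry; only arm64 is currently enabled.
matrix:
  include:
    - PLATFORM: arm64
      TAG_SUFFIX: arm
    # - PLATFORM: amd64
    #   TAG_SUFFIX: amd

# Route the run to an agent whose platform label matches the matrix entry.
labels:
  platform: ${PLATFORM}

# NOTE(review): every step uses a floating image tag (`sdk:10.0`, and `docker`
# with no tag at all), so the toolchain can change between runs without a
# commit. Consider pinning each image to a digest that has been reviewed.
steps:
  - name: lint-format
    image: mcr.microsoft.com/dotnet/sdk:10.0
    commands:
      # Fails if any file would be changed by the formatter.
      - dotnet format Azaion.AdminApi.sln --verify-no-changes --verbosity diagnostic

  - name: unit-tests
    image: mcr.microsoft.com/dotnet/sdk:10.0
    commands:
      - dotnet restore Azaion.AdminApi.sln
      - dotnet test Azaion.AdminApi.sln --no-restore --configuration Release --logger "console;verbosity=normal" --logger "trx;LogFileName=test-results.trx" --results-directory /app/test-results

  - name: deps-audit
    image: mcr.microsoft.com/dotnet/sdk:10.0
    commands:
      # Security audit recommendation 13: fail the build on any High or Critical
      # vulnerable dependency.
      - dotnet restore Azaion.AdminApi.sln
      # Write the report to a file instead of piping through `tee`: in a pipe
      # the step only sees tee's exit status, so a failed audit command would
      # leave an empty report and the gate below would pass with nothing
      # checked. Here a non-zero exit from `dotnet list` fails the step.
      - |
        dotnet list Azaion.AdminApi.sln package --vulnerable --include-transitive > deps-audit.log 2>&1 || {
          cat deps-audit.log
          echo "Dependency audit command failed; treating as a failed audit"
          exit 1
        }
      - cat deps-audit.log
      # grep returns non-zero when no match is found, which is the success case
      # here, hence the explicit inversion. Package rows start with ">" and
      # carry an Advisory URL column after Severity, and transitive rows have
      # no Requested column, so the pattern keys on the leading ">" plus a
      # whole-word severity rather than on a column count or end of line.
      - |
        if grep -E '^\s*>.*\s(High|Critical)(\s|$)' deps-audit.log; then
          echo "Vulnerable High/Critical dependency found"
          exit 1
        fi

  - name: e2e-tests
    image: docker
    commands:
      # Mirrors scripts/run-tests.sh: drop volumes from any prior run so the DB
      # init scripts re-run on a clean data dir, then run compose to completion.
      - docker compose -f docker-compose.test.yml down -v --remove-orphans
      - docker compose -f docker-compose.test.yml up --build --abort-on-container-exit --exit-code-from e2e-consumer
    # NOTE(review): the host Docker socket gives this step, and everything
    # docker-compose.test.yml builds or runs, control over the agent's Docker
    # daemon. This pipeline also runs on pull_request, so confirm that pull
    # requests from untrusted contributors need approval before reaching it.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  - name: e2e-cleanup
    image: docker
    # Run on both outcomes so a failed e2e run does not leave containers or
    # volumes behind on the agent.
    when:
      status: [success, failure]
    commands:
      - docker compose -f docker-compose.test.yml down -v --remove-orphans
    # Same host Docker socket exposure as the e2e-tests step.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock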