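---
# CI pipeline: build the Spring PetClinic application through Artifactory,
# run JFrog SAST/SCA audits, build and push the Docker image with the JFrog
# CLI, then publish and scan the aggregated build-info record with Xray.
name: Build and Scan with JFrog

on:
  push:
    branches: ["main", "develop"]
  pull_request:
    branches: ["main"]

# Least privilege for the automatic GITHUB_TOKEN: every step talks to
# Artifactory with its own JF_* / ARTIFACTORY_* secrets, so the workflow
# itself only needs to read the repository contents.
permissions:
  contents: read

jobs:
  build-and-scan:
    runs-on: ubuntu-latest

    # Job-wide environment so every `jf` invocation below contributes to the
    # same build-info record, and so the image reference is defined once.
    env:
      JFROG_CLI_BUILD_NAME: jesseh-spring-petclinic
      JFROG_CLI_BUILD_NUMBER: ${{ github.run_id }}
      # Used by both the `docker build` and `jf docker push` steps; the host
      # must be the same registry the docker/login-action step authenticated to.
      DOCKER_IMAGE: soleng.jfrog.io/jesseh-docker-dev-local/spring-petclinic:${{ github.run_id }}

    steps:
      # NOTE(review): actions are pinned to major tags. Pinning to a full
      # commit SHA gives a reproducible, tamper-evident action supply chain.
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'

      # Installs and configures the JFrog CLI with the Artifactory server
      # details. The CLI binary and build-info extractors are themselves
      # fetched through the Artifactory virtual repo, not from GitHub.
      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: ${{ secrets.JF_RT_URL }}
          JFROG_CLI_RELEASES_REPO: https://soleng.jfrog.io/artifactory/jesseh-maven-dev-virtual/
          JFROG_CLI_EXTRACTORS_REMOTE: https://soleng.jfrog.io/artifactory/jesseh-maven-dev-virtual/
          JF_GIT_TOKEN: ${{ secrets.GH_TOKEN }}
          JF_USER: ${{ secrets.ARTIFACTORY_USERNAME }}
          JF_PASSWORD: ${{ secrets.ARTIFACTORY_IDENTITY_TOKEN }}

      # Configures Maven to resolve all dependencies from the Artifactory
      # virtual repository (releases and snapshots alike).
      - name: Configure Maven Repositories
        run: |
          jf mvnc \
            --repo-resolve-releases=jesseh-maven-dev-virtual \
            --repo-resolve-snapshots=jesseh-maven-dev-virtual

      # Automatically fixes any code formatting issues to prevent build
      # failures. NOTE(review): this runs plain `mvn`, so the formatting plugin
      # is resolved via the runner's default Maven settings rather than the
      # Artifactory configuration applied by `jf mvnc` above; the formatting
      # changes only affect the checkout and are not committed back.
      - name: Apply Java Formatting
        run: mvn spring-javaformat:apply

      # Wraps the Maven command so dependencies resolve through Artifactory
      # and build-info is collected. Unit tests are skipped in this job.
      - name: Build Application with Maven
        run: |
          jf mvn clean install -DskipTests=true

      # "Shift-left" scan for fast feedback on source code (SAST) and
      # dependencies (SCA). `--fail=true` makes policy violations fail the job.
      - name: Run JFrog SAST & SCA Audit
        run: |
          jf audit --sast --fail=true --project "jesseh"

      # Authenticates the Docker daemon to the JFrog registry. This action
      # correctly handles the full URL stored in the secret; a single login is
      # sufficient for both the build and push steps below.
      - name: Login to JFrog Docker Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ secrets.JF_RT_URL }}
          username: ${{ secrets.ARTIFACTORY_USERNAME }}
          password: ${{ secrets.ARTIFACTORY_IDENTITY_TOKEN }}

      - name: Build Docker Image
        run: |
          docker build -t "$DOCKER_IMAGE" .

      # Pushes the image using the JFrog CLI so the Docker layers are added to
      # the build-info record.
      - name: Push Docker Image
        run: |
          jf docker push "$DOCKER_IMAGE"

      # Publishes all collected build information (Maven + Docker) to Artifactory.
      - name: Publish Build Info
        run: |
          jf rt build-publish

      # Final, comprehensive security scan of the entire build record.
      # NOTE(review): `--fail=false` makes this scan advisory only — findings
      # are reported but never fail the job; the audit step above is the only
      # gating scan in this workflow.
      - name: Scan Build with Xray
        run: |
          jf bs --fail=false --vuln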