name: "DevSecOps Enterprise Pipeline"
on:
  push:
    branches: [ main ]

jobs:
  security-gate-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      # ==========================================
      # STAGE 1: STATIC SECURITY TESTING (SAST, SCA)
      # ==========================================

      # 1.1. Secret Scanning: Detect hardcoded secrets and credentials
      - name: Gitleaks Scan
        run: |
          curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
          /tmp/gitleaks protect --source . --verbose --redact --staged --exit-code 1

      # 1.2. Software Composition Analysis (SCA): Check for infrastructure vulnerabilities
      - name: Scan Docker Image Vulnerabilities (Trivy)
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
          trivy image --severity HIGH,CRITICAL nginx:alpine

      # 1.3. Static Application Security Testing (SAST): Source code quality and security
      - name: SonarQube Analysis
        run: |
          curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
          unzip -q sonar-scanner.zip
          ./sonar-scanner-5.0.1.3006-linux/bin/sonar-scanner \
            -Dsonar.projectKey=website-test \
            -Dsonar.sources=. \
            -Dsonar.host.url=http://51.89.40.2:9000 \
            -Dsonar.token=${{ secrets.SONAR_TOKEN }} \
            -Dsonar.qualitygate.wait=true

      # ==========================================
      # STAGE 2: DYNAMIC TEST ENVIRONMENT
      # ==========================================

      - name: Provision Ephemeral Sandbox
        run: |
          # Remove any residual sandbox containers
          docker rm -f website-test-sandbox || true
          
          # Deploy sandbox. Using Docker internal network prevents external exposure.
          docker run -d --name website-test-sandbox nginx:alpine
          
          # Copy the current codebase to the sandbox container
          docker cp index.html website-test-sandbox:/usr/share/nginx/html/index.html
          
          # Allow Nginx service to initialize
          sleep 5

      # ==========================================
      # STAGE 3: DYNAMIC APPLICATION SECURITY TESTING
      # ==========================================

      - name: OWASP ZAP Baseline Scan
        run: |
          # Initialize test report directory
          mkdir -p qatests
          
          # PREVENTIVE CLEANUP: Ensure no leftover containers or volumes exist
          docker rm -f zap-scanner || true
          docker volume rm zap-reports || true
          
          # Create a managed Docker volume to prevent host/runner path conflicts
          docker volume create zap-reports
          
          # Execute ZAP scan mounting the managed volume. 
          # The '-I' flag ensures the pipeline doesn't fail on warnings.
          docker run --user root --name zap-scanner \
            --link website-test-sandbox:website-test-sandbox \
            -v zap-reports:/zap/wrk/:rw \
            -t ghcr.io/zaproxy/zaproxy:stable zap-baseline.py \
            -t http://website-test-sandbox \
            -r report.html \
            -I || true
          
          # Extract the HTML report from the ZAP container to the runner workspace
          docker cp zap-scanner:/zap/wrk/report.html qatests/report.html
          
          # Teardown ZAP container and volume to free up resources
          docker rm -f zap-scanner || true
          docker volume rm zap-reports || true

      # Ensure sandbox is destroyed even if previous DAST steps fail
      - name: Teardown Ephemeral Sandbox
        if: always()
        run: |
          docker rm -f website-test-sandbox || true

      # ==========================================
      # STAGE 4: PRODUCTION DEPLOYMENT
      # ==========================================

      - name: Hardened Production Deployment
        run: |
          # Create a backup of the current production state
          docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
          
          # Clear the production directory and deploy the approved artifact
          docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
          docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
          
          # Apply strict file system permissions (Hardening)
          docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
          docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
          
          # Healthcheck: Verify local response from the production container
          docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1

      # ==========================================
      # STAGE 5: ARTIFACT MANAGEMENT & REPORTING
      # ==========================================
      
      - name: Publish ZAP Report to Production Web Server
        if: always()
        run: |
          # Host the report directly on the Nginx container to bypass Gitea's artifact download bug
          # Accessible at: http://51.89.40.2:8080/zap-report.html
          docker cp qatests/report.html website-test-backend:/usr/share/nginx/html/zap-report.html || true
          docker exec website-test-backend chmod 444 /usr/share/nginx/html/zap-report.html || true

      - name: Archive ZAP Report (Raw HTML)
        if: always()
        uses: actions/upload-artifact@v3
        with:
          name: owasp-zap-report
          # Upload the raw HTML file to Gitea Artifacts
          path: qatests/report.html

      - name: Pipeline Status Notification
        if: always()
        run: |
          echo "Pipeline finished with status: ${{ job.status }}"