.github/workflows/ci.yml

# This workflow runs the tests across Linux, Mac, Windows

name: KX VS Code CI Testing

on:
  push:
    branches-ignore:
      - dev
      - main
  pull_request:
    branches:
      - dev
      - main

jobs:
  test:
    strategy:
      matrix:
        os: [macos-latest, ubuntu-latest, windows-latest]
    runs-on: ${{ matrix.os }}

    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Install Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 16.x
      - run: npm ci
      - run: xvfb-run -a npm test
        if: runner.os == 'Linux'
      - run: npm test
        if: runner.os != 'Linux'

  app-sec:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Install Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 16.x

      - name: Install dependencies
        run: yarn install

      - name: Generate code coverage reports
        run: xvfb-run -a npm run coverage

      - name: Code coverage summary
        uses: irongut/CodeCoverageSummary@v1.3.0
        with:
          filename: ./coverage-reports/cobertura-coverage.xml
          format: markdown
          hide_branch_rate: true
          hide_complexity: true
          thresholds: "30 80"
          output: "both"

      - name: Add Coverage PR Comment
        uses: marocchino/sticky-pull-request-comment@v2
        if: github.event_name == 'pull_request'
        with:
          recreate: true
          path: code-coverage-results.md

      - name: Write Coverage to Job Summary
        run: cat code-coverage-results.md >> $GITHUB_STEP_SUMMARY

      - name: SonarCloud Scan
        uses: sonarsource/sonarqube-scan-action@master
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

      - name: Snyk scan for all vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}

      - name: Snyk scan for high or critical vulnerabilities
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.pink_snyk_api_key }}
        with:
          args: --severity-threshold=high