# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-maven

name: Java CI with Maven

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven

    - name: Build with Maven
      run: mvn -B package
      working-directory: main

    # Generate dependency graph explicitly
    - name: Generate dependency graph
      run: mvn -B com.github.ferstl:depgraph-maven-plugin:4.0.1:graph
      working-directory: main

    # Upload the packaged JAR file as an artifact
    - name: Upload package artifact
      uses: actions/upload-artifact@v4
      with:
        name: package
        path: main/target/*.jar # Upload only the JAR

    # Upload the generated dependency graph so you can inspect it
    - name: Upload dependency graph artifact
      uses: actions/upload-artifact@v4
      with:
        name: dependency-graph
        path: main/target/dependency-graph.dot # Upload the specific graph file

  test-and-coverage:
    runs-on: ubuntu-latest
    needs: build # Make it dependent on the build job to ensure code compiles
    
    steps:
    - uses: actions/checkout@v4

    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven

    - name: Run tests and generate coverage report
      # 'verify' runs all tests. 'jacoco:report' generates the coverage report.
      # This assumes you have the JaCoCo plugin configured in your pom.xml
      run: mvn -B verify jacoco:report
      working-directory: main

    - name: Upload coverage report
      # This uploads the HTML coverage report as an artifact
      uses: actions/upload-artifact@v4
      with:
        name: code-coverage-report
        path: main/target/site/jacoco/ # Path to the JaCoCo HTML report

  security-scan:
    # NEW JOB: This job runs GitHub's CodeQL to find security vulnerabilities.
    # It runs in parallel with other jobs.
    runs-on: ubuntu-latest
    
    # Required permissions for CodeQL to write results
    permissions:
      security-events: write # for github/codeql-action/analyze
      actions: read # for github/codeql-action/init

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: 'java' # Specify the language to analyze

    - name: Build project for CodeQL
      # CodeQL needs to monitor the build process.
      # We skip tests here (-DskipTests) because we only need the compiled code
      # for static analysis, and tests are run in the 'test-and-coverage' job.
      run: mvn -B clean package -DskipTests
      working-directory: main

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3

  dependency-review:
    # NEW JOB: This job checks for vulnerable dependencies on Pull Requests.
    # It prevents merging PRs that introduce known vulnerabilities.
    runs-on: ubuntu-latest
    
    # This job only needs to run on pull requests
    if: github.event_name == 'pull_request'
    
    permissions:
      contents: read # To read dependency files

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        
      - name: Dependency Review
        uses: actions/dependency-review-action@v4