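# Reusable workflow (invoked through `workflow_call`) that runs the Elixir CI
# jobs: unit tests, Dialyzer type checking, static analysis and dependency
# audits, a migration/seed upgrade test, and browser acceptance tests.
#
# Conventions used throughout:
#   * Third-party actions are pinned to a full commit SHA, with the release tag
#     kept as a trailing comment.
#   * Values that come from the `github` context are handed to shell steps
#     through `env:` and expanded by the shell, so they are never spliced into
#     the script text before bash parses it.
#   * GITHUB_TOKEN is exported at job level, so every step in the job can read
#     it, including the steps that compile and run repository code.
#     NOTE(review): confirm which steps actually need it and whether it could
#     be scoped to those steps instead.
name: Elixir
on:
  workflow_call:

jobs:
  unit-test:
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: ./elixir
    # Listing a single scope sets every other GITHUB_TOKEN scope to `none`.
    # `checks: write` is used by the "Test Report" step to publish a check run.
    permissions:
      checks: write
    env:
      MIX_ENV: test
      POSTGRES_HOST: localhost
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-postgres
      - uses: ./.github/actions/setup-elixir
        with:
          mix_env: ${{ env.MIX_ENV }}
      - name: Compile Application
        run: mix compile --warnings-as-errors
      - name: Setup Database
        run: |
          mix ecto.create
          mix ecto.migrate
      - name: Run Tests
        env:
          E2E_DEFAULT_WAIT_SECONDS: "20"
          CI_ASSERT_RECEIVE_TIMEOUT_MS: "250"
        # One full run; if it fails, re-run only the tests that failed. The
        # step fails only when the retry fails as well.
        run: |
          mix_test="mix test --warnings-as-errors --exclude flaky:true --exclude acceptance:true"
          $mix_test || $mix_test --failed
      - name: Test Report
        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
        # Runs only for pull requests whose head branch lives in this
        # repository. On fork PRs, and on events that carry no pull_request
        # payload, the comparison is false and the report is skipped.
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && (success() || failure()) }}
        with:
          name: Elixir Unit Test Report
          path: elixir/_build/test/lib/*/test-junit-report.xml
          reporter: java-junit

  # NOTE(review): this job has no `permissions:` block, so GITHUB_TOKEN carries
  # whatever the calling workflow or the repository default grants. An explicit
  # read-only block would make the intent visible; confirm what the local
  # setup-elixir action needs first.
  type-check:
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: ./elixir
    env:
      # We need to set MIX_ENV to dev to make sure that we won't type-check our test helpers
      MIX_ENV: dev
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-elixir
        id: setup-beam
        with:
          mix_env: ${{ env.MIX_ENV }}
      - name: Compile Application
        run: mix compile --warnings-as-errors
      - uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        name: Restore PLT cache
        id: plt_cache
        with:
          path: elixir/priv/plts
          key: dialyzer-ubuntu-24.04-${{ runner.arch }}-${{ steps.setup-beam.outputs.elixir-version }}-${{ steps.setup-beam.outputs.otp-version }}-${{ hashFiles('elixir/mix.lock') }}
          # This will make sure that we can incrementally build the PLT from older cache and save it under a new key
          restore-keys: |
            dialyzer-ubuntu-24.04-${{ runner.arch }}-${{ steps.setup-beam.outputs.elixir-version }}-${{ steps.setup-beam.outputs.otp-version }}-
      - name: Create PLTs
        if: ${{ steps.plt_cache.outputs.cache-hit != 'true' }}
        run: mix dialyzer --plt
      # Only runs on `main` write the PLT cache; every other ref restores it
      # but never saves it.
      - uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        if: ${{ github.ref_name == 'main' }}
        name: Save PLT cache
        with:
          key: ${{ steps.plt_cache.outputs.cache-primary-key }}
          path: elixir/priv/plts
      - name: Run Dialyzer
        run: mix dialyzer --format dialyxir

  # NOTE(review): no `permissions:` block; see the note on `type-check`.
  static-analysis:
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: ./elixir
    env:
      MIX_ENV: test
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-elixir
        with:
          mix_env: ${{ env.MIX_ENV }}
      - name: Compile Application
        run: mix compile --force --warnings-as-errors
      - name: Check Formatting
        run: mix format --check-formatted
      - name: Check For Retired Packages
        run: mix hex.audit
      - name: Check For Vulnerable Packages
        run: mix deps.audit
      - name: Run Sobelow vulnerability scanner for web app
        working-directory: ./elixir/apps/web
        # `--skip` leaves out findings that were explicitly marked as skipped.
        # NOTE(review): without `--exit`, Sobelow is understood to return 0
        # even when it reports findings, which would make this step
        # informational rather than a gate. Confirm that this is intended.
        run: mix sobelow --skip
      - name: Run Credo
        run: mix credo --strict
      - name: Check for unused deps
        run: mix deps.unlock --check-unused

  # Checks that the migrations on the current ref apply cleanly on top of a
  # database that was migrated and seeded from the base ref.
  # NOTE(review): no `permissions:` block; see the note on `type-check`.
  migrations-and-seed-test:
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: ./elixir
    env:
      MIX_ENV: dev
      POSTGRES_HOST: localhost
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-postgres
      - uses: ./.github/actions/setup-elixir
        with:
          mix_env: ${{ env.MIX_ENV }}
      - name: Compile
        run: mix compile --warnings-as-errors
      - name: Create Database
        run: mix ecto.create
      - name: Migrate DB to base ref and seed
        env:
          # The branch name reaches the script as data. Expanding
          # `github.base_ref` directly inside `run:` would paste it into the
          # script text, where shell metacharacters in a branch name would be
          # parsed as code.
          BASE_REF: ${{ github.base_ref }}
        # `${BASE_REF:+"$BASE_REF"}` expands to the quoted branch name, or to
        # nothing at all when base_ref is empty (events without a pull request
        # base), which is what the unquoted expression did before.
        run: |
          git fetch --depth=1 origin ${BASE_REF:+"$BASE_REF"}
          git checkout ${BASE_REF:+"$BASE_REF"}
          mix deps.get
          mix ecto.migrate
          mix ecto.seed
      # Then checkout current ref and rerun migrations
      - name: Run new migrations
        # `github.sha` is a commit hash, so it holds no shell metacharacters.
        run: |
          git checkout ${{ github.sha }}
          mix deps.get
          mix ecto.migrate
          mix ecto.reset
          mix ecto.migrate
          mix ecto.seed

  acceptance-test:
    name: acceptance-test-${{ matrix.MIX_TEST_PARTITION }}
    # `checks: write` is used by the "Test Report" step; all other scopes are
    # set to `none`.
    permissions:
      checks: write
    runs-on: ubuntu-24.04
    defaults:
      run:
        working-directory: ./elixir
    env:
      MIX_ENV: test
      POSTGRES_HOST: localhost
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      MIX_TEST_PARTITIONS: "1"
    strategy:
      # Stop the remaining matrix jobs early only for merge-queue runs.
      fail-fast: ${{ github.event_name == 'merge_group' }}
      matrix:
        MIX_TEST_PARTITION: [1]
    services:
      # Vault is started with a fixed, well-known root token
      # (VAULT_DEV_ROOT_TOKEN_ID) and published on the runner's port 8200.
      # This is a test fixture; the token must never guard real secrets.
      # NOTE(review): the image is referenced by a mutable tag while the
      # actions in this file are pinned by commit SHA; pinning the image by
      # digest would give it the same guarantee.
      vault:
        image: vault:1.12.2
        env:
          VAULT_ADDR: "http://127.0.0.1:8200"
          VAULT_DEV_ROOT_TOKEN_ID: "firezone"
        ports:
          - "8200:8200/tcp"
        options: --cap-add=IPC_LOCK
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - uses: ./.github/actions/setup-postgres
      - uses: nanasess/setup-chromedriver@e93e57b843c0c92788f22483f1a31af8ee48db25 # v2.3.0
      # Starts chromedriver and a virtual X display in the background.
      # `Xvfb -ac` turns X access control off, so any local process can connect
      # to display :99. `export DISPLAY` only affects this step's shell; later
      # steps start a fresh shell and do not inherit it.
      - run: |
          export DISPLAY=:99
          chromedriver --url-base=/wd/hub &
          sudo Xvfb -ac :99 -screen 0 1280x1024x24 > /dev/null 2>&1 &
      - uses: ./.github/actions/setup-elixir
        with:
          mix_env: ${{ env.MIX_ENV }}
      # The npm registry token is handed only to this local action.
      - uses: ./.github/actions/setup-node
        with:
          npmjs-token: ${{ secrets.NPMJS_TOKEN }}
          lockfile-dir: ./elixir/apps/web/assets
      - name: Compile Application
        run: mix compile --warnings-as-errors
      - name: Install Front-End Dependencies
        run: |
          cd apps/web
          mix assets.setup
      - name: Build Web Assets
        run: |
          cd apps/web
          mix assets.build
      # Run tests
      - name: Setup Database
        run: |
          mix ecto.create
          mix ecto.migrate
      - name: Run Acceptance Tests
        env:
          MIX_TEST_PARTITION: ${{ matrix.MIX_TEST_PARTITION }}
          E2E_DEFAULT_WAIT_SECONDS: "20"
        # One full run, then up to two re-runs of only the failed tests, with
        # leftover chromedriver processes killed before each re-run.
        #
        # The earlier form chained everything with `||`:
        #   mix test || pkill || mix test --failed || pkill || mix test --failed
        # A `||` chain stops at the first command that succeeds, so a
        # successful `pkill` ended the step with status 0 and a failed test run
        # was reported as passing. The kill is now best-effort and only the
        # exit status of `mix test` decides the outcome.
        run: |
          if mix test --only acceptance:true \
            --partitions="$MIX_TEST_PARTITIONS" \
            --no-compile \
            --no-archives-check \
            --no-deps-check; then
            exit 0
          fi

          for attempt in 1 2; do
            # No matching process is fine; the retry must still run.
            pkill -f chromedriver || true
            if mix test --only acceptance:true --failed; then
              exit 0
            fi
          done

          exit 1
      - name: Save Screenshots
        # Same-repository pull requests only; skipped for forks and for events
        # without a pull_request payload.
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && always() }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: screenshots-${{ matrix.MIX_TEST_PARTITION }}
          path: elixir/apps/web/screenshots
      - name: Test Report
        uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2.1.1
        # Same-repository pull requests only; see "Save Screenshots".
        if: ${{ github.event.pull_request.head.repo.full_name == github.repository && (success() || failure()) }}
        with:
          name: Elixir Acceptance Test Report
          path: elixir/_build/test/lib/*/test-junit-report.xml
          reporter: java-junit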