name: Scan

on:
  workflow_dispatch:
  push:
    branches:
      - "main"
      - "rc"
      - "hotfix-rc"
  pull_request:
    types: [opened, synchronize, reopened]
    branches-ignore:
      - "main"
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches:
      - "main"

permissions: {}

jobs:
  check-run:
    name: Check PR run
    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
    permissions:
      contents: read

  sast:
    name: Checkmarx
    uses: bitwarden/gh-actions/.github/workflows/_checkmarx.yml@main
    needs: check-run
    secrets:
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    permissions:
      contents: read
      pull-requests: write
      security-events: write
      id-token: write

  quality:
    name: Sonar
    uses: bitwarden/gh-actions/.github/workflows/_sonar.yml@main
    needs: check-run
    secrets:
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    with:
      sonar-test-inclusions: "**/*.spec.ts"
      sonar-exclusions: "**/*.spec.ts"