# @format

name: Vulnerability Check
on:
  pull_request:
    branches:
      - master

permissions:
  contents: read # to fetch code (actions/checkout)

jobs:
  vulncheck:
    name: Analysis
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v3
      - name: Set up Go
        uses: actions/setup-go@v3
        with:
          go-version: 1.22.4
          check-latest: true
      - name: Get official govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest
        shell: bash
      - name: Run govulncheck
        run: govulncheck ./...
        shell: bash

  react-code-known-vulnerabilities:
    name: "React Code Has No Known Vulnerable Deps"
    runs-on: ubuntu-latest
    strategy:
      matrix:
        go-version: [ 1.22.4 ]
        os: [ ubuntu-latest ]
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Read .nvmrc
        id: node_version
        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
      - name: Enable Corepack
        run: corepack enable
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ env.NVMRC }}
      - name: Checks for known security issues with the installed packages
        working-directory: ./web-app
        continue-on-error: false
        run: |
          # Ignore "pdfjs-dist" advisory, because it's a dependency
          # of "react-pdf" that cannot be upgraded. Because the
          # "isEvalSupported" value is always set to "false", it
          # isn't a security problem. See also
          # - https://github.com/wojtekmaj/react-pdf/issues/1789
          # - https://github.com/wojtekmaj/react-pdf/discussions/1786
          # - https://www.npmjs.com/advisories/1097244    
          yarn npm audit --recursive --environment production --no-deprecations