ci-main-pull-request.yml

# CI pipeline for all application types on main and release branches
#
# use stubs/ci-main-pull-request-stub.yml in your repo to call this common action using workflow_call
#
# performs the following actions:
# 1. run source code complexity checks (SCC) using scc
# 2. run language-specific pre-compilation checks (e.g., gosec, rubocop, etc.)
# 3. run language-agnostic pre-compilation checks (e.g., OWASP dependency or top 10 checks,trufflehog)
# 4. run security static application security tests (SAST, e.g. Sonar or BlackDuck Polaris)
# 5. run source composition analysis (SCA) scans (e.g., dependabot, blackduck)
# 6. run build and packaging steps (e.g., go build, cargo build, etc.)
# 7. run unit tests (e.g., go test, cargo test, etc.) - integration tests are in CD pipeline
# 7. run security DAST tests and scans (e.g., Veracode or BlackDuck coverity)
# 8. generate software bill-of-materials (SBOM) using SPDX format and lookup licenses (GitHub SBOM, Micrsosoft SBOM, license_scout, and/or BlackDuck SBOM)
# 
# See DEV-README.md for more details on the steps and how to use this action, or the confluence page at <TODO: URL>
#
# secrets required (by step)
# SonarQube 
# SONAR_TOKEN (repository level)
# SONAR_HOST_URL (organization level)
# AKEYLESS_JWT_ID (organization level, for creation of Azure firewall rules)

# BlackDuck SAST/Polaris
# POLARIS_ACCESS_TOKEN (organization level)
# POLARIS_SERVER_URL (organization level)

# BlackDuck SCA/SBOM, Sbominator
# BLACKDUCK_SBOM_URL (organization level)
# BLACKDUCK_SCA_TOKEN (organization level)

# Custom repository properties (view these in the repo Settings > Code & Automation > Custom Properties)
# - GABuildLanguage (the primary language used in compilation and testing in GitHub Actions. select from go, ruby, erlang, rust)
# - GABuildProfile (a build profile to be used when building an application using GitHub Actions. This is experimental and will determine build, unit test paths by type of application (e.g., CLI, standard container, web API, etc.) in combination with GABuildLanguage
# - lifecycle (the current status of the repo in terms of level of engagement with the contents: indeterminate, active, inactive, under-review, in-process)
# - primaryApplication (the primary application of which this repo is a component. Which product owner is responsible for maintaining this repo? indeterminate, automate, chef-360, chef-server, chef-test-kitchen-enterprise, chef-workstation, chef-client, haabitt, inspec, non-product, online-services, other)
# - standardizationWorkflow (standardize, indtrminate, etc.)

name: CI flow containing PR checks for main & release, v2

on:
  workflow_call:
    inputs:
      visibility:
        description: 'Visibility of the repository'
        required: false
        type: string
        default: 'public' # (private, public, or internal) TODO: should be removed, we know this from github.event.repository.visibility
      go-private-modules:
        description: 'GOPRIVATE for Go private modules'
        required: false
        type: string
        default: 'github.com/progress-platform-services/*'
      version:
        description: 'Version of the project'
        required: false
        type: string
        default: '1.0.0'
      detect-version-source-type:  # options include "none" (do not detect), "file", "github-tag" or "github-release"
        description: 'flag to determine how to detect version dynamically'
        required: false
        type: string
        default: 'none'
      detect-version-source-parameter:  # use for file name
        required: false
        type: string
        default: ''
      perform-complexity-checks: 
        description: 'Perform complexity checks with SCC'
        required: false
        type: boolean
        default: true
      scc-output-filename:
        description: 'Name of the SCC complexity output file artifact, do not add file extension'
        required: false
        type: string
        default: 'scc-complexity'
      perform-language-linting:
        description: 'Perform language-specific linting and pre-compilation checks'
        required: false
        type: boolean
        default: true
      perform-trufflehog-scan:
        description: 'Perform trufflehog scan'
        required: false
        type: boolean
        default: true
      perform-trivy-scan:
        description: 'Perform Trivy scan'
        required: false
        type: boolean
        default: true
        
      build:
        description: 'CI Build (language-specific)'
        required: false
        type: boolean
        default: true
      unit-tests:
        description: 'Run unit tests (language-specific)'
        required: false
        type: boolean
        default: true

      perform-blackduck-polaris:
        description: 'Perform BlackDuck Polaris (SAST) scan'
        required: false
        type: boolean
        default: false
      polaris-application-name:
        description: 'Polaris application name, one of these {Chef-Agents | Chef-Automate | Chef-Chef360 | Chef-Habitat | Chef-Infrastructure-Server | Chef-Shared-Services}'
        required: false
        type: string
      polaris-project-name:
        description: 'Polaris project name, typically the application name, followed by - and the repository name, for example Chef-Chef360-chef-vault'
        required: false
        default: "${{ github.event.repository.name }}"
        type: string    
      # polaris-server-url:
      #   # should be obsolete with POLARIS_SERVER_URL secret
      #   description: 'Polaris server URL'
      #   required: false
      #   default: 'https://polaris.blackduck.com'
      #   type: string
      polaris-working-directory:
        # NEW IN 1.0.7
        description: 'Working directory for the scan, defaults to . but usually lang-dependent like ./src'
        required: false
        default: '.'
        type: string
      polaris-config-path:
        # NEW IN 1.0.7
        description: 'Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml'
        required: false
        default: ''
        type: string
      polaris-coverity-config-path:
        # NEW IN 1.0.7
        description: 'Path to Coverity configuration file, typically a file supplied at root level like ./coverity.yml'
        required: false
        default: ''
        type: string
      polaris-coverity-build-command:
        # NEW IN 1.0.7
        description: 'Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install"'
        required: false
        default: ''
        type: string
      polaris-coverity-clean-command:
        # NEW IN 1.0.7
        description: 'Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean"'
        required: false
        default: ''
        type: string
      polaris-coverity-args:
        # NEW IN 1.0.7
        description: 'Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make'
        required: false
        default: ''
        type: string
      polaris-detect-search-depth:
        # NEW IN 1.0.7 
        description: 'Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan'
        required: false
        default: ''
        type: string
      polaris-detect-args:
        # NEW IN 1.0.7
        description: 'Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true"'
        required: false
        default: ''
        type: string
      polaris-assessment-mode:
        # NEW IN 1.0.7
        description: 'Assessment mode (CI or SOURCE_UPLOAD)'
        required: false
        default: 'CI'
        type: string
      wait-for-scan:
        # NEW IN 1.0.7
        description: 'Wait for scan completion'
        required: false
        default: true
        type: boolean

      perform-sonarqube-scan: 
        description: 'Perform basic SonarQube scan'
        required: false
        type: boolean
        default: true
      perform-docker-scan:
        description: 'Perform Docker scan of Dockerfile and built images in chef360 and other containerized applications'
        required: false
        type: boolean
        default: false
      build-profile: 
        description: 'Build profile for SonarQube - application specific path'
        required: false
        type: string
        default: 'cli'
      report-unit-test-coverage: 
        description: 'Perform unit tests and report coverage to SonarQube'
        required: false
        type: boolean
        default: true
      report-to-atlassian-dashboard: 
        description: 'Report Sonar test coverage and other metrics to Atlassian dashboard (Irfans QA dashboard)'
        required: false
        type: boolean
        default: true     
      quality-product-name:
        description: 'Product name for quality reporting (Chef360, Courier, Inspec)'
        required: false
        type: string
        default: 'Chef360'
      quality-sonar-app-name:
        description: 'Sonar application name for quality reporting'
        required: false
        type: string
        default: 'YourSonarAppName'
      quality-testing-type:
        description: 'Testing type for quality reporting (Unit, Integration, e2e, api, Performance, Security)'
        required: false
        type: string
        default: 'Integration'
      quality-service-name:
        description: 'Service or repository name for quality reporting'
        required: false
        type: string
        default: 'YourServiceOrRepoName'
      quality-junit-report:
        description: 'Path to JUnit report for quality reporting'
        required: false
        type: string
        default: 'path/to/junit/report'
      package-binaries:
        description: 'Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA)'
        required: false
        type: boolean
        default: true
      habitat-build:
        description: 'Create Habitat packages'
        required: false
        type: boolean
        default: true
      publish-habitat-packages:
        # NEW IN 1.0.7
        description: 'Publish Habitat packages to Builder'
        required: false
        type: boolean
        default: false
      publish-habitat-hab_package:
        # NEW IN 1.0.7
        description: "Chef Habitat package to install (e.g., core/nginx)"
        required: false
        type: string
        default: "core/nginx"
        # TODO: detect from plan file if not provided
      publish-habitat-hab_version:
        # NEW IN 1.0.7
        description: "Chef Habitat package version (optional)"
        required: false
        type: string
      publish-habitat-hab_release:
        # NEW IN 1.0.7
        description: "Chef Habitat package release (optional)"
        required: false
        type: string
      publish-habitat-hab_channel:
        # NEW IN 1.0.7
        description: "Chef Habitat package channel (e.g., stable, base, base-2025); default is stable"
        required: false
        type: string
        default: "stable"
      publish-habitat-hab_auth_token:
        # NEW IN 1.0.7
        required: false
        type: string
        # TODO: use secret if not provided
      publish-habitat-runner_os:
        description: "Runner OS to use (ubuntu-latest or windows-latest)"
        type: string
        # TODO: these should be options: ubuntu-latest, windows-latest, both, and add MacOS support
        required: false
        default: ubuntu-latest
      habitat-grype-scan:
        # NEW IN 1.0.7
        description: 'Scan built Habitat packages with Grype for vulnerabilities'
        required: false
        type: boolean
        default: false
      publish-packages:
        description: 'Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores)'
        required: false
        type: boolean
        default: true
      generate-sbom:
        description: 'Generate software bill-of-materials (SPDX SBOM)'
        required: false
        type: boolean
        default: true
      export-github-sbom:
        description: 'Export SBOM to GitHub'
        required: false
        type: boolean
        default: true
      perform-blackduck-sca-scan: # combined with generate sbom below, also needs version above
        description: 'Perform BlackDuck SCA scan'
        required: false
        type: boolean
        default: false
      blackduck-project-group-name:
        description: 'BlackDuck project group name, typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services'
        required: false
        type: string
        default: 'Chef' 
      blackduck-project-name:
        description: 'BlackDuck project name, typically the repository name'
        required: false
        type: string
        default: ${{ github.event.repository.name }}
      polaris-blackduck-executable: 
        # TODO: this will be obsolete with built-in polaris in action
        description: 'Path to BlackDuck polaris executable after build or download step'
        required: false
        type: string
        default: 'path/to/blackduck/binary'
      polaris-executable-detect-path: 
        description: 'Additions to $PATH for BlackDuck polaris to find executable'
        required: false
        type: string
        default: 'path/to/detect'
      generate-msft-sbom:
        description: 'Generate SBOM using MSFT tools'
        required: false
        type: boolean
        default: true
      license_scout:
        description: 'Run license scout for license compliance'
        required: false
        type: boolean
        default: true
      udf1:
        description: 'User defined flag 1'
        required: false
        type: string
        default: 'default'
      udf2:
        description: 'User defined flag 2'
        required: false
        type: string
        default: 'default'
      udf3:
        description: 'User defined flag 3'
        required: false
        type: string
        default: 'default'
      
      #no longer used
      language:
        description: 'Build language (Go, Ruby, Rust, etc.)'
        required: false
        type: string
        default: 'ruby'  # TODO: should be removed, we know this from custom repository properties
      generate-blackduck-sbom:  # obsolete
        description: 'Generate SBOM using BlackDuck polaris (OBSOLETE, use perform-blackduck-sca-scan instead)'
        required: false
        type: boolean
        default: false 
        
env:
  REPO_VISIBILITY: ${{ github.event.repository.visibility }}
  REPO_NAME: ${{ github.event.repository.name }}
  PIPELINE_VERSION: '1.0.7'  # version of this CI pipeline
  PRIMARY_APPLICATION: 'default'   # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
  GA_BUILD_LANGUAGE: ${{ inputs.language}}  # Custom repo property [GABuildLanguage]: go, ruby, erlang, rust (replaces Language input)
  GA_BUILD_PROFILE: ${{ inputs.build-profile }}   # Custom repo property [GABuildProfile]: TBD
  # APP_VERSION: $(cat VERSION) 
  FILE_PREFIX: $(echo "${{ github.repository }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
  DEFAULT_FILE_EXTENSION: ".json"
  DEFAULT_SEPARATOR: "-"

jobs:
  precompilation-checks:
    name: 'Pre-compilation checks'
    runs-on: ubuntu-latest
    steps:
      - name: 'Detect environment variables from repository custom properties'
      # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]'
        run: |
          response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values) 

          # | jq -r '.primaryApplication.value')
          # custom_property_value=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/${{ github.repository }}/properties/values" ) 
          # echo "chef-application-name=$custom_property_value" >> $GITHUB_ENV
          # #  | jq -r '.primary-application.value') 

          primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value')
          GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value')
          GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value')
          
          # echo $response 
          # response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values | jq -r '.GABuildLanguage.value')
          # echo $response 
          # response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values | jq -r '.GABuildProfile.value')
          # echo $response 

          # custom_property_value=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
          #   "https://api.github.com/repos/${{ github.repository }}/properties/values" | jq -r '.ga-build-language.value') 
          # echo "chef-ga-build-language=$custom_property_value" >> $GITHUB_ENV

          # custom_property_value=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
          #   "https://api.github.com/repos/${{ github.repository }}/properties/values" | jq -r '.ga-build-profile.value') 
          # echo "chef-ga-build-profile=$custom_property_value" >> $GITHUB_ENV
          
          echo "PRIMARY APP... $primaryApplication"
          echo "BUILD LANG... $GABuildLanguage"
          echo "BUILD PROFILE... $GABuildProfile"
          
          echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV

          echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV
          echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV
          # echo "chef-ga-build-language=${{ env.GA_BUILD_LANGUAGE }}" >> $GITHUB_ENV
          # echo "chef-ga-build-profile=${{ env.GA_BUILD_PROFILE }}" >> $GITHUB_ENV
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
          
      - name: 'Echo version of pipeline and inputs'
        run: |
          echo "CI pipeline execution plan for [$REPO_NAME] version $PIPELINE_VERSION"
          echo "  Repository visibility set to $REPO_VISIBILITY [ ${{ inputs.visibility }} ]"
          echo "  Repository belongs to application $PRIMARY_APPLICATION"
          echo "  Build language set to $GA_BUILD_LANGUAGE [ input: ${{ inputs.language }} ]"
          echo "  Build profile set to $GA_BUILD_PROFILE"
          echo "  GOPRIVATE for Go private modules set to ${{ inputs.go-private-modules }}"
          echo "** PRE-CHECKS ***********************************************"
          if [ ${{ inputs.perform-complexity-checks }} ]; then
            echo "  Perform complexity checks set to ${{ inputs.perform-complexity-checks }}"
            echo "  SCC output filename set to ${{ inputs.scc-output-filename }} "
          fi
          if [ ${{ inputs.perform-language-linting }} ]; then
            echo "  Perform language-specific linting set to ${{ inputs.perform-language-linting }}"
          fi
          echo "** SECURITY *************************************************"
          if [ ${{ inputs.perform-trufflehog-scan }} ]; then
            echo "  Perform trufflehog scan set to ${{ inputs.perform-trufflehog-scan }}"
          fi
          if [ ${{ inputs.perform-trivy-scan }} ]; then
            echo "  Perform Trivy scan set to ${{ inputs.perform-trivy-scan }}"
          fi
          if [ ${{ inputs.perform-blackduck-polaris }} ]; then
            echo "  Perform BlackDuck polaris scan set to ${{ inputs.perform-blackduck-polaris }}"
            echo "  Polaris application name set to ${{ inputs.polaris-application-name }}"
            echo "  Polaris project name set to ${{ inputs.polaris-project-name }}"
          fi
          echo "** BUILD AND UNIT TEST *************************************"
          if [ ${{ inputs.build }} ]; then
            echo "  BUILD set to ${{ inputs.build }}"
            echo "  Language set to ${{ env.GA_BUILD_LANGUAGE }} "
            echo "  passed in as LANGUAGE = ${{ inputs.language }}"
          fi
          if [ ${{ inputs.unit-tests }} ]; then
            echo "  Unit tests set to ${{ inputs.unit-tests }}"
          fi
          echo "** SONAR ***************************************************"
          echo "  Perform SonarQube scan set to ${{ inputs.perform-sonarqube-scan }}"
          echo "  Perform Sonar build set to ${{ inputs.build }}"
          echo "  Sonar unit test inclusion set to ${{ inputs.report-unit-test-coverage }}"
          echo "** DEV DASHBOARD *******************************************"
          echo "  Report to Atlassian dashboard set to ${{ inputs.report-to-atlassian-dashboard }}"
          echo "  Quality product name set to ${{ inputs.quality-product-name }}"
          echo "** PACKAGING ***********************************************"
          echo "  Package binaries set to ${{ inputs.package-binaries }}"
          echo "  Habitat build set to ${{ inputs.habitat-build }}"
          echo "  Publish packages set to ${{ inputs.publish-packages }}"
          echo "** SBOM ****************************************************"
          if [ ${{ inputs.generate-sbom }} ]; then
            echo "  Generate SBOM set to ${{ inputs.generate-sbom }}"
            echo "  SBOM application version set to ${{ inputs.version }}"
            echo "    SBOM version detection type set to ${{ inputs.detect-version-source-type }} (if version not specified)"
            echo "    SBOM file name set to ${{ inputs.detect-version-source-parameter }} (if detection type is [file])"
            echo "  Export SBOM from GitHub set to ${{ inputs.export-github-sbom }}"
            if [ ${{ inputs.perform-blackduck-sca-scan }} ]; then
              echo "  Perform BlackDuck SCA scan set to ${{ inputs.perform-blackduck-sca-scan }}"
              echo "    output will be located at https://progresssoftware.app.blackduck.com/api/project-groups/fc6da208-79a9-4c47-a14d-6cfdf26bcfd5 (Chef)"
              echo "    BlackDuck project group name set to ${{ inputs.blackduck-project-group-name }}"
              echo "    BlackDuck project name set to ${{ inputs.blackduck-project-name }}"
              echo "    Polaris BlackDuck executable set to ${{ inputs.polaris-blackduck-executable }}"
              echo "    Polaris executable detect path set to ${{ inputs.polaris-executable-detect-path }}"
            fi
            echo "    Generate BlackDuck SBOM set to ${{ inputs.generate-blackduck-sbom }} OBSOLETE, NO EFFECT"
            echo "  Generate MSFT SBOM set to ${{ inputs.generate-msft-sbom }}"
            echo "  License scout set to ${{ inputs.license_scout }}"
          fi
          echo "** USER DEFINED FLAGS ***************************************"
          if [ -n "$${{ inputs.udf1 }}" ]; then  # or == 'true' or = " some value" or -z (empty string)
            echo "  UDF1 set to ${{ inputs.udf1 }}"
          fi
          if [ -n "$${{ inputs.udf2 }}" ]; then 
            echo "  UDF1 set to ${{ inputs.udf2 }}"
          fi
          if [ -n "$${{ inputs.udf3 }}" ]; then  
            echo "  UDF1 set to ${{ inputs.udf3 }}"
          fi
          echo "*************************************************************"
        # echo "The job_id is: $GITHUB_JOB"   
        # echo ${{ secrets.GITHUB_TOKEN }} DO NOT ECHO THIS

        # also echo when used - go-private-modules, quality-sonar-app-name, quality-testing-type, quality-service-name, quality-junit-report
      
  checkout:
    name: 'Checkout repository'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

  generate-filename-slug:
    name: Generate a simple slug based on repo and date for use in any output artifacts
    runs-on: ubuntu-latest
    steps:
    - name: Generate Filename Prefix and full JSON file name as environment variables for later steps
      run: |
        FILE_PREFIX=$(echo "${{ github.repository }}${{ env.DEFAULT_SEPARATOR }}${{ github.ref_name }}${{ env.DEFAULT_SEPARATOR }}" | sed 's|/|-|g')-$(date +%Y%m%d%H%M%S)
        echo "FILE_PREFIX=${FILE_PREFIX}" >> $GITHUB_ENV
      # FILE_NAME=$(echo "${{ env.FILE_PREFIX }}${{ env.DEFAULT_SEPARATOR }}${{ env.DEFAULT_FILE_NAME }}${{ env.DEFAULT_FILE_EXTENSION }}")
      
  scc:
    name: 'Source code complexity checks'
    if: ${{ inputs.perform-complexity-checks == true }}
    uses: chef/common-github-actions/.github/workflows/scc.yml@main
    needs: checkout
    with:
      outputfilename: ${{ inputs.scc-output-filename }}
     
# TODO: make three separate flows, by language with all steps (as oposed to one file per step with language-branching in each)
# language specific tests (gosec, rubocop, linters, etc.)
# ${{ inputs.language == 'rust' && inputs.perform-language-linting == true }}
# TODO: note you cannot do a conditional on the job, only on the step if using an ENV VAR
  language-specific-checks:
    name: 'Language-specific pre-compilation steps and linting'  
    if: inputs.perform-language-linting 
    runs-on: ubuntu-latest
    needs: checkout
    steps:
      - name: echo language
        run: |
          echo "Build language is set to ${{ env.GA_BUILD_LANGUAGE }}"
          echo "Build language passed in ${{ inputs.language }}"
      - name: Rust language checks
        if: inputs.language == 'rust' # env.GA_BUILD_LANGUAGE 
        run: echo 'crate linter'
        # https://github.com/rust-lang/rust-clippy
        # cargo clippy --all-targets --all-features -- -D warnings
    
      - name: Ruby language checks
        if: inputs.language == 'ruby'
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.4'
          bundler-cache: true # runs 'bundle install' and caches installed gems automatically
        # generate gemfile.lock (TODO: move this below to OWASP)
      - name: RuboCop Lint
        if: inputs.language == 'ruby'
        run: |
          echo 'ruby linter'
        # gem install rubocop
        # rubocop --format=github --display-cop-names --extra-details --force-exclusion .
        # bundle install
        # - name: 'Bundler Audit'
        #   if: ${{ inputs.language == 'Ruby' && inputs.perform-complexity-checks == true }}
        #   uses: andrewmcodes/bundler-audit-action@main
        #   env:
        #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # TODO: get with Marc/Prajakta on this sequence for Ruby uses: chef/common-github-actions/.github/workflows/rubocop.yml@main
        # TODO: this is also not certified, craete a copy in .github/actions - https://github.com/marketplace/actions/bundler-audit-action
        # Bundler Audit Action is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.

      - name: Go language checks
        if: inputs.language == 'go'
        uses: actions/setup-go@v5
        with: 
          go-version: '1.24'
          check-latest: true
      - name: Configure git for private Go modules
        if: inputs.language == 'go'
        env:
          GOPRIVATE: ${{ inputs.go-private-modules }}
        run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
      - name: Go linting and security checks  
        if: inputs.language == 'go'
        run: echo "Running Go linting and security checks"
      # TODO: THESE DO NOT RUN IN CHEF ORG - need to create copies in common-github-actions/.github/actions/
      # we can download and install them manually here if needed
      # ERROR ON WORKFLOW: The actions golangci/golangci-lint-action@v6, dominikh/staticcheck-action@v1, and securego/gosec@master are not allowed in chef/arch-sample-cli because all actions must be from a repository owned by your enterprise, created by GitHub, verified in the GitHub Marketplace, or match one of the patterns: chef/*, chef/.github, chef/.github/workflows/*.
      # - name: Run golangci-lint
      #   if: env.GA_BUILD_LANGUAGE == 'go'
      #   uses: golangci/golangci-lint-action@v6
      #   with:
      #     version: latest
      #     args: --timeout=5m
      # - name: Run staticcheck
      #   if: env.GA_BUILD_LANGUAGE == 'go'
      #   uses: dominikh/staticcheck-action@v1
      #   with:
      #     version: latest
      # - name: Run Gosec Security Scanner
      #   uses: securego/gosec@master
      #   with:
      #     args: ./...

        # TO GET OUTPUT AS ARTIFACT go install github.com/securego/gosec/v2/cmd/gosec@latest
        # gosec ./... >> ./bin/gosec.out

        # https://go.googlesource.com/vuln - govulncheck is same as BlackDuck SCA backend, redundant to add it here

  language-agnostic-checks:
    name: 'Language-agnostic pre-compilation steps'
    if: inputs.perform-language-linting 
    runs-on: ubuntu-latest
    needs: checkout
    steps:
      - name: Language agnostic checks (OWASP dep check)
        run: echo "placeholder"
        #     - name: 'Language-agnostic pre-compilation steps (OWASP dependency check)'  
        #       uses: dependency-check/Dependency-Check_Action@main
        # TODO: Dependency Check is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation
        # create a copy in common-github-actions/.github/actions/owasp-dependency-check.yml
        # https://github.com/marketplace/actions/dependency-check & https://owasp.org/www-project-dependency-check/ 
        #     and flags at https://jeremylong.github.io/DependencyCheck/dependency-check-cli/arguments.html
        # - name: 'OWASP dependency check'
        #   uses: dependency-check/Dependency-Check_Action@v4.0.0
        #   with:
        #     project: ${{ github.event.repository.name }} 
        #       with:
        #         project: $REPO_NAME
        #         path: '.'
        #         format: 'JSON'
        # # out: 'reports' # this is the default, no need to specify unless you wish to override it
        #         args: >
        #           --enableRetired
        #           --prettyPrint
        # - name: Upload Test results
        #   uses: actions/upload-artifact@v4
        #   with:
        #     name: OWASP dependency check report
        #     path: ${{github.workspace}}/reports
        # TODO: add flag --failOnCVSS 7
        # TODO: integrate with SonarQube
        # TODO: correct artifact upload names like Sonu's in sbom.yml
              
  ################################################################################################################
  #
  #    Security source and repo secret scans
  #
  ################################################################################################################
  
  # # security scans
  run-trufflehog:
    name: 'Trufflehog scan'
    if: ${{ inputs.perform-trufflehog-scan }}
    uses: chef/common-github-actions/.github/workflows/trufflehog.yml@main
    needs: checkout
  run-trivy:
    name: 'Trivy scan'
    if: ${{ inputs.perform-trivy-scan }}
    uses: chef/common-github-actions/.github/workflows/trivy.yml@main
    needs: checkout
    with:
      version: ${{ inputs.version }}
  
      # run-srcclr:
  #   if: ${{ inputs.perform-srcclr-scan == true }}
  #   uses: chef/common-github-actions/.github/workflows/srcclr.yml@main
  #   needs: run-scc

  # run-veracode-sca:
  #   if: ${{ inputs.perform-veracode-sca-scan == true }}
  #   uses: chef/common-github-actions/.github/workflows/veracode-sca.yml@main
  #   needs: run-scc
  #   secrets: inherit
    
  
  # ################################################################################################################
  # #
  # #    Build and packaging steps
  # #
  # ################################################################################################################
  
  ci-build:
    name: 'Build/compilation and unit tests (CI)'
    if : ${{ inputs.build == true }}
    needs: checkout
    timeout-minutes: 40 # Maximum allowed minutes for GitHub-hosted runners (6 hours = 360 minutes)
    runs-on: ubuntu-latest
    # TODO: make this matrix strategy, and allow language compiler version overrides
    steps:
      - name: 'Build language: ${{ inputs.language }}'
        run: |
          echo "Building application in language ${{ env.GA_BUILD_LANGUAGE }}"
          echo " passed in with ${{ inputs.language }}"
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: 'Go build'
        if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
        run: |
          ls
          pwd
          go mod tidy
          go build -o ./bin/${{ env.REPO_NAME }} .
      - name: 'Go unit tests'
        if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
        run: |
          go test -v ./...
#   run: go test -v -coverprofile="coverage.out" ./... and upload artifact!
      #     - name: Build for Rust binary
      #       if: ${{ env.GA_BUILD_LANGUAGE == 'rust' }}  
      #       run: echo 'hello world'
      #       # cargo build --release --target-dir ./bin

      #     - name: Build for Ruby binary 
      # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem
      # https://bundler.io/man/bundle-install.1.html
      - name: 'Set up Ruby'
        if: ${{ inputs.language == 'ruby' }}
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: '3.4'
          bundler-cache: true
      - name: 'Ruby build'
        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}        
        run: |
          mkdir -p vendor
          if [ -f "Gemfile.lock" ]; then
            bundle install --deployment
          else
            echo "No .gemlock file found, creating it now"
            bundle install --path vendor/bundle --deployment
          fi
          bundle exec rake build
      
   
    # - name: Configure git for private modules
    #   env:
    #     GOPRIVATE: github.com/progress-platform-services/*
    #   run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
    
  # TODO: dynamic version detection stepswith new flags ${{ detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
      # AND ${{ detect-version-source-parameter: '' # use for file name}}
# version: ${{ github.workflow.env.APP_VERSION }}
      # version: ${{ needs.set-app-version.outputs.app-version }}
      
      # if you have a version file, you can read it in to an environment variable with
  #     - name: Set variables
  #       run: |
  #         VER=$(cat VERSION)
  #         echo "VERSION=$VER" >> $GITHUB_ENV
  #   then ${{ env.VERSION }}
  
  set-application-version:
    runs-on: ubuntu-latest
    name: 'Detect SBOM version for application'
    if: (inputs.version == '') && (inputs.detect-version-source-parameter != '') 
    needs: ci-build
    steps:
      - name: Detect SBOM version
        run: |
          echo "placeholder for setting version"
          echo ${{ inputs.version }}
          echo ${{ inputs.detect-version-source-parameter }}
          echo ${{ inputs.detect-version-source-type }}
    # outputs:
    #   app-version: ${{ steps.set-app-version.outputs.version }} # Map the step's output to the job's output
    # steps:
    #   - name: Checkout code
    #     uses: actions/checkout@v6
    #   - name: Set application version from file
    #     id: set-app-version
    #     run: |
    #       VERSION=$(cat VERSION) # cat VERSION works
    #       echo "APP_VERSION=$VERSION" >> $GITHUB_ENV

    #       echo "env.APP_VERSION = ${{ env.APP_VERSION }}"

    #       VERSION=$(cat VERSION)
    #       echo "two $VERSION"
    #       echo "VERSION=$VERSION" >> $GITHUB_ENV
    #       echo "$VERSION is the shell variable" 
    #       echo "Setting version to ${{ github.env.VERSION }} [$VERSION]"
    #       echo "version=$VERSION" >> $GITHUB_OUTPUT

    # if "latest-tag" then use action to get latest tag or ${{ github.event.release.tag_name }}
      # - name: Get latest tag
      #   uses: actions-ecosystem/action-get-latest-tag@v1
      #   id: latest_tag
      # - name: Use the latest tag
      #   run: echo "The latest tag is ${{ steps.latest_tag.outputs.tag }}"

  # ################################################################################################################
  # #
  # #    Unit tests and code quality checks
  # #
  # ################################################################################################################
  
  ci-unit-test: # FROM CHEF-VAULT
  # TODO: add language-specific unit tests
    name: 'Unit tests'
    if: ${{ inputs.unit-tests == true && success() && inputs.language == 'Ruby' }}
    needs:  ci-build
    strategy:
      fail-fast: false
      matrix:
        os-version: [ubuntu-latest, ubuntu-22.04, macos-latest]   # ubuntu-22.04 was original chef-vault
        ruby-version: ['3.4'] # '2.7', '3.1', 
    runs-on: ${{ matrix.os-version }}
    steps:
      - uses: actions/checkout@v6
      - name: Set up ruby version
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby-version }}
          bundler-cache: true
      - name: run specs
        run: bundle exec rake spec --trace
      # - name: Simplecov Report
      #   uses: aki77/simplecov-report-action@v1  # TODO: archived action - replace with another simplecov 
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}
      #     failedThreshold: 90
      #     resultPath: coverage/.last_run.json

  #   runs-on: ubuntu-latest
  #   needs: ci-package-binary
  #   name: 'CI unit tests'
  #   steps:
  #     - name: Build for Rust binary
  #       if: ${{ inputs.language == 'Rust' }}
  #       run: echo 'hello world'
  #       # cargo test --target-dir ./bin OR
  # - name: Run cargo-tarpaulin
  # shell: bash
  # run: |
  #   RUN_MODE=local cargo tarpaulin --ignore-tests --all-features --release --out Lcov
  #   sonar-scanner -Dcommunity.rust.lcov.reportPaths=lcov.info -Dsonar.login=${{ secrets.SONAR_TOKEN }}

  #     - name: Build for Ruby binary
  #       if: ${{ inputs.language == 'Ruby' }}
  #       run: echo 'hello world'
  #       # bundle exec rake test
  #       # bundle exec rake test:unit
  #       # bundle exec rake test:integration
  #       # bundle exec rake test:unit:rubocop

  #     - name: Build for Go binary
  #       if: ${{ inputs.language == 'Go' }}
  #       run: echo 'hello world'
  #       # go test -v ./... > ./bin/test.out

   # - name: Upload test coverage artifact
    #   uses: actions/upload-artifact@v4
    #   with:
    #     # Name of the artifact to upload.
    #     name: test-coverage.out
    #     # A file, directory or wildcard pattern that describes what to upload
    #     path: test/unittest/coverage.out
         
  # ################################################################################################################
  # #
  # #    Security SAST tests and scans (SonarQube and Blackduck SAST)
  # #
  # ################################################################################################################
  
  Sonar-public-repo:
    name: 'PUBLIC Sonar SAST scan'
    needs: ci-build
    if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'public'}}
    uses: chef/common-github-actions/.github/workflows/sonarqube-public-repo.yml@main
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
      build-profile: ${{ inputs.build-profile }}
      language: ${{ inputs.language }}
      report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
      report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
      quality-product-name: ${{ inputs.quality-product-name }}
      quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
      quality-testing-type: ${{ inputs.quality-testing-type }}
      quality-service-name: ${{ inputs.quality-service-name }}
      quality-junit-report: ${{ inputs.quality-junit-report }}
      visibility: ${{ inputs.visibility }}
      go-private-modules: ${{ inputs.go-private-modules }}
      udf1: ${{ inputs.udf1 }}
      udf2: ${{ inputs.udf2 }}
      udf3: ${{ inputs.udf3 }}
        
  Sonar-private-repo:
    name: 'PRIVATE Sonar scan (inline)'
    if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'private'}}
    needs: ci-build
    # was uses: chef/common-github-actions/.github/workflows/sonarqube-private-repo.yml@main
    runs-on: ubuntu-latest
    steps:
    - name: SonarQube Scan
      if: ${{ inputs.visibility == 'private' }}
      uses: sonarsource/sonarqube-scan-action@v5.3.1
      continue-on-error: true
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        
  Sonar-internal-repo:
    name: 'INTERNAL Sonar scan'
    if: ${{ inputs.perform-sonarqube-scan == true && inputs.visibility == 'internal'}}
    # was if: ${{ inputs.perform-sonarqube-scan == true && success() && inputs.visibility == 'internal'}}
    needs: ci-build
    uses: chef/common-github-actions/.github/workflows/sonarqube-internal-repo.yml@main
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    with:
      perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
      build-profile: ${{ inputs.build-profile }}
      language: ${{ inputs.language }}
      report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
      report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
      quality-product-name: ${{ inputs.quality-product-name }}
      quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
      quality-testing-type: ${{ inputs.quality-testing-type }}
      quality-service-name: ${{ inputs.quality-service-name }}
      quality-junit-report: ${{ inputs.quality-junit-report }}
      visibility: ${{ inputs.visibility }}
      go-private-modules: ${{ inputs.go-private-modules }}
      udf1: ${{ inputs.udf1 }}
      udf2: ${{ inputs.udf2 }}
      udf3: ${{ inputs.udf3 }}
      
  # TODO: add new flags to BLACKDUCK ${{ polaris-blackduck-executable }} && ${{ polaris-executable-detect-path }}

  # NOW THE LATEST COMMUNITY - https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/action.yml 
  # # updated to https://documentation.blackduck.com/bundle/bridge/page/documentation/c_download.html#polaris-download
  # # https://github.com/marketplace/actions/black-duck-security-scan
  # NOT USED - from https://documentation.blackduck.com/bundle/bridge/page/documentation/t_github-polaris-quickstart.html
  # parameters @ https://documentation.blackduck.com/bundle/bridge/page/documentation/c_github-polaris.html
  # internal confluence https://progresssoftware.atlassian.net/wiki/spaces/TCE/pages/1010336076/Polaris#Examples
  #   and https://progresssoftware.atlassian.net/wiki/spaces/TCE/pages/1010303415/Polaris+-+Github+Actions+Templates
  # chef-vault at https://polaris.blackduck.com/portfolio/portfolios/8b7ad6f7-6dcb-49ec-bded-bfc4f190d4f8/portfolio-items/fe369baf-11d2-4989-bcb7-045577856dcc/projects/2460eabd-d033-48a1-a378-6cadd49be6d1/tests/sast?branchId=a6d2c02a-05f8-4557-bfa1-c40e9337ee5d
  BlackDuck-Polaris-SAST:
    # branding: applied at action.yml level, not workflow, see https://docs.github.com/en/actions/reference/workflows-and-actions/metadata-syntax#branding
    #   icon: 'shield'
    #   color: 'red'
    if: ${{ inputs.perform-blackduck-polaris == true }}
    runs-on: ubuntu-latest
    needs: checkout # TODO: fix set-application-version
    steps:
      - name: Starting Black Duck Polaris scan
        run: |
          echo "Starting Polaris SAST scan"
          echo "Below variable should be https://polaris.blackduck.com"
          echo "POLARIS_SERVER_URL: ${{ secrets.POLARIS_SERVER_URL }}"
          echo "Polaris application name: ${{ inputs.polaris-application-name }}"
          echo "Polaris project name: ${{ inputs.polaris-project-name }}"
          echo "POLARIS_ACCESS_TOKEN: ${{ secrets.POLARIS_ACCESS_TOKEN }}"
        continue-on-error: true
        # other polaris/coverity flags (unused): working-directory, config-path, coverity-config-path, coverity-build-command, coverity-clean-command, coverity-args,
        #   detect-search-depth, detect-args, assessment-mode, source-archive, source-excludes, preserve-symlinks, wait-for-scan, mark-build-status:, pr-comment-severities, diagnostic

      - name: Check input variables
        run: |
          if [[ -z "${{ inputs.polaris-application-name }}" ]] || [[ -z "${{ inputs.polaris-project-name }}" ]]; then
              echo "Polaris application name and project name must be set"
              exit 1
          fi
      
      - name: BlackDuck Polaris scan
        uses: blackduck-inc/black-duck-security-scan@v2
        # copied from uses: prgs-community/githubactions-securityscans/polaris@v0.5 in https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md
        # uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 # 2.0.0 - Jan's version
        with:
          ### SCANNING: Required fields
          polaris_server_url: ${{ secrets.POLARIS_SERVER_URL }} # https://polaris.blackduck.com
          polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
          polaris_application_name: "${{ inputs.polaris-application-name }}"  
          # project name schema: <Solution>-<Product>-<Module If Applicable>-<Optional Numeric Suffix If Needed>
          polaris_project_name: ${{ inputs.polaris-project-name }}  # typically GitHub repo name 
          polaris_assessment_types: "SAST" # or "CI" or "SOURCE_UPLOAD", a license type
          # new in 1.0.7, OPTIONAL FIELDS
          project_directory: ${{ inputs.polaris-working-directory }}
          detect_config_path: ${{ inputs.polaris-config-path != '' && inputs.polaris-config-path || null}}
          coverity_config_path: ${{ inputs.polaris-coverity-config-path != '' && inputs.polaris-coverity-config-path || null }}
          coverity_build_command: ${{ inputs.polaris-coverity-build-command != '' && inputs.polaris-coverity-build-command || null }}
          coverity_clean_command: ${{ inputs.polaris-coverity-clean-command != '' && inputs.polaris-coverity-clean-command || null }}
          coverity_args: ${{ inputs.polaris-coverity-args != '' && inputs.polaris-coverity-args || null }}
          detect_search_depth: ${{ inputs.polaris-detect-search-depth != '' && inputs.polaris-detect-search-depth || null }}
          detect_args: ${{ inputs.polaris-detect-args != '' && inputs.polaris-detect-args || null }}
          polaris_assessment_mode: ${{ inputs.polaris-assessment-mode }}
          # TODO: warning in GA - polaris_assessment_mode is deprecated. Use polaris_test_sast_location=remote and/or polaris_test_sca_location=remote for source upload scans instead.
          polaris_waitForScan: 'true' #  ${{ inputs.polaris-wait-for-scan }} # defaults to true - is this a boolean or string?
          # not yet enabled from https://github.com/prgs-community/githubactions-securityscans/blob/main/polaris/README.md 
          # project_source_archive: ${{ inputs.polaris-source-archive != '' && inputs.polaris-source-archive || null }}
          # project_source_excludes: ${{ inputs.polaris-source-excludes != '' && inputs.polaris-source-excludes || null }}
          # project_source_preserveSymLinks: ${{ inputs.polaris-preserve-symlinks }}
          # include_diagnostics: ${{ inputs.polaris-diagnostic }}
          # mark_build_status: ${{ inputs.polaris-mark-build-status != '' && inputs.polaris-mark-build-status || null }}
          # pr-comment-severities: "CRITICAL,HIGH"
          github_token: ${{ secrets.GITHUB_TOKEN }}
          
          # options from Jan's (FlowMon. GitLab)
          #   polaris_prComment_enabled: ${{ github.event_name == 'pull_request' && 'true' || 'false' }}
          #   polaris_prComment_severities: "CRITICAL,HIGH"
          # from Blackduck page at https://polaris.blackduck.com/portfolio/portfolios/8b7ad6f7-6dcb-49ec-bded-bfc4f190d4f8/portfolio-items/fe369baf-11d2-4989-bcb7-045577856dcc/projects
          #   SARIF report parameters
          #   polaris_reports_sarif_create: true
          #   polaris_upload_sarif_report: true
          # Mark build status if policy violating issues are found
          #   mark_build_status: 'success'
        continue-on-error: true
       
  ################################################################################################################
  #
  #    TODO: Add packaging steps – rpm, deb, MSI, dpkg + signing + SHA
  #
  ################################################################################################################
  package-binary:
    name: 'Creating packaged binaries'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.package-binaries == true }}
    needs: ci-build
    steps:
      - name: 'Create packaged binaries'
        run: echo "Creating packaged binaries"
  # TODO: add flag for any params needed

  ################################################################################################################
  #
  #    TODO: Add habitat build steps from plan.sh for various packages/platforms/machine archs, optionally publish to Builder, then optionally test with grype
  #
  ################################################################################################################  
  habitat-build:
    name: 'Creating Habitat packages'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.habitat-build == true }}
    needs: package-binary
    steps:
      - name: 'Create Habitat packages'
        run: echo "Creating Habitat packages"
  # TODO: add flag for any params needed
  habitat-publish:
    name: 'Publishing Habitat packages to Builder'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.publish-habitat-packages == true }}
    needs: habitat-build
    steps:
      - name: 'Publishing Habitat packages to Builder'
        run: echo "Publishing Habitat packages to Builder"
  habitat-grype-scan-linux:
    # this workflow installs a specified Chef Habitat package and runs a Grype security scan against it.
    # It supports multiple OS runners (Linux, Windows, MacOS) and allows dynamic input of package details.
    # The results of the Grype scan are uploaded as artifacts for further analysis.

    # Example hab pkg install command:
    # hab pkg install core/7zip/24.09/20250708070501 --channel base-2025 --auth HAB_PERSONAL_ACCESS_TOKEN 
    # -z, --auth <AUTH_TOKEN>            Authentication token for Builder [env: HAB_AUTH_TOKEN=]
    #     --binlink-dir <BINLINK_DIR>    Binlink all binaries from installed package(s) into BINLINK_DIR [env: HAB_BINLINK_DIR=]  [default: /bin]
    # -u, --url <BLDR_URL>               Specify an alternate Builder endpoint. If not specified, the value will be taken from the HAB_BLDR_URL environment variable if defined. (default: https://bldr.habitat.sh)
    # -c, --channel <CHANNEL>            Install from the specified release channel [env: HAB_BLDR_CHANNEL=]  [default: stable]

    # Example hab pkg download command (we do not use this in the workflow but it's here for reference; allows --target):
    # hab pkg download core/nginx/<VERSION>/<RELEASE> \
    # --channel stable \  
    # --target x86_64-linux \
    # --download-directory /tmp/habitat_packages
    name: 'Grype scan of Habitat packages'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'ubuntu-latest' }}
    # TODO: make this a matrix operation 
    needs: habitat-publish
    steps:
      - name: Install Chef Habitat (MacOS and Linux)
        run: |
          curl https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.sh | sudo bash

      - name: Configure Habitat (MacOS and Linux)
        run: |
          # Add Habitat to PATH (for current session and future steps if needed, though install.sh usually handles symlinks)
          echo "/hab/bin" >> $GITHUB_PATH
          
          # Accept the license
          echo "HAB_LICENSE=accept-no-persist" >> $GITHUB_ENV
          
          # Create the necessary directory structure for license file
          sudo mkdir -p /hab/accepted-licenses/
          sudo touch /hab/accepted-licenses/habitat

      - name: Install Grype (Linux and MacOS)
        continue-on-error: true
        run: |
          curl -sSfL https://get.anchore.io/grype | sh -s -- -b /usr/local/bin

      - name: Install Habitat Package under test (example core/nginx on MacOS and Linux)
        run: |
          PACKAGE="${{ inputs.publish-habitat-hab_package }}"
          if [ -n "${{ inputs.publish-habitat-hab_version }}" ]; then
            PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_version }}"
          fi
          if [ -n "${{ inputs.publish-habitat-hab_release }}" ]; then
            PACKAGE="${PACKAGE}/${{ inputs.publish-habitat-hab_release }}"
          fi
          
          INSTALL_CMD="sudo hab pkg install ${PACKAGE}"
          
          if [ -n "${{ inputs.publish-habitat-hab_channel }}" ]; then
            INSTALL_CMD="${INSTALL_CMD} --channel ${{ inputs.publish-habitat-hab_channel }}"
          fi
          
          AUTH_TOKEN="${{ inputs.publish-habitat-hab_auth_token }}"
          if [ -z "${AUTH_TOKEN}" ]; then
            AUTH_TOKEN="${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
            echo "Using token from repository secret"
          else
            echo "Using token from workflow input"
          fi
          # if [ -n "${AUTH_TOKEN}" ]; then
          #   INSTALL_CMD="${INSTALL_CMD} --auth ${AUTH_TOKEN}"
          # fi
          
          echo "Installing: ${INSTALL_CMD}"
          eval ${INSTALL_CMD}

      - name: Run Grype Scan on Habitat Package
        timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
        run: |
          # Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
          PKG_PATH=$(hab pkg path ${{ inputs.publish-habitat-hab_package }})
          # run grype in runner
          grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} 
          # run grype to output to file (which is uploaded to the job as an artifact)
          OUTPUT_FILE="grype-results-ubuntu-${{ inputs.publish-habitat-hab_package }}.txt"
          OUTPUT_FILE="${OUTPUT_FILE//\//-}"
          echo $OUTPUT_FILE
          grype dir:$PKG_PATH --name ${{ inputs.publish-habitat-hab_package }} > $OUTPUT_FILE
          echo "OUTPUT_FILE=$OUTPUT_FILE" >> $GITHUB_ENV
          
      - name: Upload Grype Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: grype-results-ubuntu-${{ env.OUTPUT_FILE }}
          path: ${{ env.OUTPUT_FILE }}

  habitat-grype-scan-windows:
    name: 'Grype scan of Habitat packages (Windows)'
    runs-on: windows-latest
    if: ${{ success() && inputs.habitat-grype-scan == true && inputs.publish-habitat-runner_os == 'windows-latest' }}
    # TODO: make this a matrix operation 
    needs: habitat-publish
    steps:
      - name: Install Chef Habitat (Windows)
        run: |
          choco install habitat

          # Set-ExecutionPolicy Bypass -Scope Process -Force;
          # [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
          # iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/habitat-sh/habitat/main/components/hab/install.ps1'))
          # $env:PATH += ";~\bin\hab-1.6.1245-20250905141844-x86_64-windows"
          # Write-Host "one"
          # ls ~/bin
          # Write-Host "two"
          # ls c:/users/runneradmin/bin
          # Write-Host "three"
          # ls c:/hab
          # ls "~\bin\hab-1.6.1245-20250905141844-x86_64-windows"
          
          # Write-Host "end"
          hab --version
      
      - name: Configure Habitat (Windows)
        run: |
          # Accept the license
          echo "HAB_LICENSE=accept-no-persist" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
          
          # Create the necessary directory structure for license file
          New-Item -ItemType Directory -Force -Path "C:\hab\accepted-licenses"
          New-Item -ItemType File -Force -Path "C:\hab\accepted-licenses\habitat"
          
      - name: Install Grype (Windows)
        continue-on-error: true
        run: |
          $ErrorActionPreference = 'Stop'
          # Download and install Grype for Windows
          $grypeVersion = (Invoke-RestMethod -Uri "https://api.github.com/repos/anchore/grype/releases/latest").tag_name
          $grypeUrl = "https://github.com/anchore/grype/releases/download/$grypeVersion/grype_$($grypeVersion.TrimStart('v'))_windows_amd64.zip"
          $grypeZip = "$env:TEMP\grype.zip"
          $grypeDir = "$env:TEMP\grype"
          
          # Download Grype
          Invoke-WebRequest -Uri $grypeUrl -OutFile $grypeZip
          
          # Extract Grype
          Expand-Archive -Path $grypeZip -DestinationPath $grypeDir -Force
          
          # Add Grype to PATH for subsequent steps
          echo "$grypeDir" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
          
          # Verify installation
          & "$grypeDir\grype.exe" version

      - name: Install Habitat Package under test (Windows)
        run: |
          $Package = "${{ inputs.publish-habitat-hab_package }}"
          if ("${{ inputs.publish-habitat-hab_version }}" -ne "") {
            $Package = "${Package}/${{ inputs.publish-habitat-hab_version }}"
          }
          if ("${{ inputs.publish-habitat-hab_release }}" -ne "") {
            $Package = "${Package}/${{ inputs.publish-habitat-hab_release }}"
          }
          
          $InstallCmd = "hab pkg install ${Package}"
          
          if ("${{ inputs.publish-habitat-hab_channel }}" -ne "") {
            $InstallCmd = "${InstallCmd} --channel ${{ inputs.publish-habitat-hab_channel }}"
          }
          
          $AuthToken = "${{ inputs.publish-habitat-hab_auth_token }}"
          if ([string]::IsNullOrEmpty($AuthToken)) {
            $AuthToken = "${{ secrets.HAB_PUBLIC_BLDR_PAT }}"
            Write-Host "Using token from repository secret"
          } else {
            Write-Host "Using token from workflow input"
          }
          # if (-not [string]::IsNullOrEmpty($AuthToken)) {
          #   $InstallCmd = "${InstallCmd} --auth ${AuthToken}"
          # }
          
          Write-Host "Installing: ${InstallCmd}"
          Invoke-Expression $InstallCmd

      - name: Run Grype Scan on Habitat Package (Windows)
        timeout-minutes: 15 # Sets a 15-minute timeout for this specific step
        run: |
          # Find the installed package path. 'hab pkg path' returns the path to the latest installed version.
          $PkgPath = hab pkg path ${{ inputs.publish-habitat-hab_package }}
          # run grype in runner
          grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }}
          # run grype to output to file (which is uploaded to the job as an artifact)
          $OutputFile = "grype-results-windows-${{ inputs.publish-habitat-hab_package }}.txt"
          $OutputFile = $OutputFile -replace '/', '-'
          Write-Host $OutputFile
          grype dir:$PkgPath --name ${{ inputs.publish-habitat-hab_package }} | Out-File -FilePath $OutputFile -Encoding utf8
          echo "OUTPUT_FILE=$OutputFile" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
                
      - name: Upload Grype Scan Results
        uses: actions/upload-artifact@v4
        with:
          name: grype-results-windows-${{ env.OUTPUT_FILE }}
          path: ${{ env.OUTPUT_FILE }}

  ################################################################################################################
  #
  #    TODO: Add binary publishing steps – container from Dockerfile to ECR, go-releaser binary to releases page, 
  #       omnibus to artifactory, gems, choco, homebrew, other app stores
  #
  ################################################################################################################
  publish:
    name: 'Publishing packages'
    runs-on: ubuntu-latest
    if: ${{ success() && inputs.publish-packages == true }}
    needs: habitat-build
    steps:
      - name: 'Publishing packages'
        run: echo "Publishing packages"
  # TODO: add flag for any params needed

  ################################################################################################################
  #
  #    Create software bill-of-materials (SBOM) using SPDX format
  #
  ################################################################################################################
  generate-sbom:
    name: 'Generating SBOM'
    if: ${{ inputs.generate-sbom == true }}
    uses: chef/common-github-actions/.github/workflows/sbom.yml@main
    needs: ci-build
    secrets: inherit
    with:
      version: ${{ inputs.version }}
      export-github-sbom: ${{ inputs.export-github-sbom }}
      perform-blackduck-sca-scan: ${{ inputs.perform-blackduck-sca-scan }}
      # generate-blackduck-sbom: ${{ inputs.generate-blackduck-sbom }}  # obsolete, remove TODO
      blackduck-project-group-name: ${{ inputs.blackduck-project-group-name }}
      blackduck-project-name: ${{ inputs.blackduck-project-name }}
      generate-msft-sbom: ${{ inputs.generate-msft-sbom }}
      license_scout: ${{ inputs.license_scout }}
      go-private-modules: ${{ inputs.go-private-modules }}

  quality-dashboard:
    name: 'Reporting to quality dashboard'
    needs: generate-sbom
    secrets: inherit
    permissions:
      id-token: write
      contents: read
    if: ${{ inputs.report-to-atlassian-dashboard == true && success() }}
    uses: chef/common-github-actions/.github/workflows/irfan-quality-dashboard.yml@main
    with:
      perform-build: ${{ inputs.build }} # was ${{ inputs.perform-sonar-build }}
      build-profile: ${{ inputs.build-profile }}
      language: ${{ inputs.language }}
      report-unit-test-coverage: ${{ inputs.report-unit-test-coverage }}
      report-to-atlassian-dashboard: ${{ inputs.report-to-atlassian-dashboard }}
      quality-product-name: ${{ inputs.quality-product-name }}
      quality-sonar-app-name: ${{ inputs.quality-sonar-app-name }}
      quality-testing-type: ${{ inputs.quality-testing-type }}
      quality-service-name: ${{ inputs.quality-service-name }}
      quality-junit-report: ${{ inputs.quality-junit-report }}
      visibility: ${{ inputs.visibility }}
      go-private-modules: ${{ inputs.go-private-modules }}
      udf1: ${{ inputs.udf1 }}
      udf2: ${{ inputs.udf2 }}
      udf3: ${{ inputs.udf3 }}