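---
# ci-sync: 2026-05-30T01:27:24Z
# Homelab CI — Docker/heavy lane (git-ci-02)
#
# Three jobs: a cheap gate that honours an "@skipci" marker in the branch
# name or commit message, then (unless skipped) a Dockerfile lint plus an
# advisory config scan on the heavy+docker runners, and a full-history
# secret scan on the heavy runners.
name: CI

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes back to
# GitHub, so read access to the repository contents is all checkout needs.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master, main]
  # NOTE(review): pull_request runs on the self-hosted runners below, which
  # expose the Docker CLI to the checked-out code. Presumably the repo is
  # private or fork PR runs need approval — confirm before accepting PRs
  # from outside the homelab.
  pull_request:
    types: [opened, synchronize, reopened]

jobs:
  # Decides whether the rest of the workflow should run. Emits skip=1 when
  # "@skipci" (case-insensitive) appears in the branch name or commit
  # message, skip=0 otherwise.
  skip-ci-check:
    runs-on: [homelab, self-hosted, linux]
    container:
      image: node:20-bookworm
    outputs:
      should-skip: ${{ steps.check.outputs.skip }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 1
      # The marker is author-controlled (branch name / commit message), so it
      # can also skip the lint and secret-scan jobs below. Presumably an
      # accepted trade-off for a homelab — confirm neither job is relied on
      # as a required status check.
      - id: check
        run: |
          SKIP=0
          # Head branch for PRs, else the pushed branch with refs/heads/ stripped.
          BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
          # GITHUB_EVENT_HEAD_COMMIT_MESSAGE is presumably provided by the runner
          # environment; fall back to git, or an empty message, when unset.
          MSG="${GITHUB_EVENT_HEAD_COMMIT_MESSAGE:-$(git log -1 --pretty=%B 2>/dev/null || true)}"
          echo "$BRANCH" "$MSG" | grep -qi '@skipci' && SKIP=1
          echo "skip=$SKIP" >> "$GITHUB_OUTPUT"

  # Dockerfile lint (gating) and Trivy config scan (advisory). Runs only when
  # the gate above did not request a skip; an empty output (gate failed)
  # also lets the job run.
  docker-ci:
    needs: skip-ci-check
    if: needs.skip-ci-check.outputs.should-skip != '1'
    runs-on: [homelab, self-hosted, linux, heavy, docker]
    steps:
      - uses: actions/checkout@v4
      # Lints every Dockerfile at the repo root, anywhere under docker/, or
      # one directory deep. The default bash -e shell stops the loop and fails
      # the job on the first hadolint error.
      - name: Hadolint
        run: |
          shopt -s globstar nullglob
          declare -A seen
          found=0
          for f in Dockerfile docker/**/Dockerfile */Dockerfile; do
            [ -f "$f" ] || continue
            # docker/Dockerfile matches both the docker/** and */ globs; lint
            # each file once.
            [ -n "${seen[$f]:-}" ] && continue
            seen[$f]=1
            found=1
            # TODO(supply-chain): pin the hadolint image to a version or digest
            # rather than the floating default tag.
            docker run --rm -i hadolint/hadolint < "$f"
          done
          [ "$found" -eq 1 ] || echo "No Dockerfile — skip hadolint"
      # Advisory only: findings appear in the job log but never fail the job
      # (|| true). TODO(supply-chain): pin the trivy image as well.
      - name: Trivy config scan (advisory)
        run: |
          docker run --rm -v "$PWD:/repo" aquasec/trivy:latest config /repo || true

  # Full-history secret scan; gitleaks' default non-zero exit on findings
  # fails the job.
  secret-scan:
    needs: skip-ci-check
    if: needs.skip-ci-check.outputs.should-skip != '1'
    runs-on: [homelab, self-hosted, linux, heavy]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so every commit is scanned, not just HEAD
      # --redact keeps matched secret values out of the CI log.
      # TODO(supply-chain): pin the gitleaks image to a version or digest.
      - name: Gitleaks
        run: |
          docker run --rm -v "$PWD:/repo" ghcr.io/gitleaks/gitleaks:latest \
            detect --source /repo --no-banner --redact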