# CI checks for the MCP server container (mcp_server/): lints the Dockerfile
# when it changes, and builds + Trivy-scans the image per architecture when
# anything under mcp_server/ (other than the docs listed below) changes.
# Both jobs are gated on the upstream repository, so forks do not run them.
name: 'MCP: Container Checks'

# NOTE: a generic YAML 1.1 parser reads this key as boolean `true`; GitHub's
# own loader handles it, so do not quote it.
on:
  push:
    branches:
      - 'master'
      - 'v5.*'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'

# One run per workflow + ref; a newer push cancels the superseded run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Docker build context; a subdirectory, so the repository's .git directory
  # (and any credentials persisted in it) is outside the context.
  MCP_WORKING_DIR: ./mcp_server
  # Local-only image name; nothing in this workflow pushes to a registry.
  IMAGE_NAME: prowler-mcp

jobs:
  mcp-dockerfile-lint:
    # Skip in forks: the job only runs in the upstream repository.
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 15
    # Least privilege: linting needs read access only.
    permissions:
      contents: read
    steps:
      # Third-party actions are pinned to full commit SHAs (version noted in
      # the trailing comment) rather than mutable tags.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with: # zizmor: ignore[artipacked]
          # Leaves the job token in .git/config for the later steps of this job.
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      # Only the Dockerfile path is watched here; the lint step below is
      # conditioned on this step's output.
      - name: Check if Dockerfile changed
        id: dockerfile-changed
        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
        with:
          files: mcp_server/Dockerfile

      # Step outputs are strings, hence the comparison against 'true'.
      - name: Lint Dockerfile with Hadolint
        if: steps.dockerfile-changed.outputs.any_changed == 'true'
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: mcp_server/Dockerfile

  mcp-container-build-and-scan:
    # Skip in forks: the job only runs in the upstream repository.
    if: github.repository == 'prowler-cloud/prowler'
    # Each matrix entry builds natively on a runner of its own architecture
    # (no QEMU emulation step is configured).
    runs-on: ${{ matrix.runner }}
    strategy:
      matrix:
        include:
          - platform: linux/amd64
            runner: ubuntu-latest
            arch: amd64
          - platform: linux/arm64
            runner: ubuntu-24.04-arm
            arch: arm64
    timeout-minutes: 30
    # NOTE(review): security-events/pull-requests write are presumably consumed
    # by the local trivy-scan action (SARIF upload / PR comment) - confirm
    # against .github/actions/trivy-scan; the build itself needs neither.
    permissions:
      contents: read
      security-events: write
      pull-requests: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with: # zizmor: ignore[artipacked]
          # Leaves the job token in .git/config for the later steps of this job.
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      # Any change under mcp_server/ triggers a build, except the two docs
      # listed in files_ignore (newline-separated string input).
      - name: Check for MCP changes
        id: check-changes
        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
        with:
          files: mcp_server/**
          files_ignore: |
            mcp_server/README.md
            mcp_server/CHANGELOG.md

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      # push: false + load: true keeps the image on the runner's local Docker
      # daemon for the scan step; it never leaves the runner.
      # The tag embeds the commit SHA and arch so the scan below addresses
      # exactly the image built in this matrix entry.
      - name: Build MCP container for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
        with:
          context: ${{ env.MCP_WORKING_DIR }}
          push: false
          load: true
          platforms: ${{ matrix.platform }}
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
          # Layer cache is scoped per architecture so the two builds do not
          # overwrite each other's cache entries.
          cache-from: type=gha,scope=${{ matrix.arch }}
          cache-to: type=gha,mode=max,scope=${{ matrix.arch }}

      # Composite action from this repository (not SHA-pinned; it ships with
      # the checked-out commit). Inputs are strings, hence the quoting.
      # fail-on-critical 'false' makes the scan advisory: CRITICAL findings are
      # reported but do not fail the job or block the merge. Consider flipping
      # it to 'true' once the image has a clean baseline.
      - name: Scan MCP container with Trivy for ${{ matrix.arch }}
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}-${{ matrix.arch }}
          fail-on-critical: 'false'
          severity: 'CRITICAL'