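# This action works transparently on both Blacksmith and GitHub-hosted runners.
# Blacksmith runners benefit from transparent caching and optional Docker layer caching.
# GitHub-hosted runners use standard GitHub Actions caching.
#
# Supply-chain notes:
# - Every third-party action below is pinned to a full commit SHA; the trailing
#   comment records the release tag that SHA was taken from.
# - The SafeChain installer is checked against a pinned SHA-256 before it runs.
# - Caller-supplied commands reach the shell through environment variables,
#   not through expression expansion inside a `run:` script.
# - Scripts under .github/scripts/ are referenced by relative path, so the
#   calling job must have checked out the repository before using this action.
name: 'Node.js Build Setup'
description: 'Configures Node.js with pnpm, installs Aikido SafeChain for supply chain protection, installs dependencies, enables Turborepo caching, (optional) sets up Docker layer caching, and builds the project or an optional command.'

inputs:
  node-version:
    description: 'Node.js version to use. Pinned to 24.14.1 by default for reproducible builds.'
    required: false
    default: '24.14.1'
  enable-docker-cache:
    description: 'Whether to set up Blacksmith Buildx for Docker layer caching (Blacksmith runners only).'
    required: false
    default: 'false'
  build-command:
    description: 'Command to execute for building the project or an optional command. Leave empty to skip build step.'
    required: false
    default: 'pnpm build'
  install-command:
    description: 'Command to execute for installing project dependencies. Leave empty to skip install step.'
    required: false
    default: 'pnpm install --frozen-lockfile'

runs:
  using: 'composite'
  steps:
    - name: Setup pnpm
      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0

    - name: Setup Node.js
      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
      with:
        node-version: ${{ inputs.node-version }}
        cache: 'pnpm'

    # To avoid setup-node cache failure.
    # see: https://github.com/actions/setup-node/issues/1137
    - name: Verify PNPM Cache Directory
      shell: bash
      run: |
        PNPM_STORE_PATH="$( pnpm store path --silent )"
        # mkdir -p is a no-op when the directory already exists.
        mkdir -p "$PNPM_STORE_PATH"

    # Runs before the SafeChain install so the config is in place when
    # SafeChain is first used.
    - name: Configure SafeChain
      shell: bash
      run: |
        # SafeChain only reads configs from this directory https://github.com/AikidoSec/safe-chain#configuration-options-1
        mkdir -p "$HOME/.safe-chain"
        # GITHUB_ACTION_PATH is the runner-provided location of this composite
        # action. Reading it from the environment keeps expression expansion
        # out of the script text.
        cp "$GITHUB_ACTION_PATH/safe-chain.config.json" "$HOME/.safe-chain/config.json"

    - name: Install Aikido SafeChain
      shell: bash
      run: |
        # VERSION and EXPECTED_SHA256 describe the same release asset; update
        # them together, taking the new hash from a download you have reviewed.
        VERSION="1.5.1"
        EXPECTED_SHA256="7c910fff717649c86cc8ca960e6c054d3734da2d660050e3bcfc54029e3b485b"

        # Stage the installer outside the checkout and remove it on every exit
        # path, including a failed download or a checksum mismatch.
        INSTALLER="${RUNNER_TEMP}/install-safe-chain.sh"
        trap 'rm -f "$INSTALLER"' EXIT

        node .github/scripts/retry.mjs --attempts 3 --delay 10 -- \
          curl -fsSL -o "$INSTALLER" "https://github.com/AikidoSec/safe-chain/releases/download/${VERSION}/install-safe-chain.sh"

        # sha256sum -c exits non-zero on a mismatch and the runner starts bash
        # with -e, so the installer below never runs unverified.
        # NOTE(review): the hash covers the installer script only; anything the
        # installer itself downloads is outside this check. Confirm that the
        # installer verifies what it fetches.
        echo "${EXPECTED_SHA256}  ${INSTALLER}" | sha256sum -c -
        sh "$INSTALLER" --ci

    - name: Install Dependencies
      if: ${{ inputs.install-command != '' }}
      shell: bash
      env:
        INSTALL_COMMAND: ${{ inputs.install-command }}
      run: |
        # Deliberately unquoted: the value is word-split into a command and its
        # arguments. Shell operators (&&, |, ;) and quoting inside the value are
        # not interpreted, so callers must pass a single simple command.
        $INSTALL_COMMAND

    - name: Configure Turborepo Cache
      uses: rharkor/caching-for-turbo@0abc2381e688c4d2832f0665a68a01c6e82f0d6c # v2.3.11

    # Exactly one of the two builder steps runs when enable-docker-cache is
    # 'true'; the choice depends on whether the runner name contains 'blacksmith'.
    - name: Setup Docker Builder for Docker Cache (Blacksmith)
      if: ${{ inputs.enable-docker-cache == 'true' && contains(runner.name, 'blacksmith') }}
      uses: useblacksmith/setup-docker-builder@ef12d5b165b596e3aa44ea8198d8fde563eab402 # v1.4.0

    - name: Setup Docker Builder (GitHub fallback)
      if: ${{ inputs.enable-docker-cache == 'true' && !contains(runner.name, 'blacksmith') }}
      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

    - name: Build Project
      if: ${{ inputs.build-command != '' }}
      shell: bash
      env:
        BUILD_COMMAND: ${{ inputs.build-command }}
      run: |
        # Same word-splitting rules as the install step. --summarize is appended
        # to whatever command the caller supplies, so an overriding
        # build-command must accept that flag.
        $BUILD_COMMAND --summarize
        # Stats reporting is best-effort: a failure here must not fail the build.
        # A failed build aborts the step before these lines are reached.
        node .github/scripts/send-build-stats.mjs || true
        node .github/scripts/send-docker-stats.mjs || true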