# Regenerates the test-coverage badge (coverage.svg) and commits it back to the
# repository. Runs weekly (Sunday 00:00 UTC) and on manual dispatch.
name: Coverage

on:
  schedule:
    - cron: '0 0 * * 0'
  workflow_dispatch:

# Workflow-level default: read-only GITHUB_TOKEN. The single job below raises
# this to contents: write for itself only.
permissions:
  contents: read

jobs:
  update-coverage:
    # NOTE(review): self-hosted runner. This job imports a GPG private key and
    # checks out with a long-lived PAT; confirm these runners are ephemeral (or
    # scrubbed between jobs) so neither secret outlives the run.
    runs-on: [ self-hosted, public, linux, x64 ]
    permissions:
      contents: write
    # Secrets referenced below are scoped to the "release" environment; any
    # protection rules configured on that environment gate this job.
    environment: release
    env:
      PYTHON_VERSION: "3.8"
    steps:
      # NOTE(review): the `# vN` comments next to the pinned SHAs are not
      # checked by anything here — verify they still match the tags the SHAs
      # point at, since version-bump tooling keys off them.
      #
      # Checkout uses a PAT rather than the job's GITHUB_TOKEN (which already
      # has contents: write) — presumably so the resulting commit can bypass
      # branch protection or trigger downstream workflows; confirm that is
      # intended. With checkout's default persist-credentials the PAT is
      # written into .git/config, so every later step (dependency install,
      # pytest) runs with it readable on disk.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
        with:
          token: ${{ secrets.GH_PAT_SECRET }}
      # Imports the signing key into the runner's GPG keyring. The action is
      # expected to remove it in its post step — TODO confirm for this pinned
      # revision, given the self-hosted runner above.
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4  # v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set up Python ${{ env.PYTHON_VERSION }}
        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f  # v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
      # helm/kustomize are needed by the test suite; GITHUB_TOKEN here is
      # presumably only for GitHub API rate limits when fetching releases.
      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # NOTE(review): pipenv itself is installed unpinned (latest from PyPI) on
      # every run; consider pinning it for reproducibility.
      - name: Install pipenv
        run: |
          python -m pip install --no-cache-dir --upgrade pipenv
      # Recreates the virtualenv from scratch so a reused self-hosted runner
      # does not carry state between runs. `pipenv install --dev` resolves from
      # the lockfile; the trailing `pip install pytest` does not — NOTE(review):
      # either rely on the dev lock or pin pytest, since this step executes
      # third-party install code with the PAT and GPG key present.
      - name: Install dependencies
        run: |
          # remove venv, if exists
          pipenv --rm || true
          pipenv --python ${{ env.PYTHON_VERSION }}
          pipenv install --dev
          pipenv run pip install pytest
      # Runs the suite with coverage, regenerates coverage.svg, and commits it
      # (the `|| echo` keeps the job green when the badge is unchanged).
      # NOTE(review): no `git push` is visible in this listing — if the file
      # really ends here the commit never leaves the runner; if a push step
      # follows, it is what the PAT above exists for.
      - name: Test with pytest
        run: |
          pipenv run pytest --cov-report term --cov=checkov tests
          pipenv run python -m coverage_badge -o coverage.svg -f
          git commit -m "Update coverage" coverage.svg || echo "No changes to commit"