.github/workflows/compass-manager.yaml

name: Compass Manager

on:
  push:
    branches:
      - main
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
      - '[0-9]+.[0-9]+.[0-9]+-*'
    paths-ignore:
      - .reuse
      - hack/
      - LICENSES/
      - LICENSE
      - .gitignore
      - "**.md"

  pull_request_target:
    types: [opened, synchronize, reopened]
    paths-ignore:
      - .reuse
      - hack/
      - LICENSES/
      - LICENSE
      - .gitignore
      - "**.md"

permissions:
  id-token: write # This is required for requesting the JWT token
  contents: read # This is required for actions/checkout

jobs:
  setup:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
      code: ${{ steps.detect-files.outputs.code_any_changed }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - id: tag
        if: github.event_name == 'push' && github.ref_type == 'tag'
        run: echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
      - name: Detect files
        id: detect-files
        uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78
        with:
          files_yaml: |
            code:
              - ./**.go
              - ./go.mod
              - ./go.sum

  unit-tests:
    permissions:
      contents: read
    needs: setup
    if: needs.setup.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Set up go environment
      uses: actions/setup-go@v4
      with:
        cache-dependency-path: go.sum
        go-version-file: go.mod
    - name: Run unit tests
      run: make test | tee test.log
    - name: Upload test logs artifact
      uses: actions/upload-artifact@v4
      if: success() || failure()
      with:
        name: test.log
        path: test.log

  trivy:
    permissions:
      contents: read
    runs-on: "ubuntu-20.04"
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Install trivy
        run: |
          mkdir ./trivy
          curl -L https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar xvz --directory=./trivy
          ./trivy/trivy --version

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.24.0
        with:
          scan-type: 'fs'
          scan-ref: '.'

          exit-code: 1
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          ignore-unfixed: false
          timeout: '5m0s'
          vuln-type: 'os,library'

          format: json
          output: 'trivy-results.json'

      - name: Convert results
        if: success() || failure()
        run: |
          ./trivy/trivy convert -f table -o trivy-results.txt trivy-results.json
          ./trivy/trivy convert -f sarif -o trivy-results.sarif trivy-results.json

      - name: Upload Trivy scan results to GitHub Security tab
        if: (success() || failure()) && github.ref == 'refs/heads/main'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Upload trivy table
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results.txt
          path: trivy-results.txt
      

  build-image:
    needs: setup
    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main # Usage: kyma-project/test-infra/.github/workflows/image-builder.yml@main
    with:
      name: compass-manager
      dockerfile: Dockerfile
      context: .
      tags: ${{ needs.setup.outputs.tag }}

  summary:
    runs-on: ubuntu-latest
    needs: [setup, build-image, unit-tests, trivy]
    if: success() || failure()
    steps:
      - name: "Download test log"
        uses: actions/download-artifact@v4
        with:
          name: test.log
      - name: "Download trivy log"
        uses: actions/download-artifact@v4
        with:
          name: trivy-results.txt
      - name: "Generate summary"
        run: |
          {
            echo '# Compass Manager'
            echo '## Trivy'
            echo '```txt'
            cat trivy-results.txt
            echo '```'
            echo '## Test Log'
            echo '```'
            cat test.log
            echo '```'
            echo '## Images'
            echo '```json'
            echo '${{ needs.build-image.outputs.images }}' | jq
            echo '```'
          } >> $GITHUB_STEP_SUMMARY