Add TiCS code quality check on every PR and at night (#207)

* Add TiCS code quality check on every PR

* Nightly code scans

.github/workflows/cron-jobs.yaml

@@ -0,0 +1,116 @@
+name: Security and quality nightly scan
+
+on:
+  schedule:
+    - cron: '0 10 * * *'
+
+jobs:
+  TICS:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # Latest branches
+          - { branch: main }
+
+    steps:
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{matrix.branch}}
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.21"
+      - name: go mod download
+        working-directory: src/k8s
+        run: go mod download
+      - name: TICS scan
+        run: |
+          export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
+
+          set -x
+          # Install python dependencies
+          pip install -r tests/e2e/requirements-test.txt
+          pip install -r tests/e2e/requirements-dev.txt
+
+          cd src/k8s
+
+          # TICS requires us to have the test results in cobertura xml format under the
+          # directory use below
+          hack/static-go-test.sh -v ./pkg/... -coverprofile=coverage.txt --cover 
+          go install github.com/boumenot/gocover-cobertura@latest
+          gocover-cobertura < coverage.txt > coverage.xml
+          mkdir .coverage
+          mv ./coverage.xml ./.coverage/
+
+          # Install the TICS and staticcheck
+          go install honnef.co/go/tools/cmd/[email protected]
+          . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+          # We need to have our project built
+          # We load the dqlite libs here instead of doing through make because TICS
+          # will try to build parts of the project itself
+          sudo add-apt-repository -y ppa:dqlite/dev
+          sudo apt install dqlite-tools libdqlite-dev -y
+          make clean
+          go build -a ./...
+
+          TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/
+          tar -cvzf tics-logs.tar.gz /tmp/tics
+          mv tics-logs.tar.gz ../../
+
+      - name: Uploading TICS logs
+        uses: actions/upload-artifact@v4
+        with:
+          name: tics-logs.tar.gz
+          path: tics-logs.tar.gz
+
+  Trivy:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          # Latest branches
+          - { branch: main, channel: latest/edge }
+          # Stable branches
+          # Add branches to test here
+
+    steps:
+      - name: Checking out repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{matrix.branch}}
+      - name: Setup Trivy vulnerability scanner
+        run: |
+          mkdir -p sarifs
+          VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print  substr($NF, 1, length($NF)-1)}');
+          wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+          tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-k8s-repo-scan--results.sarif"
+          severity: "MEDIUM,HIGH,CRITICAL"
+      - name: Gather Trivy repo scan results
+        run: |
+          cp trivy-k8s-repo-scan--results.sarif ./sarifs/
+      - name: Run Trivy vulnerability scanner on the snap
+        run: |
+          snap download k8s --channel ${{ matrix.channel }}
+          mv ./k8s*.snap ./k8s.snap
+          unsquashfs k8s.snap
+          ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
+      - name: Get HEAD sha
+        run: |
+          SHA="$(git rev-parse HEAD)"
+          echo "head_sha=$SHA" >> "$GITHUB_ENV"
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "sarifs"
+          sha: ${{ env.head_sha }}
+          ref: refs/heads/${{matrix.branch}}

.github/workflows/tics.yaml

@@ -0,0 +1,16 @@
+name: Code quality
+
+on: [pull_request]
+
+jobs:
+  TICS:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: TICS GitHub Action
+        uses: tiobe/tics-github-action@v2
+        with:
+          projectName: k8s-snap
+          ticsConfiguration: ${{ secrets.TICS }}
+          ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
+          installTics: true