From b04ba03c8a8e2528842767d0b92f9fcdf1e911eb Mon Sep 17 00:00:00 2001
From: Konstantinos Tsakalozos
Date: Fri, 8 Mar 2024 20:36:33 +0200
Subject: [PATCH] Add TiCS code quality check on every PR and at night (#207)

* Add TiCS code quality check on every PR
* Nightly code scans
---
 .github/workflows/cron-jobs.yaml | 116 +++++++++++++++++++++++++++++++
 .github/workflows/security.yaml | 55 ---------------
 .github/workflows/tics.yaml | 16 +++++
 3 files changed, 132 insertions(+), 55 deletions(-)
 create mode 100644 .github/workflows/cron-jobs.yaml
 delete mode 100644 .github/workflows/security.yaml
 create mode 100644 .github/workflows/tics.yaml
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
new file mode 100644
index 000000000..c4c6dab8f
--- /dev/null
+++ b/.github/workflows/cron-jobs.yaml
@@ -0,0 +1,116 @@
+name: Security and quality nightly scan
+
+on:
+ schedule:
+ - cron: '0 10 * * *'
+
+jobs:
+ TICS:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ # Latest branches
+ - { branch: main }
+
+ steps:
+ - name: Checking out repo
+ uses: actions/checkout@v4
+ with:
+ ref: ${{matrix.branch}}
+ - name: Install Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.21"
+ - name: go mod download
+ working-directory: src/k8s
+ run: go mod download
+ - name: TICS scan
+ run: |
+ export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
+
+ set -x
+ # Install python dependencies
+ pip install -r tests/e2e/requirements-test.txt
+ pip install -r tests/e2e/requirements-dev.txt
+
+ cd src/k8s
+
+ # TICS requires us to have the test results in cobertura xml format under the
+ directory use below
+ hack/static-go-test.sh -v ./pkg/... -coverprofile=coverage.txt --cover
+ go install github.com/boumenot/gocover-cobertura@latest
+ gocover-cobertura < coverage.txt > coverage.xml
+ mkdir .coverage
+ mv ./coverage.xml ./.coverage/
+
+ # Install the TICS and staticcheck
+ go install honnef.co/go/tools/cmd/staticcheck@v0.4.7
+ . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+ # We need to have our project built
+ # We load the dqlite libs here instead of doing through make because TICS
+ # will try to build parts of the project itself
+ sudo add-apt-repository -y ppa:dqlite/dev
+ sudo apt install dqlite-tools libdqlite-dev -y
+ make clean
+ go build -a ./...
+
+ TICSQServer -project k8s-snap -tmpdir /tmp/tics -branchdir $HOME/work/k8s-snap/k8s-snap/
+ tar -cvzf tics-logs.tar.gz /tmp/tics
+ mv tics-logs.tar.gz ../../
+
+ - name: Uploading TICS logs
+ uses: actions/upload-artifact@v4
+ with:
+ name: tics-logs.tar.gz
+ path: tics-logs.tar.gz
+
+ Trivy:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ # Latest branches
+ - { branch: main, channel: latest/edge }
+ # Stable branches
+ # Add branches to test here
+
+ steps:
+ - name: Checking out repo
+ uses: actions/checkout@v4
+ with:
+ ref: ${{matrix.branch}}
+ - name: Setup Trivy vulnerability scanner
+ run: |
+ mkdir -p sarifs
+ VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
+ wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+ tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "fs"
+ ignore-unfixed: true
+ format: "sarif"
+ output: "trivy-k8s-repo-scan--results.sarif"
+ severity: "MEDIUM,HIGH,CRITICAL"
+ - name: Gather Trivy repo scan results
+ run: |
+ cp trivy-k8s-repo-scan--results.sarif ./sarifs/
+ - name: Run Trivy vulnerability scanner on the snap
+ run: |
+ snap download k8s --channel ${{ matrix.channel }}
+ mv ./k8s*.snap ./k8s.snap
+ unsquashfs k8s.snap
+ ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
+ - name: Get HEAD sha
+ run: |
+ SHA="$(git rev-parse HEAD)"
+ echo "head_sha=$SHA" >> "$GITHUB_ENV"
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "sarifs"
+ sha: ${{ env.head_sha }}
+ ref: refs/heads/${{matrix.branch}}
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
deleted file mode 100644
index 1657eb1f3..000000000
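Review bot: The TICS scan step sources an installer fetched over the network directly into the running shell (`. <(curl --silent --show-error 'https://canonical.tiobe.com/.../installtics/Script?...')`) while `TICSAUTHTOKEN` is exported in that shell's environment, so whatever the endpoint returns runs with the token and nothing checks the integrity of what was fetched. The PR workflow added in this same commit already installs TICS through `tiobe/tics-github-action@v2` with `installTics: true`; using the same action here, or downloading the script to a file and comparing it against a pinned digest before sourcing it, would remove the pipe-to-shell. The token is also spliced into the script text by expression (`export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}`); declaring it on the step as `env:` / `TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }}` and dropping the `export` line keeps the secret out of the rendered script body. `go install github.com/boumenot/gocover-cobertura@latest` and the carried-over `uses: aquasecurity/trivy-action@master` are mutable references while staticcheck is pinned to `v0.4.7`; pinning both (a tag or full commit SHA for the action) makes nightly results reproducible and narrows the supply-chain surface of a job that holds a secret. The hard-coded `-branchdir $HOME/work/k8s-snap/k8s-snap/` could be `$GITHUB_WORKSPACE` so the scan survives a fork or a runner-layout change.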
--- a/.github/workflows/security.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: Security scan
-
-on:
- schedule:
- - cron: '0 10 * * *'
-
-jobs:
- scan:
- runs-on: ubuntu-latest
- strategy:
- matrix:
- include:
- # Latest branches
- - { branch: main, channel: latest/edge }
- # Stable branches
- # Add branches to test here
-
- steps:
- - name: Checking out repo
- uses: actions/checkout@v4
- with:
- ref: ${{matrix.branch}}
- - name: Setup Trivy vulnerability scanner
- run: |
- mkdir -p sarifs
- VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
- wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
- tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: "fs"
- ignore-unfixed: true
- format: "sarif"
- output: "trivy-k8s-repo-scan--results.sarif"
- severity: "MEDIUM,HIGH,CRITICAL"
- - name: Gather Trivy repo scan results
- run: |
- cp trivy-k8s-repo-scan--results.sarif ./sarifs/
- - name: Run Trivy vulnerability scanner on the snap
- run: |
- snap download k8s --channel ${{ matrix.channel }}
- mv ./k8s*.snap ./k8s.snap
- unsquashfs k8s.snap
- ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
- - name: Get HEAD sha
- run: |
- SHA="$(git rev-parse HEAD)"
- echo "head_sha=$SHA" >> "$GITHUB_ENV"
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "sarifs"
- sha: ${{ env.head_sha }}
- ref: refs/heads/${{matrix.branch}}
diff --git a/.github/workflows/tics.yaml b/.github/workflows/tics.yaml
new file mode 100644
index 000000000..332cb32cd
--- /dev/null
+++ b/.github/workflows/tics.yaml
@@ -0,0 +1,16 @@
+name: Code quality
+
+on: [pull_request]
+
+jobs:
+ TICS:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: TICS GitHub Action
+ uses: tiobe/tics-github-action@v2
+ with:
+ projectName: k8s-snap
+ ticsConfiguration: ${{ secrets.TICS }}
+ ticsAuthToken: ${{ secrets.TICSAUTHTOKEN }}
+ installTics: true
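Review bot: With `on: [pull_request]`, `secrets.TICS` and `secrets.TICSAUTHTOKEN` are not provided to runs triggered from forks, so on external contributions both inputs resolve to empty strings and the step will presumably fail (or run without credentials); the job has no guard for that case. A condition such as `if: github.event.pull_request.head.repo.full_name == github.repository` on the `TICS` job skips fork PRs explicitly instead of failing them, and is preferable to switching the trigger to `pull_request_target`, which would hand these secrets to a run that checks out untrusted PR code. `tiobe/tics-github-action@v2` is a floating major tag; pinning it to a full-length commit SHA is the usual hardening for a third-party action that receives secrets. The checkout step is unnamed while the following one is; `- name: Checking out repo` before `uses: actions/checkout@v4` matches the nightly workflow introduced in the same commit.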