.github/workflows/build.yaml

name: "build"
on: [push, pull_request]
env:
  TRIVY_VERSION: 0.48.3
  BUILDKIT_VERSION: 0.12.4
  BATS_VERSION: 1.10.0
permissions: read-all
jobs:
  build:
    name: build
    runs-on: ubuntu-latest
    strategy:
      matrix:
        test-type: ["buildx", "buildkit-container", "custom-socket"]
    steps:
      - name: Setup BATS
        uses: mig4/setup-bats@af9a00deb21b5d795cabfeaa8d9060410377686d # v1.2.0
        with:
          bats-version: ${{ env.BATS_VERSION }}

      - name: Check out code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Install Trivy
        run: |
          curl -fsSL -o trivy.tar.gz https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
          tar -zxvf trivy.tar.gz
          cp trivy /usr/local/bin/

      - name: Generate trivy vuln report for opa image
        run: |
          trivy image --vuln-type os --ignore-unfixed -f json -o /tmp/opa.0.46.0.json docker.io/openpolicyagent/opa:0.46.0

      - name: Get latest copa version
        run: |
          latest_tag=$(curl --retry 5 -s "https://api.github.com/repos/project-copacetic/copacetic/releases/latest" | jq -r '.tag_name')
          version=${latest_tag:1}
          echo "Copa version: $version"
          echo "COPA_VERSION=$version" >> $GITHUB_ENV

      - name: Install Copa
        run: |
          curl --retry 5 -fsSL -o copa.tar.gz https://github.com/project-copacetic/copacetic/releases/download/v${COPA_VERSION}/copa_${COPA_VERSION}_linux_amd64.tar.gz
          tar -zxvf copa.tar.gz
          cp copa /usr/local/bin/

      - name: Run Buildkit container
        if: matrix.test-type == 'buildkit-container'
        run : |
          docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:v${{ env.BUILDKIT_VERSION }} --addr tcp://0.0.0.0:8888

      - name: Set up Docker
        if: matrix.test-type == 'custom-socket'
        uses: crazy-max/ghaction-setup-docker@v3
        with:
          daemon-config: |
            {
            "debug": true,
            "experimental": true,
                "features": {
                "containerd-snapshotter": true
                }
            }

      - name: Bats Test
        run: |
          set -ex
          export SOCKET="/var/run/docker.sock"

          if [ "${{ matrix.test-type }}" = "custom-socket" ]; then
            url=$(docker context inspect | jq -r .[0].Endpoints.docker.Host)
            SOCKET=$(echo "$url" | awk -F// '{print $2}')
          fi

          docker build --build-arg copa_version=${COPA_VERSION} -t copa-action .
          docker run --net=host \
            --mount=type=bind,source=/tmp,target=/data \
            --mount=type=bind,source="$SOCKET",target=/var/run/docker.sock \
            --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT \
            --name=copa-action \
            copa-action 'docker.io/openpolicyagent/opa:0.46.0' 'opa.0.46.0.json' '0.46.0-patched' '10m' "${{ matrix.test-type }}" 'openvex' 'output.json'
          
          docker -c "setup-docker-action" save -o patched.tar openpolicyagent/opa:0.46.0-patched
          bats --print-output-on-failure ./test/test.bats