.github/workflows/ci.yaml

name: CI

on:
  pull_request:
    branches: [ 'stable/**' ]
    types: [ 'opened', 'reopened', 'synchronize' ]
  workflow_dispatch:

permissions:
  contents: read

jobs:
  build:
    name: Build
    runs-on: ${{ matrix.RUNNER }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - PLATFORM: amd64
            ARCH: x86_64
            RUNNER: self-hosted-amd64-1cpu
          - PLATFORM: arm64
            ARCH: aarch64
            RUNNER: self-hosted-arm64-1cpu
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2

      - name: Build image
        run: make ARCHS=${{ matrix.ARCH }} PLATFORMS=${{ matrix.PLATFORM }} BUILDX_ARGS=--load build

      - name: Save image
        run: docker save -o node-${{ matrix.ARCH }}.tar docker.io/wallarm/node:test

      - name: Cache image
        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b
        with:
          retention-days: 1
          name: node-${{ matrix.ARCH }}.tar
          path: node-${{ matrix.ARCH }}.tar

  test:
    name: Test
    runs-on: ${{ matrix.RUNNER }}
    env:
      ## US preset
      #env_code: ingress-us1
      #CLIENT_ID: 7119
      ## EU preset
      env_code: ingress
      CLIENT_ID: 5
    needs:
      - build
    strategy:
      matrix:
        case: [ single, split ]
        ARCH: [ x86_64, aarch64 ]
        include:
          - ARCH: x86_64
            RUNNER: self-hosted-amd64-2cpu
          - ARCH: aarch64
            RUNNER: self-hosted-arm64-2cpu
      fail-fast: false
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.0.2

      - name: Import secrets
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          path: kubernetes-ci
          secrets: |
            kv-gitlab-ci/data/github/${{ env.env_code }} api_token ;
            kv-gitlab-ci/data/github/${{ env.env_code }} api_host ;
            kv-gitlab-ci/data/github/${{ env.env_code }} api_preset ;
            kv-gitlab-ci/data/github/${{ env.env_code }} user_token ;
            kv-gitlab-ci/data/github/${{ env.env_code }} webhook_uuid ;
            kv-gitlab-ci/data/github/${{ env.env_code }} webhook_api_key ;
            kv-gitlab-ci/data/github/${{ env.env_code }} allure_server_token ;
            kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_name ;
            kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds token_secret ;
            kv-gitlab-ci/data/github/shared/smoke-tests-registry-creds registry_name ;

      - name: Login
        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446
        with:
          registry: ${{ steps.secrets.outputs.registry_name }}
          username: ${{ steps.secrets.outputs.token_name }}
          password: ${{ steps.secrets.outputs.token_secret }}

      - name: Load cache
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
        with:
          name: node-${{ matrix.ARCH }}.tar

      - name: Load images
        run: docker load -i node-${{ matrix.ARCH }}.tar

      - name: Run test
        env:
          ALLURE_PROJECT_ID: 10
          ALLURE_UPLOAD_REPORT: true
          ALLURE_TOKEN: ${{ steps.secrets.outputs.ALLURE_SERVER_TOKEN }}
          ALLURE_ENVIRONMENT_ARCH: ${{ matrix.ARCH }}
          USER_TOKEN: ${{ steps.secrets.outputs.user_token }}
          WALLARM_API_TOKEN: ${{ steps.secrets.outputs.api_token }}
          WALLARM_API_HOST: ${{ steps.secrets.outputs.api_host }}
          WALLARM_API_PRESET: ${{ steps.secrets.outputs.api_preset }}
          WEBHOOK_API_KEY: ${{ steps.secrets.outputs.webhook_api_key }}
          WEBHOOK_UUID: ${{ steps.secrets.outputs.webhook_uuid }}
          ARCH: ${{ matrix.ARCH }}
        run: make ${{ matrix.case }}

      - name: Upload logs
        if: always()
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
        with:
          retention-days: 5
          name: node-logs-${{ matrix.ARCH }}-${{ matrix.case }}.tar.gz
          path: node-logs-${{ matrix.ARCH }}-${{ matrix.case }}.tar.gz

  scan:
    name: Vulnerability scanner
    runs-on: self-hosted-amd64-1cpu
    permissions:
      pull-requests: write
    needs:
      - build
    env:
      ARCH: x86_64
    steps:
      - name: Load cache
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
        with:
          name: node-${{ env.ARCH }}.tar

      - name: Import secrets
        uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
        id: secrets
        with:
          exportEnv: false
          url: ${{ secrets.VAULT_URL }}
          role: ${{ secrets.VAULT_ROLE }}
          method: kubernetes
          path: kubernetes-ci
          secrets: |
            kv-gitlab-ci/data/github/shared/dockerhub-creds user | DOCKERHUB_USER ;
            kv-gitlab-ci/data/github/shared/dockerhub-creds password | DOCKERHUB_PASSWORD ;

      - name: Docker Scout
        uses: docker/scout-action@v1
        with:
          command: compare,cves
          image: archive://node-${{ env.ARCH }}.tar
          to: docker.io/wallarm/node:latest
          ignore-unchanged: false
          only-severities: critical,high
          write-comment: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          dockerhub-user: ${{ steps.secrets.outputs.DOCKERHUB_USER }}
          dockerhub-password: ${{ steps.secrets.outputs.DOCKERHUB_PASSWORD }}