.github/workflows/build-checks.yaml

name: build-checks

on:
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: "1.23"

      - name: setup env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
        shell: bash

      - uses: actions/checkout@v4
      - run: |
          make install-golangci-lint
          echo "golangci-lint path: $(which golangci-lint)"
          make lint build

  test:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/setup-go@v5
        with:
          go-version: "1.23"

      - name: setup env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
        shell: bash

      - uses: actions/checkout@v4

      - run: make ginkgo test

  scan:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          exit-code: '1'
          scanners: 'vuln'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  # summary jobs, these jobs will only run if all the other jobs have succeeded
  validate-pr-tests:
    runs-on: ubuntu-latest
    needs:
      - build
      - test
      - scan
    steps:
      - run: echo "All PR tests passed"

  # this job will validate that the validation did not fail and that all pr-tests succeed
  # it is used for the github branch protection rule
  validate-success:
    runs-on: ubuntu-latest
    needs:
      - validate-pr-tests
    if: always()
    steps:
      # https://docs.github.com/en/actions/learn-github-actions/contexts#needs-context
      # if the validate-pr-tests job was not successful, this job will fail
      - name: fail if validate-pr-tests job was not successful
        if: needs.validate-pr-tests.result != 'success'
        run: exit 1
      # if the validate-pr-tests job was successful, this job will succeed
      - name: succeed if validate-pr-tests job succeeded
        if: needs.validate-pr-tests.result == 'success'
        run: echo "Validation succeeded"