.github/workflows/ci.yml

name: ci

on:
  push:
    branches:
      - 'main'
    tags:
      - 'v*'
  pull_request:
    branches:
      - 'main'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  build_jars:
    name: Build Jars
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: zulu
          java-version: 21
          cache: maven

      - name: Build javaagent binaries
        run: mvn -s .github/workflows/maven-settings.xml clean install -B -V -U -f javaagents/pom.xml

      - name: Upload JARs
        uses: actions/upload-artifact@v4
        with:
          name: java-agents
          path: javaagents/download/target/javaagent/*.jar
          if-no-files-found: error
          retention-days: 3

  audit:
    name: Audit
    needs:
      - build_jars
    runs-on:
      labels: steadybit_runner_ubuntu_latest_4cores_16GB
    timeout-minutes: 60
    env:
      sonar_available: ${{ secrets.SONAR_TOKEN  != '' && 'true' || 'false' }}
      snyk_available: ${{ secrets.SNYK_TOKEN  != '' && 'true' || 'false' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Download JARs
        uses: actions/download-artifact@v4
        with:
          name: java-agents
          path: javaagents/download/target/javaagent

      - uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Set up JDK 21
        uses: actions/setup-java@v4
        with:
          distribution: zulu
          java-version: 21
          cache: maven

      - uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # we want to run minikube in kvm so we need this and the large runners.
      - name: Enable KVM group perms
        run: |
          echo 'KERNEL=="kvm", GROUP="kvm", MODE="0666", OPTIONS+="static_node=kvm"' | sudo tee /etc/udev/rules.d/99-kvm4all.rules
          sudo udevadm control --reload-rules
          sudo udevadm trigger --name-match=kvm
          sudo apt-get update
          sudo apt-get install -y libvirt-clients libvirt-daemon-system libvirt-daemon virtinst bridge-utils qemu-user-static qemu-system-x86
          sudo usermod -a -G kvm,libvirt $USER

      - name: Audit
        run: |
          go mod download
          minikube config set WantUpdateNotification false
          minikube config set cpus max
          minikube config set memory 8g
          #exec in a new sell for the group change to take effect
          go version
          sudo -u $USER env PATH=$PATH make audit

      - name: "[release] Snyk test"
        if: ${{ startsWith(github.ref, 'refs/tags/') && env.snyk_available == 'true' }}
        uses: snyk/actions/golang@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --project-name=${{ github.repository }} --target-reference=${{ github.ref_name }}
          command: test

      - name: SonarCloud Scan
        if: ${{ env.sonar_available == 'true' }}
        uses: SonarSource/sonarcloud-github-action@v4.0.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

      - name: "[release] SonarCloud Quality Gate check"
        if: ${{ startsWith(github.ref, 'refs/tags/') && env.sonar_available == 'true' }}
        uses: sonarsource/sonarqube-quality-gate-action@v1.1.0
        timeout-minutes: 5
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

  build-images:
    name: Build Docker Images
    needs: [audit]
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions:
      contents: read
      packages: write
    outputs:
      version: ${{ steps.meta.outputs.version }}
      deployer_available: ${{ secrets.PAT_TOKEN_EXTENSION_DEPLOYER  != '' }}
      version_bump_available: ${{ vars.VERSION_BUMPER_APPID != '' && secrets.VERSION_BUMPER_SECRET  != '' }}
    env:
      snyk_available: ${{ secrets.SNYK_TOKEN  != '' && 'true' || 'false' }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      - name: Log in to the container registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}

      - name: Download JARs
        uses: actions/download-artifact@v4
        with:
          name: java-agents
          path: javaagents/download/target/javaagent

      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: ./
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64
          build-args: |
            BUILD_SNAPSHOT=${{ !startsWith(github.ref, 'refs/tags/') }}
            NAME=${{ github.repository }}
            VERSION=${{ steps.meta.outputs.version }}
            REVISION=${{ github.sha }}

  snyk-test:
    name: "Snyk Test ${{ startsWith(github.ref, 'refs/tags/') && '- If this breaks for CVEs, you need to revoke the published image (and move latest tag)!' || '' }}"
    uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main
    needs: [build-images]
    with:
      command: test
      container_image: ghcr.io/${{ github.repository }}:latest
    secrets:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  snyk-monitor:
    name: "[Release] Snyk Monitor latest"
    uses: steadybit/extension-kit/.github/workflows/reusable-snyk-scan.yml@main
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    needs: [build-images]
    with:
      command: monitor
      container_image: ghcr.io/${{ github.repository }}:latest
      target_ref: latest
    secrets:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

  build-packages:
    name: Build Linux Packages
    needs: [audit]
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Download JARs
        uses: actions/download-artifact@v4
        with:
          name: java-agents
          path: javaagents/download/target/javaagent

      - uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: Export GPG key
        run: |
          mkdir -p gpg
          echo -n "${{ secrets.MAVEN_GPG_PRIVATE_KEY }}" > gpg.key

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6
        with:
          distribution: goreleaser
          version: latest
          args: release --clean ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }} ${{ github.event_name == 'pull_request' && '--skip sign' || '' }}
        env:
          NFPM_KEY_FILE: gpg.key
          NFPM_DEFAULT_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSWORD }}
          GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}

      - name: Google Auth
        id: auth
        uses: 'google-github-actions/auth@v2'
        with:
          token_format: 'access_token'
          project_id: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_ID }}
          service_account: ${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_SA }}
          workload_identity_provider: ${{ secrets.GCP_ARTIFACT_REGISTRY_IDENTITY_PROVIDER }}

      - uses: google-github-actions/setup-gcloud@v2
        with:
          version: latest

      - name: "[build] Upload packages to gcp internal repositories"
        if: github.event_name != 'pull_request'
        working-directory: ./dist
        run: |
          for deb in $(find * -name '*.deb'); do
            ERROR=$(gcloud artifacts apt upload deb-dev --location=${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_LOCATION }} --source=$deb 2>&1) || {
              echo "$ERROR"
              if echo "$ERROR" | grep -q 'updated packages must bear a new version'; then
                echo "The package is already uploaded. Continuing..."
              else
                echo "Package installation failed for a different reason."
                exit 1
              fi
            }
          done
          for rpm in $(find * -name '*.rpm'); do
            ERROR=$(gcloud artifacts yum upload yum-dev --location=${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_LOCATION }} --source=$rpm 2>&1) || {
              echo "$ERROR"
              if echo "$ERROR" | grep -q 'updated packages must bear a new version'; then
                echo "The package is already uploaded. Continuing..."
              else
                echo "Package installation failed for a different reason."
                exit 1
              fi
            }
          done

      - name: "[release] Upload packages to gcp public repositories"
        if: ${{ startsWith(github.ref, 'refs/tags/') }}
        working-directory: ./dist
        run: |
          for deb in $(find * -name '*.deb'); do
            ERROR=$(gcloud artifacts apt upload deb-public --location=${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_LOCATION }} --source=$deb 2>&1) || {
              echo "$ERROR"
              if echo "$ERROR" | grep -q 'updated packages must bear a new version'; then
                echo "The package is already uploaded. Continuing..."
              else
                echo "Package installation failed for a different reason."
                exit 1
              fi
            }
          done
          for rpm in $(find * -name '*.rpm'); do
            ERROR=$(gcloud artifacts yum upload yum-public --location=${{ vars.GCP_ARTIFACT_REGISTRY_PROJECT_LOCATION }} --source=$rpm 2>&1) || {
              echo "$ERROR"
              if echo "$ERROR" | grep -q 'updated packages must bear a new version'; then
                echo "The package is already uploaded. Continuing..."
              else
                echo "Package installation failed for a different reason."
                exit 1
              fi
            }
          done

  test-helm-charts:
    name: "Test Helm Charts"
    runs-on: ubuntu-latest
    needs: [audit]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.12.2

      - name: Add dependency chart repos
        run: |
          helm repo add steadybit https://steadybit.github.io/helm-charts

      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"

      - name: Add unit testing plugin
        run: |
          helm plugin install https://github.com/helm-unittest/helm-unittest.git

      - name: Run unit tests
        run: make charttesting

      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.7.0

      - name: Run chart-testing (lint)
        run: ct lint --config chartTesting.yaml

  bump-chart-version:
    name: Bump Chart Patch Version on main branch
    needs: [build-images]
    if: needs.build-images.outputs.version_bump_available && startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions:
      contents: write
    steps:
      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.GH_APP_STEADYBIT_APP_ID }}
          private-key: ${{ secrets.GH_APP_STEADYBIT_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          ref: main
          fetch-depth: 0
          token: ${{ steps.app-token.outputs.token }}

      # this commit will effectively cause another run of the workflow which then actually performs the helm chart release
      - run: |
          npm install -g semver
          make chart-bump-version APP_VERSION="${{ needs.build-images.outputs.version }}"
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
          git commit -am "chore: update helm chart version"
          git push

  release-helm-chart:
    name: "Release Helm Chart"
    runs-on: ubuntu-latest
    needs: [test-helm-charts]
    if: github.ref == 'refs/heads/main'

    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Set up Helm
        uses: azure/setup-helm@v4
        with:
          version: v3.12.2

      - name: Add dependency chart repos
        run: |
          helm repo add steadybit https://steadybit.github.io/helm-charts

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.7.0
        with:
          charts_dir: charts
          mark_as_latest: false
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

  trigger-test-environment-updates:
    name: Trigger test environment updates
    if: github.ref == 'refs/heads/main' && needs.build-images.outputs.deployer_available
    needs: [build-images]
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      - uses: benc-uk/workflow-dispatch@v1
        with:
          ref: main
          workflow: extension-restart.yml
          repo: steadybit/extension-deployer
          inputs: '{"extension":"${{ github.repository }}","version":"${{ needs.build-images.outputs.version }}","revision":"${{ github.sha }}"}'
          token: ${{ secrets.PAT_TOKEN_EXTENSION_DEPLOYER }}