.github/workflows/pr-checks.yaml

# SPDX-License-Identifier: Apache-2.0
# Copyright 2024 Authors of SentryFlow

name: PR checks

on:
  pull_request:
    types: [ opened, reopened, synchronize, ready_for_review ]
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - 'LICENSE'

permissions: read-all

jobs:
  license:
    name: License
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./sentryflow
    steps:
      - uses: actions/checkout@v4

      - name: Check License Header
        uses: apache/skywalking-eyes@v0.6.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  static-checks:
    name: Static checks
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./sentryflow
    steps:
      - uses: actions/checkout@v4

      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'

      - name: go fmt
        run: make fmt

      - name: Lint
        uses: golangci/golangci-lint-action@v6
        with:
          working-directory: ./sentryflow
          version: v1.60.3
          args: --timeout=10m --out-format=line-number
          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778

  go-sec:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ./sentryflow
    permissions:
      security-events: write
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4

      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        with:
          # we let the report trigger content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  build-sentryflow-image:
    name: Build SentryFlow container image
    runs-on: ubuntu-latest
    timeout-minutes: 20
    defaults:
      run:
        working-directory: ./sentryflow
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Build image
        run: make image

      - name: Scan image
        uses: anchore/scan-action@v4
        with:
          image: "docker.io/5gsec/sentryflow:latest"
          severity-cutoff: critical
          output-format: sarif