.github/workflows/test-build.yml

name: Test & Build
on: push

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: 1.x
          check-latest: true

      - name: Get dependencies
        run: |
          go get -v -t -d ./...

      - name: Vet
        run: go vet ./...

      # get .golangci.yml from github.com/overmindtech/golangci-lint_config
      - name: Get .golangci.yml from github.com/overmindtech/golangci-lint_configs
        run: |
          curl -sfL https://raw.githubusercontent.com/overmindtech/golangci-lint_config/main/.golangci.yml -o .golangci.yml

      - name: golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
          version: v1.60.1
          args: --timeout 3m
          skip-cache: true # the linters require all code generation and dependecies to be present, but the cache implementation completely falls over when there is already existing content. See https://github.com/golangci/golangci-lint-action/issues/23, https://github.com/golangci/golangci-lint-action/issues/863, https://github.com/golangci/golangci-lint-action/issues/984

      - name: Test
        run: go test ./...

  scan-container:
    name: Scan Container
    runs-on: depot-ubuntu-24.04
      # this is for container scanning with aws inspector
    permissions:
      id-token: write   # This is required for requesting the JWT
      contents: read    # This is required for actions/checkout@v2

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # also fetch tags and branches for `git describe`

      - uses: depot/setup-action@v1

      - name: Build Docker image
        uses: depot/build-push-action@v1
        with:
          project: xnsnw3m20t
          context: .
          file: "build/package/Dockerfile"
          push: false
          tags: app:latest
          load: true

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-region: "eu-west-2"
          role-to-assume: "${{ secrets.AWS_INSPECTOR_ROLE }}"

      - name: Invoke Amazon Inspector Scan
        id: inspector
        uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@main
        with:
          artifact_type: 'container'
          artifact_path: 'app:latest'
          display_vulnerability_findings: "enabled"
          sbomgen_version: "latest"

  build:
    name: Build
    runs-on: ubuntu-latest
    if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }}
    needs:
      - test
      - scan-container
    permissions:
      contents: read # required for checkout
      id-token: write # mint AWS credentials through OIDC
      packages: write

    strategy:
      fail-fast: false
      matrix:
        include:
          - dockerfile: Dockerfile
            image_name: source-template

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/overmindtech/${{ matrix.image_name }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up Docker Buildx
        id: setup-builder
        uses: docker/setup-buildx-action@v3

      - name: Build and push
        id: push
        uses: docker/build-push-action@v5
        with:
          builder: ${{ steps.setup-builder.outputs.name }}
          context: .
          sbom: true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          file: build/package/${{ matrix.dockerfile }}
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}