.github/workflows/alpha.yaml

name: alpha

on:
  push:
    branches:
      - main

jobs:

  generate-tag:
    runs-on: ubuntu-20.04
    outputs:
      tag: ${{ steps.get_tag.outputs.GIT_TAG }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Get tags
        id: get_tag
        uses: ./.github/actions/version-tag


  build-kotsadm-migrations:
    runs-on: ubuntu-20.04
    needs: [generate-tag]
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/build-push-kotsadm-migrations-image
        with:
          image-name: index.docker.io/kotsadm/kotsadm-migrations:alpha
          git-tag: ${{ needs.generate-tag.outputs.tag }}
          registry-username: ${{ secrets.DOCKERHUB_USER }}
          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}


  build-kotsadm:
    runs-on: ubuntu-20.04
    needs: [generate-tag]
    permissions:
      id-token: write # required to be able to assume the GCP SA identity to pull private Chainguard packages.
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/build-push-kotsadm-image
        with:
          chainguard-gcp-wif-pool: ${{ secrets.CHAINGUARD_GCP_WIF_POOL }}
          chainguard-gcp-sa: ${{ secrets.CHAINGUARD_GCP_SA }}
          chainguard-gcp-project-id: ${{ secrets.CHAINGUARD_GCP_PROJECT_ID }}
          image-name: index.docker.io/kotsadm/kotsadm:alpha
          git-tag: ${{ needs.generate-tag.outputs.tag }}
          registry-username: ${{ secrets.DOCKERHUB_USER }}
          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}


  build-kurl-proxy:
    runs-on: ubuntu-20.04
    needs: [generate-tag]
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/build-push-kurl-proxy-image
        with:
          image-name: index.docker.io/kotsadm/kurl-proxy:alpha
          git-tag: ${{ needs.generate-tag.outputs.tag }}
          registry-username: ${{ secrets.DOCKERHUB_USER }}
          registry-password: ${{ secrets.DOCKERHUB_PASSWORD }}


  scan_rqlite:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Read image tags from env file
        uses: falti/dotenv-action@v1
        id: dotenv
        with:
          path: .image.env
      - name: Scan rqlite for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}"
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'rqlite-scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: rqlite-scan-output.sarif


  scan_minio:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Read image tags from env file
        uses: falti/dotenv-action@v1
        id: dotenv
        with:
          path: .image.env
      - name: Scan minio for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}"
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'minio-scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'minio-scan-output.sarif'


  scan_dex:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Read image tags from env file
        uses: falti/dotenv-action@v1
        id: dotenv
        with:
          path: .image.env
      - name: Scan dex for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}"
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'dex-scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: dex-scan-output.sarif


  scan_kurl_proxy:
    runs-on: ubuntu-20.04
    needs: [build-kurl-proxy]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Scan kurl-proxy for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/kotsadm/kurl-proxy:alpha'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'kurl-proxy-scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kurl-proxy-scan-output.sarif


  scan_local_volume_provider:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Read image tags from env file
        uses: falti/dotenv-action@v1
        id: dotenv
        with:
          path: .image.env
      - name: Scan replicated/local-volume-provider for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "docker.io/replicated/local-volume-provider:${{ steps.dotenv.outputs.LVP_TAG }}"
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scan-output.sarif


  scan_kotsadm:
    runs-on: ubuntu-20.04
    needs: [build-kotsadm]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Scan kotsadm for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/kotsadm/kotsadm:alpha'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'kotsadm-scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kotsadm-scan-output.sarif


  scan_kotsadm_migrations:
    runs-on: ubuntu-20.04
    needs: [build-kotsadm-migrations]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Scan migrations for vulnerabilities
        id: scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/kotsadm/kotsadm-migrations:alpha'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'kotsadm-migration-scan-output.sarif'
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload scan report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kotsadm-migration-scan-output.sarif