build.yaml

---
name: Build
on:
  push:
    branches:
      - main
    paths-ignore:
      - .github/ISSUE_TEMPLATE/*.md
      - "*.md"
      - docs/**
      - mkdocs.yml
      - LICENSE
      - NOTICE
  pull_request:
    branches:
      - main
    paths-ignore:
      - .github/ISSUE_TEMPLATE/*.md
      - "*.md"
      - docs/**
      - mkdocs.yml
      - LICENSE
      - NOTICE
env:
  KIND_VERSION: v0.17.0
  KIND_IMAGE: kindest/node:v1.21.1@sha256:69860bda5563ac81e3c0057d654b5253219618a22ec3a346306239bba8cfa1a6
  GO_VERSION: '1.22'
permissions: {}
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  verify-code:
    name: Verify code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0
      - name: Verify Go code
        uses: golangci/golangci-lint-action@v6.1.0
        with:
          args: --verbose
          version: v1.57.2
          skip-pkg-cache: true
          skip-build-cache: true
      - name: Verify YAML code
        uses: ibiqlik/action-yamllint@v3
      - name: Vendor Go modules
        run: go mod tidy
      - name: Verify all generated
        run: mage generate:verify
      - name: Verify Generated Helm docs
        run: mage generate:verifydocs
  tests:
    name: Run tests
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0
      - name: Run unit tests
        run: mage test:unit
      - name: Upload code coverage
        uses: codecov/codecov-action@v4
        with:
          files: ./coverage.txt
  operator-envtest:
    name: Run Operator envtest
    needs:
      - tests
      - verify-code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0
      - name: Run envtest
        run: mage test:envtest
      - name: Upload code coverage
        uses: codecov/codecov-action@v4
        with:
          files: ./coverage.txt
  itest-trivy-operator:
    name: Run integration tests
    needs:
      - operator-envtest
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install tools
        uses: aquaproj/aqua-installer@v3.0.1
        with:
          aqua_version: v1.25.0
      - name: Setup Kubernetes cluster (KIND)
        uses: engineerd/setup-kind@v0.5.0
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
      - name: Test connection to Kubernetes cluster
        run: |
          kubectl cluster-info
          kubectl wait --for=condition=Ready nodes --all --timeout=300s
          kubectl describe node
      - name: Run integration tests
        run: |
          kubectl create -k deploy/static
          mage test:integration
        env:
          KUBECONFIG: /home/runner/.kube/config
          OPERATOR_NAMESPACE: trivy-system
          OPERATOR_TARGET_NAMESPACES: default
      - name: Upload code coverage
        uses: codecov/codecov-action@v4
        with:
          files: ./itest/trivy-operator/coverage.txt
  e2e-testing:
    name: Run end to end testing
    needs:
      - itest-trivy-operator
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: enabled
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      - name: Available platforms
        run: echo ${{ steps.buildx.outputs.platforms }}
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Release snapshot
        uses: goreleaser/goreleaser-action@v6
        with:
          version: v1.7.0
          args: release -f=goreleaser-e2e.yaml --snapshot --skip-publish --rm-dist
      - name: Install kind and create cluster
        run: >
          curl -Lo ./kind https://kind.sigs.k8s.io/dl/${{ env.KIND_VERSION
          }}/kind-linux-amd64

          chmod +x ./kind

          sudo mv ./kind /usr/local/bin/kind

          kind create cluster

          curl -LO https://dl.k8s.io/release/v1.26.0/bin/linux/amd64/kubectl

          sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
      - name: Test connection to Kubernetes cluster
        run: |
          kubectl cluster-info
          kubectl wait --for=condition=Ready nodes --all --timeout=300s
          kubectl describe node
      - name: Load operator image to cluster
        run: >
          docker tag ghcr.io/aquasecurity/trivy-operator:${{ github.sha }}-amd64
          ghcr.io/aquasecurity/trivy-operator:e2e

          docker save -o trivy-operator.tar ghcr.io/aquasecurity/trivy-operator:e2e

          kind load image-archive trivy-operator.tar
      - name: Init E2E tests (Install kuttl & helm)
        run: >
          mkdir -p ./bin

          curl -L https://github.com/kudobuilder/kuttl/releases/download/v0.15.0/kubectl-kuttl_0.15.0_linux_x86_64 -o ./bin/kuttl;

          chmod +x ./bin/kuttl;

          curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3

          chmod 700 get_helm.sh

          ./get_helm.sh
      - name: Image scan mode producing vulnerability,misconfig and exposedsecrets
          reports tests
        run: >
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/image-mode.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: Files System scan mode producing vulnerability,misconfig and exposedsecrets reports tests
        run: |
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/fs-mode.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: Client/server mode producing vulnerability,misconfig and exposedsecrets
          reports tests
        run: >
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/client-server.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: Standalon mode with Sbom scanning
          reports tests
        run: >
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/sbom-standalone.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: Client/Server with Sbom scanning
          reports tests
        run: >
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/client-server-sbom.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: file system with Sbom scanning
          reports tests
        run: >
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/fs-sbom.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: Node scan producing cluster infraassessment report
        run: >
          kubectl create namespace e2e-test

          ./bin/kuttl test --start-kind=false --namespace e2e-test --config tests/e2e/config/node-collector.yaml

          ./tests/resources-cleanup.sh > /dev/null 2>&1
      - name: Cluster vulnerabilities report
        run: >
          ./bin/kuttl test --start-kind=false --config tests/e2e/config/cluster-scan.yaml

      - name: Delete kind cluster
        run: |
          kind delete cluster