.github/workflows/build.yaml

name: "Build, Analyze and Test"

on: [ push, pull_request ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
          
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
        with:
          distribution: "temurin"
          java-version: 21
          cache: "maven"

      - name: Dependency Review
        if: github.event_name == 'pull_request'
        uses: actions/dependency-review-action@4081bf99e2866ebe428fc0477b69eb4fcda7220a # v4

      - name: Collect dependencies
        run: |
          ./mvnw dependency:go-offline --batch-mode
          ./mvnw verify --fail-never --batch-mode
          ./mvnw dependency:resolve-sources dependency:resolve -Dclassifier=javadoc --batch-mode

      - name: Build
        run: ./mvnw clean install --batch-mode

      - name: Build native
        run: ./mvnw clean install -Pnative --batch-mode

      - name: Run help
        id: runner
        run: |
          runners=(target/github-stats-*-runner)
          echo "cmd=$(basename ${runners[0]})" >> "$GITHUB_OUTPUT"
          
          "${runners[0]}" help

      - name: Upload target
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: target
          path: target/
          if-no-files-found: error

      - name: Upload runner binary
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: runner
          path: target/github-stats-*-runner
          if-no-files-found: error

      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Get image tags
        id: image_tags
        uses: redhat-cop/github-actions/get-image-version@e4729075dcd3f34946b80df6b1bfb952b9fee166 # v4
        with:
          IMAGE_CONTEXT_DIR: src/main/docker

      - name: Build image
        id: build_image
        uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
        with:
          dockerfiles: src/main/docker/Dockerfile.native
          image: github-stats
          oci: true
          tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"

      - name: Push to ghcr.io
        if: startsWith(github.ref, 'refs/tags/')
        uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
        id: push_image
        with:
          image: ${{ steps.build_image.outputs.image }}
          registry: ghcr.io/${{ github.repository }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          tags: ${{ steps.build_image.outputs.tags }}

    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
      image_digest: "${{ steps.push_image.outputs.digest }}"
      image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
      runner: "${{ steps.runner.outputs.cmd }}"

  analyze:
    needs: [ build ]
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
        with:
          distribution: "temurin"
          java-version: 21

      - name: Initialize CodeQL
        uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
        with:
          languages: java

      - name: Autobuild
        uses: github/codeql-action/autobuild@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
        with:
          category: "/language:java"

      - name: Submit Dependency Snapshot
        uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d # v4

  test:
    needs: [ build ]
    runs-on: ubuntu-latest
    env:
      RUNNER: "${{ needs.build.outputs.runner }}"
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

      - name: Download target
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: target

      - name: Make github-stats-*-runner executable
        run: chmod +x ${{ env.RUNNER }}

      - name: Run 'collect-stats' for UKI
        env:
          GITHUB_LOGIN: ${{ github.repository_owner }}
          GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
        run: |
          touch /tmp/stats.csv
          ./${{ env.RUNNER }} stats collect-stats --organization=RedHat-Consulting-UK --csv-output=/tmp/stats.csv --validate-org-config=false --required-limit=400

      - name: Run 'collect-members-from-ldap' for UKI
        env:
          GITHUB_LOGIN: ${{ github.repository_owner }}
          GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
        run: |
          touch /tmp/members.csv
          ./${{ env.RUNNER }} users collect-members-from-ldap --organization=RedHat-Consulting-UK --csv-output=/tmp/members.csv --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --fail-if-no-vpn=false --guess=false

      - name: Run 'create-who-are-you-issues' for UKI
        env:
          GITHUB_LOGIN: ${{ github.repository_owner }}
          GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
        run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=admin --guess=false --fail-if-no-vpn=false

      - name: Upload /tmp/*.csv
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: outputs.csv
          path: /tmp/*.csv
          if-no-files-found: error

      - name: Run create-who-are-you-issues for UKI
        env:
          GITHUB_LOGIN: ${{ github.repository_owner }}
          GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
        run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=write --guess=false --fail-if-no-vpn=false

  sign-image:
    needs: [ build ]
    permissions:
      id-token: write
      packages: write
    if: startsWith(github.ref, 'refs/tags/')
    env:
      image_uri: ${{ needs.build.outputs.image_uri }}
    runs-on: ubuntu-latest
    steps:
      - name: Setup cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3

      - name: Cosign login
        run: |
          echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io

      - name: Sign Image
        run: |
          cosign sign --yes "${image_uri}"

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: image
          image-ref: ${{ env.image_uri }}
          format: "cosign-vuln"
          output: "cosign-vuln.json"

      - name: Run Trivy SBOM generator
        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: image
          image-ref: ${{ env.image_uri }}
          format: "spdx-json"
          output: "spdx-json.json"

      - name: Attach attestations
        run: |
          cosign attest --yes --type vuln --predicate cosign-vuln.json "${image_uri}"
          cosign attest --yes --type cyclonedx --predicate spdx-json.json "${image_uri}"

  provenance_binary:
    needs: [ build ]
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true

  provenance_image:
    needs: [ build ]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 # v2.0.0
    with:
      image: ${{ needs.build.outputs.image_repo }}
      digest: ${{ needs.build.outputs.image_digest }}
      registry-username: ${{ github.repository_owner }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  release:
    needs: [ build ]
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write
    steps:
      - name: Download runner
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
        with:
          name: runner

      - name: Upload assets to release
        uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.0.9
        with:
          files: |
            github-stats-*-runner