ci.yml
---
# CI workflow: compile check, tests, formatting, linting and air-gap
# end-to-end checks for the Rust crate in this repository.
name: Continuous integration

# Runs on every push and pull request; `workflow_call` also lets another
# workflow invoke this one as a reusable workflow.
on: [push, pull_request, workflow_call]

# Declare default permissions as read only.
# `read-all` gives the GITHUB_TOKEN read access on every scope and write
# access on none. No job visible in this file asks for more, so a step that
# is compromised cannot push commits, tags or packages with this token.
permissions: read-all

env:
  # Keep cargo's coloured output in the job logs.
  CARGO_TERM_COLOR: always
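# Every third-party action below is pinned to a full commit SHA, with the
# human-readable version kept in a trailing comment. A SHA cannot be moved
# the way a tag can, so the code that runs is the code that was reviewed.
# NOTE(review): the actions-rs actions appear to be archived upstream, so
# these pins will not receive fixes - consider a maintained replacement.
jobs:
  # Compile-only gate: `cargo check` on the stable toolchain.
  check:
    name: Cargo check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af  # v1.0.7
        with:
          profile: minimal
          toolchain: stable
          override: true
      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505  # v1.0.3
        with:
          command: check

  # Tag builds only: the version in Cargo.toml must equal the tag name
  # without its leading "v".
  version-check:
    name: Check Cargo.toml version
    if: github.ref_type == 'tag'
    runs-on: ubuntu-latest
    steps:
      - name: Download source code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - name: Check cargo file version
        env:
          # The ref name is chosen by whoever pushes the ref. Passing it
          # through the environment keeps it data: `${{ }}` inside `run:` is
          # substituted into the script text before the shell parses it, so
          # shell metacharacters in a ref name would run as code.
          REF_NAME: ${{ github.ref_name }}
        run: |
          CARGO_VERSION=$(sed -n 's,^version = \"\(.*\)\",\1,p' Cargo.toml)
          # Strip one leading "v" only; the earlier sed 's/v//' removed the
          # first "v" wherever it appeared in the tag.
          TAG_VERSION="${REF_NAME#v}"
          if [ "$CARGO_VERSION" != "$TAG_VERSION" ]; then
            echo "::error title=Invalid Cargo.toml version::Cargo.toml version does not match the tag version"
            exit 1
          fi

  # Unit tests for the binaries of every workspace member.
  test:
    name: Unit tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af  # v1.0.7
        with:
          profile: minimal
          toolchain: stable
          override: true
      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505  # v1.0.3
        with:
          command: test
          args: --workspace --bins

  # End-to-end tests driven by the Makefile. cosign is installed first;
  # presumably the e2e suite exercises signature verification - confirm
  # against the Makefile.
  e2e-tests:
    name: E2E tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4  # v3.4.0
      - name: run e2e tests
        run: make e2e-tests

  # Formatting gate: fails if rustfmt would change any file.
  fmt:
    name: Rustfmt
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af  # v1.0.7
        with:
          profile: minimal
          toolchain: stable
          override: true
      - run: rustup component add rustfmt
      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505  # v1.0.3
        with:
          command: fmt
          args: --all -- --check

  # Lint gate: `-D warnings` turns every clippy warning into an error.
  clippy:
    name: Clippy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af  # v1.0.7
        with:
          profile: minimal
          toolchain: stable
          override: true
      - run: rustup component add clippy
      - uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505  # v1.0.3
        with:
          command: clippy
          args: -- -D warnings

  # Static analysis of the helper scripts under scripts/.
  shellcheck:
    name: Shellcheck
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      # The unquoted command substitution is word-split, so this relies on
      # script paths under scripts/ containing no whitespace.
      - run: shellcheck $(find scripts/ -name '*.sh')

  # Air-gap round trip: save policies to a tarball, delete them from the
  # local store, load the tarball into a throwaway local registry, then pull
  # them back from that registry.
  airgap-e2e-test:
    name: Airgap E2E test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
      - name: Run registry
        # NOTE(review): `registry:2` is a mutable tag, unlike the SHA-pinned
        # actions above; pinning the image by digest would close that gap.
        run: |
          # Plain assignment (not `export VAR=$(...)`) so that a failing
          # `docker run` fails the step instead of being masked by `export`.
          CONTAINER_ID="$(docker run -d -p 5000:5000 --name registry registry:2)"
          echo "CONTAINER_ID=${CONTAINER_ID}" >> "$GITHUB_ENV"
      - name: Install kwctl
        run: cargo install --path .
      - name: Save policies
        run: ./scripts/kubewarden-save-policies.sh --policies-list tests/data/airgap/policies.txt --policies policies.tar.gz
      - name: Remove policies from store
        run: |
          kwctl rm registry://ghcr.io/kubewarden/tests/pod-privileged:v0.1.9
          kwctl rm https://github.com/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm
      - name: Load policies
        # insecure.yml presumably marks localhost:5000 as an insecure source
        # so the plain-HTTP test registry is accepted - keep it test-only.
        run: |
          ./scripts/kubewarden-load-policies.sh \
            --policies policies.tar.gz \
            --policies-list tests/data/airgap/policies.txt \
            --registry localhost:5000 \
            --sources-path tests/data/airgap/insecure.yml
      - name: Verify policies in local registry
        run: |
          kwctl pull registry://localhost:5000/kubewarden/tests/pod-privileged:v0.1.9 \
            --sources-path tests/data/airgap/insecure.yml
          kwctl pull registry://localhost:5000/kubewarden/pod-privileged-policy/releases/download/v0.1.6/policy.wasm \
            --sources-path tests/data/airgap/insecure.yml
      - name: Clean up - delete registry
        if: always()
        run: |
          # CONTAINER_ID reaches this step through GITHUB_ENV. Read it as a
          # quoted shell variable rather than splicing `${{ env.* }}` into
          # the script, and skip removal when the registry never started.
          if [ -n "${CONTAINER_ID:-}" ]; then
            docker rm -f "${CONTAINER_ID}"
          fi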