.github/workflows/test.yml

on: [push, pull_request]
name: Test
jobs:
  test:
    strategy:
      matrix:
        platform: [ubuntu-latest, macos-latest]
    runs-on: ${{ matrix.platform }}
    steps:

    - name: Checkout code
      uses: actions/checkout@v4

    - name: Install Go
      uses: actions/setup-go@v5
      with:
        go-version-file: './go.mod'
    - name: Test
      run: go test ./...

  trivy-scan-fs:
    name: Trivy - scan fs
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          severity: 'MEDIUM,CRITICAL,HIGH' #report all severities
          exit-code: '1'
          format: 'table'

  docker:
    name: Docker Build

    runs-on: ubuntu-latest

    if: github.ref == 'refs/heads/master' && github.repository == 'daspawnw/k8s-node-label'
    needs:
      - test
      - trivy-scan-fs

    steps:
      - uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: daspawnw/k8s-node-label:latest

  docker-forks:
    name: Docker Build (forks)
    env:
      REGISTRY: ghcr.io
      IMAGE_NAME: ${{ github.repository }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    if: github.ref != 'daspawnw/k8s-node-label'
    needs:
      - test
      - trivy-scan-fs

    steps:
      - uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: ${{ format('RELEASE_VERSION={0}', github.ref_name) }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name != 'pull_request' }}
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
          format: 'table'
          ignore-unfixed: true
          exit-code: 1
          severity: 'MEDIUM,CRITICAL,HIGH'