Containerized CI

.dockerignore

@@ -1,4 +1,7 @@
 # More info: https://docs.docker.com/engine/reference/builder/#dockerignore-file
 # Ignore build and test binaries.
+.git/
+.github/
+.husky/
 bin/
 testbin/

.earthlyignore

@@ -0,0 +1,6 @@
+.git/
+.github/
+.husky/
+.vscode/
+bin/
+kind-logs-*

.github/workflows/e2e-on-pr.yaml

@@ -0,0 +1,60 @@
+# in test don't use yet
+
+name: end-2-end build
+
+on:
+  pull_request:
+    branches: [ main ]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: read
+  actions: read
+  security-events: write
+  packages: write
+
+concurrency:
+  group: ci-e2e-${{ github.ref }}-1
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  IMAGE_TAG: ${{ github.sha }}
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: write
+    steps:
+    - name: harden runner
+      uses: step-security/harden-runner@9b0655f430fba8c7001d4e38f8d4306db5c6e0ab
+      with:
+        egress-policy: audit
+    - name: checkout repository
+      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+    - name: log in to ghrc.io 
+      uses: docker/login-action@1edf6180e07d2ffb423fc48a1a552855c0a1f508
+      with: 
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: run golangci-lint
+      run: make lint
+    - name: run gosec scan
+      run: make gosec
+    - name: run test
+      run: make test
+    - name: run e2e test
+      run: make e2e-test
+    - name: run image scan
+      run: make scan-image
+    - name: generate bundle manifest
+      run: make bundle
+    - name: upload Trivy scan results to GitHub Security tab
+      if: always()
+      uses: github/codeql-action/upload-sarif@1fc1008278d05ba9455caf083444e6c5a1a3cfd8
+      with:
+        sarif_file: 'trivy-results.sarif'