.github/workflows/ci.yml

name: CI

on:
  push:
    branches:
      - main
      - release-*
  pull_request: {}
  workflow_dispatch: {}

env:
  # Common versions
  EARTHLY_VERSION: '0.8.13'

  # Force Earthly to use color output
  FORCE_COLOR: "1"

  # Common users. We can't run a step 'if secrets.DOCKER_USR != ""' but we can run
  # a step 'if env.DOCKER_USR' != ""', so we copy these to succinctly test whether
  # credentials have been provided before trying to run steps that need them.
  DOCKER_USR: ${{ secrets.DOCKER_USR }}
  UPBOUND_MARKETPLACE_PUSH_ROBOT_USR: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}


jobs:
  check-diff:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Earthly to Push Cache to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

      - name: Generate Files
        run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +generate

      - name: Count Changed Files
        id: changed_files
        run: echo "count=$(git status --porcelain | wc -l)" >> $GITHUB_OUTPUT

      - name: Fail if Files Changed
        if: steps.changed_files.outputs.count != 0
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
        with:
          script: core.setFailed('Found changed files after running earthly +generate.')

  lint:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Earthly to Push Cache to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

      - name: Lint
        run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +lint

  codeql:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Earthly to Push Cache to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

      - name: Run CodeQL
        run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +ci-codeql

      - name: Upload CodeQL Results to GitHub
        uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3
        with:
          sarif_file: '_output/codeql/go.sarif'


  trivy-scan-fs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          skip-dirs: design
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          format: sarif
          output: 'trivy-results.sarif'

      - name: Upload Trivy Results to GitHub
        uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # v3
        with:
          sarif_file: 'trivy-results.sarif'

  unit-tests:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Earthly to Push Cache to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

      - name: Run Unit Tests
        run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +test

      - name: Publish Unit Test Coverage
        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
        with:
          flags: unittests
          file: _output/tests/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}

  e2e-tests:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        test-suite:
          - base
          - usage
          - ssa-claims
          - realtime-compositions
          - package-dependency-upgrades
          - package-signature-verification

    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Earthly to Push Cache to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: |
          echo "EARTHLY_PUSH=true" >> $GITHUB_ENV
          echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

      - name: Run E2E Tests
        run: |
          earthly --strict --allow-privileged --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }}-${{ matrix.test-suite}} \
            +e2e --FLAGS="-test.failfast -fail-fast --test-suite ${{ matrix.test-suite }}"

      - name: Publish E2E Test Flakes
        if: '!cancelled()'
        uses: buildpulse/buildpulse-action@d0d30f53585cf16b2e01811a5a753fd47968654a # v0.11.0
        with:
          account: 45158470
          repository: 147886080
          key: ${{ secrets.BUILDPULSE_ACCESS_KEY_ID }}
          secret: ${{ secrets.BUILDPULSE_SECRET_ACCESS_KEY }}
          path: _output/tests/e2e-tests.xml

  publish-artifacts:
    runs-on: ubuntu-22.04

    steps:
      - name: Cleanup Disk
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
        with:
          android: true
          dotnet: true
          haskell: true
          tool-cache: true
          swap-storage: false
          # This works, and saves ~5GiB, but takes ~2 minutes to do it.
          large-packages: false
          # TODO(negz): Does having these around avoid Earthly needing to pull
          # large images like golang?
          docker-images: false

      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
        with:
          fetch-depth: 0

      - name: Setup Earthly
        uses: earthly/actions-setup@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.EARTHLY_VERSION }}

      - name: Login to DockerHub
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      - name: Login to Upbound
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        if: env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
        with:
          registry: xpkg.upbound.io
          username: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR }}
          password: ${{ secrets.UPBOUND_MARKETPLACE_PUSH_ROBOT_PSW }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure Earthly to Push Cache to GitHub Container Registry
        if: github.ref == 'refs/heads/main'
        run: echo "EARTHLY_MAX_REMOTE_CACHE=true" >> $GITHUB_ENV

      - name: Configure Earthly to Push Artifacts
        if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-')) && env.DOCKER_USR != '' && env.UPBOUND_MARKETPLACE_PUSH_ROBOT_USR != ''
        run: echo "EARTHLY_PUSH=true" >> $GITHUB_ENV

      - name: Set CROSSPLANE_VERSION and CROSSPLANE_INTERNAL_VERSION GitHub Environment Variables
        run: earthly +ci-version

      - name: Build and Push Artifacts
        run: earthly --strict --remote-cache ghcr.io/upbound/crossplane-earthly-cache:${{ github.job }} +ci-artifacts --CROSSPLANE_VERSION=${CROSSPLANE_VERSION} --CROSSPLANE_INTERNAL_VERSION=${CROSSPLANE_INTERNAL_VERSION}

      - name: Upload Artifacts to GitHub
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        with:
          name: output
          path: _output/**

  fuzz-test:
    runs-on: ubuntu-22.04

    steps:
      # TODO(negz): Can we make this use our Go build and dependency cache? It
      # seems to build Crossplane inside of a Docker image.
      - name: Build Fuzzers
        id: build
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: "crossplane"
          language: go

      - name: Run Fuzzers
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: "crossplane"
          fuzz-seconds: 300
          language: go

      - name: Upload Crash
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
        if: failure() && steps.build.outcome == 'success'
        with:
          name: artifacts
          path: ./out/artifacts

  protobuf-schemas:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Setup Buf
        uses: bufbuild/buf-setup-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Lint Protocol Buffers
        uses: bufbuild/buf-lint-action@v1
        with:
          input: apis

      # buf-breaking-action doesn't support branches
      # https://github.com/bufbuild/buf-push-action/issues/34
      - name: Detect Breaking Changes in Protocol Buffers
        uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
        # We want to run this for the main branch, and PRs against main.
        if: ${{ github.ref == 'refs/heads/main' || github.base_ref == 'main' }}
        with:
          input: apis
          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main,subdir=apis"

      - name: Push Protocol Buffers to Buf Schema Registry
        if: ${{ github.repository == 'crossplane/crossplane' && github.ref == 'refs/heads/main' }}
        uses: bufbuild/buf-push-action@v1
        with:
          input: apis
          buf_token: ${{ secrets.BUF_TOKEN }}