.github/workflows/workflow.yaml

name: build_test_release
on:
  push:
    paths-ignore:
      - ".github/workflows/website.yaml"
      - "docs/**"
      - "library/**"
      - "demo/**"
      - "deprecated/**"
      - "example/**"
      - "website/**"
      - "**.md"
      - "!cmd/build/helmify/static/README.md"
  pull_request:
    paths-ignore:
      - ".github/workflows/website.yaml"
      - "docs/**"
      - "library/**"
      - "demo/**"
      - "deprecated/**"
      - "example/**"
      - "website/**"
      - "**.md"
      - "!cmd/build/helmify/static/README.md"

env:
  GITHUB_REPO: open-policy-agent/gatekeeper
  IMAGE_REPO: openpolicyagent/gatekeeper
  CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds
  GATOR_IMAGE_REPO: openpolicyagent/gator

jobs:
  lint:
    name: "Lint"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - name: Set up Go 1.19
        uses: actions/setup-go@v3
        with:
          go-version: 1.19

      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      # source: https://github.com/golangci/golangci-lint-action
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          # version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
          version: v1.48.0

  test:
    name: "Unit test"
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    steps:
      - name: Set up Go 1.19
        uses: actions/setup-go@v3
        with:
          go-version: 1.19

      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: Unit test
        run: |
          curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz" &&\
            tar -zxvf kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64.tar.gz &&\
            sudo mv kubebuilder_${KUBEBUILDER_VERSION}_linux_amd64 /usr/local/kubebuilder
          make native-test
        env:
          KUBEBUILDER_VERSION: 2.3.1

      - name: Codecov Upload
        uses: codecov/codecov-action@v3
        with:
          flags: unittests
          file: ./cover.out
          fail_ci_if_error: false

  gator_test:
    name: "Test Gator"
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: read
    steps:
      - name: Set up Go 1.19
        uses: actions/setup-go@v3
        with:
          go-version: 1.19

      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: Download e2e dependencies
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make e2e-dependencies KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}

      - name: gator test
        run: make test-gator-containerized

  build_test:
    name: "Build and Test"
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    strategy:
      matrix:
        KUBERNETES_VERSION: ["1.23.13", "1.24.7", "1.25.3", "1.26.0"]
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: Set up Go 1.19
        uses: actions/setup-go@v3
        with:
          go-version: 1.19

      - name: Bootstrap e2e
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make e2e-bootstrap KUBERNETES_VERSION=${{ matrix.KUBERNETES_VERSION }}

      - name: Run e2e
        run: |
          make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest
          make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true
          go mod tidy
          # there should be no additional manifest or go.mod changes
          git diff --exit-code
          make test-e2e

      - name: Save logs
        if: ${{ always() }}
        run: |
          kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-controller.json
          kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json

      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        if: ${{ always() }}
        with:
          name: logs
          path: |
            logs-*.json

  helm_build_test:
    name: "[Helm] Build and Test"
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    strategy:
      matrix:
        HELM_VERSION: ["3.7.2"]
        GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"]
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: Bootstrap e2e
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make e2e-bootstrap

      - name: Run e2e
        run: |
          make e2e-build-load-image IMG=gatekeeper-e2e-helm:latest CRD_IMG=gatekeeper-crds:latest GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
          make e2e-helm-deploy HELM_REPO=gatekeeper-e2e-helm HELM_CRD_REPO=gatekeeper-crds HELM_RELEASE=latest HELM_VERSION=${{ matrix.HELM_VERSION }} GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}
          make test-e2e GATEKEEPER_NAMESPACE=${{ matrix.GATEKEEPER_NAMESPACE }}

      - name: Save logs
        if: ${{ always() }}
        run: |
          kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=controller-manager --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-controller.json
          kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l control-plane=audit-controller --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-audit.json
          kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l run=dummy-provider --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-dummy-provider.json

      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        if: ${{ always() }}
        with:
          name: helm-logs
          path: |
            logs-*.json

  build_test_generator_expansion:
    name: "[Generator Resource Expansion] Build and Test"
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
    - name: Check out code into the Go module directory
      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

    - name: Set up Go 1.19
      uses: actions/setup-go@v3
      with:
        go-version: 1.19

    - name: Bootstrap e2e
      run: |
        mkdir -p $GITHUB_WORKSPACE/bin
        echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
        make e2e-bootstrap

    - name: Run e2e
      run: |
        make e2e-build-load-image IMG=gatekeeper-e2e:latest CRD_IMG=gatekeeper-crds:latest
        make deploy IMG=gatekeeper-e2e:latest USE_LOCAL_IMG=true ENABLE_GENERATOR_EXPANSION=true
        go mod tidy
        # there should be no additional manifest or go.mod changes
        git diff --exit-code
        make test-e2e ENABLE_GENERATOR_EXPANSION_TESTS=1

    - name: Save logs
      if: ${{ always() }}
      run: |
        kubectl logs -n gatekeeper-system -l control-plane=controller-manager --tail=-1 > logs-generatorexpansion-controller.json
        kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-generatorexpansion-audit.json

    - name: Upload artifacts
      uses: actions/upload-artifact@v3
      if: ${{ always() }}
      with:
        name: generatorexpansion-logs
        path: |
          logs-*.json

  scan_vulnerabilities:
    name: "[Trivy] Scan for vulnerabilities"
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: Download trivy
        run: |
          pushd $(mktemp -d)
          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
          echo "$(pwd)" >> $GITHUB_PATH
        env:
          TRIVY_VERSION: "0.32.1"

      - name: Run trivy on git repository
        run: |
          trivy fs --format table --ignore-unfixed --skip-dirs website --security-checks vuln .

      - name: Build docker images
        run: make docker-build

      - name: Run trivy on images
        run: |
          for img in "openpolicyagent/gatekeeper:latest" "openpolicyagent/gatekeeper-crds:latest"; do
            for vuln_type in "os" "library"; do
              trivy image --ignore-unfixed --vuln-type="${vuln_type}" "${img}"
            done
          done

  pre-release:
    name: "Pre Release"
    runs-on: "ubuntu-latest"
    if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper'
    needs: [lint, test, build_test, helm_build_test, scan_vulnerabilities]
    timeout-minutes: 30
    permissions:
      contents: read
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: make docker-push-dev
        run: |
          tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull"
          bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')"
          listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list"
          authz="Authorization: Bearer $bearerToken"
          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
          if [[ $exists == null ]]
          then
            make docker-login
            make docker-buildx-dev DEV_TAG=${GITHUB_SHA::7}
          fi

          listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
          if [[ $exists == null ]]
          then
            make docker-login
            make docker-buildx-crds-dev DEV_TAG=${GITHUB_SHA::7}
          fi

          listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
          version_list="$(curl --silent --get -H "Accept: application/json" -H "$authz" $listUri | jq --raw-output '.')"
          exists=$(echo $version_list | jq --arg t ${GITHUB_SHA::7} '.tags | index($t)')
          if [[ $exists == null ]]
          then
            make docker-login
            make docker-buildx-gator-dev DEV_TAG=${GITHUB_SHA::7}
          fi
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}

  tagged-release:
    name: "Tagged Release"
    runs-on: "ubuntu-latest"
    permissions:
      contents: write
    if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper'
    needs: [lint, test, build_test, helm_build_test, scan_vulnerabilities]
    timeout-minutes: 45
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b

      - name: Set up Go 1.19
        uses: actions/setup-go@v3
        with:
          go-version: 1.19

      - name: Get tag
        id: get_version
        run: |
          echo "TAG=${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV

      - name: Publish release
        run: |
          tokenUri="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${{ env.IMAGE_REPO }}:pull&scope=repository:${{ env.CRD_IMAGE_REPO }}:pull&scope=repository:${{ env.GATOR_IMAGE_REPO }}:pull"
          bearerToken="$(curl --silent --get $tokenUri | jq --raw-output '.token')"
          listUri="https://registry-1.docker.io/v2/${{ env.IMAGE_REPO }}/tags/list"
          authz="Authorization: Bearer $bearerToken"
          version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
          exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
          if [[ $exists == null ]]
          then
            make docker-login
            make docker-buildx-release VERSION=${TAG}
          fi

          listUri="https://registry-1.docker.io/v2/${{ env.CRD_IMAGE_REPO }}/tags/list"
          version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
          exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
          if [[ $exists == null ]]
          then
            make docker-login
            make docker-buildx-crds-release VERSION=${TAG}
          fi

          listUri="https://registry-1.docker.io/v2/${{ env.GATOR_IMAGE_REPO }}/tags/list"
          version_list="$(curl --silent --get -H "Accept: application/json" -H $authz $listUri | jq --raw-output '.')"
          exists=$(echo $version_list | jq --arg t ${TAG} '.tags | index($t)')
          if [[ $exists == null ]]
          then
            make docker-login
            make docker-buildx-gator-release VERSION=${TAG}
          fi
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}

      - name: Bootstrap e2e
        run: |
          mkdir -p $GITHUB_WORKSPACE/bin
          echo "$GITHUB_WORKSPACE/bin" >> $GITHUB_PATH
          make e2e-bootstrap

      - name: Verify release
        run: |
          make e2e-verify-release IMG=${{ env.IMAGE_REPO }}:${TAG} USE_LOCAL_IMG=false

      - name: Build gator-cli
        run: |
          build() {
            export GOOS="$(echo ${1} | cut -d '-' -f 1)"
            export GOARCH="$(echo ${1} | cut -d '-' -f 2)"
            FILENAME=${GITHUB_WORKSPACE}/_dist/gator-${TAG}-${GOOS}-${GOARCH}
            # build the binary
            make bin/gator-${GOOS}-${GOARCH}
            # rename the binary to gator
            tmp_dir=$(mktemp -d)
            cp bin/gator-${GOOS}-${GOARCH} ${tmp_dir}/gator
            pushd ${tmp_dir}
            tar -czf ${FILENAME}.tar.gz gator*
            popd
          }
          mkdir -p _dist
          for os_arch_extension in $PLATFORMS; do
            build ${os_arch_extension} &
          done
          wait
          pushd _dist
          # consolidate tar's sha256sum into a single file
          find . -type f -name '*.tar.gz' | sort | xargs sha256sum >> sha256sums.txt
          popd
        env:
          PLATFORMS: "linux-amd64 linux-arm64 darwin-amd64 darwin-arm64"

      - name: Create GitHub release
        uses: "marvinpinto/action-automatic-releases@v1.2.1"
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          prerelease: false
          files: |
            _dist/sha256sums.txt
            _dist/*.tar.gz

      - name: Publish Helm chart
        uses: stefanprodan/helm-gh-pages@v1.7.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          charts_dir: charts
          target_dir: charts
          linting: off