.github/workflows/pr-checks.yml

# SPDX-License-Identifier: Apache-2.0
# Copyright 2024 Authors of SentryFlow

name: PR checks

on:
  pull_request:
    types: [ opened, reopened, synchronize, ready_for_review ]
    paths-ignore:
      - '**.md'
      - '**.sh'
      - 'docs/**'
      - 'LICENSE'

permissions: read-all

jobs:
  license:
    name: License
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4

      - name: Check License Header
        uses: apache/skywalking-eyes@3ea9df11bb3a5a85665377d1fd10c02edecf2c40
        working-directory: sentryflow
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  static-checks:
    name: Static checks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version: '1.23'

      - name: go fmt
        working-directory: sentryflow
        run: make fmt

      - name: Lint
        id: lint
        working-directory: sentryflow
        run: make lint

  go-sec:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    env:
      GO111MODULE: on
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4

      - name: Run Gosec Security Scanner
        uses: securego/gosec@master
        working-directory: sentryflow
        with:
          # we let the report trigger content trigger a failure using the GitHub Security features.
          args: '-no-fail -fmt sarif -out results.sarif ./...'

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  build-image:
    name: Build SentryFlow image
    runs-on: ubuntu-latest
    timeout-minutes: 20
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4

      - name: Build image
        working-directory: sentryflow
        run: make image

      - name: Scan image
        uses: anchore/scan-action@v4
        working-directory: sentryflow
        with:
          image: 'docker.io/5gsec/sentryflow:latest'
          severity-cutoff: critical
          output-format: sarif