.github/workflows/tests.yml

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
# docs: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions

name: 🧪 Tests

on:
  push:
    branches: [ master, main ]
    paths-ignore: [ '**.md' ]
    tags-ignore: [ '**' ]
  pull_request:
    paths-ignore: [ '**.md' ]

jobs:
  gitleaks:
    name: GitLeaks
    runs-on: ubuntu-latest
    steps:
      - name: Install Dasel
        run: curl -sSLf "$(curl -sSLf https://api.github.com/repos/tomwright/dasel/releases/tags/v1.27.3 | grep browser_download_url | grep linux_amd64 | grep -v .gz | cut -d\" -f 4)" -L -o dasel && chmod +x dasel

      - name: Patch GitLeaks config
        run: |
          wget -P /tmp https://raw.githubusercontent.com/zricethezav/gitleaks/master/config/gitleaks.toml
          ./dasel put string -f /tmp/gitleaks.toml ".rules.(id=generic-api-key).allowlists.[].commits.[]" "e8594f63837f77f5d5b4ad21e82dfc6c9fd6b288"

      - { uses: actions/checkout@v4, with: { fetch-depth: 0 } }

      - name: Check for GitLeaks
        uses: gacts/gitleaks@v1 # Action page: <https://github.com/gacts/gitleaks>
        with:
          config-path: /tmp/gitleaks.toml

  validate-renovate-config:
    name: Validate Renovate Config
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npx --yes --package renovate -- renovate-config-validator --strict ./.github/renovate.json

  docker-image:
    name: Build and scan the docker image
    runs-on: ubuntu-latest
    services:
      registry:
        image: registry:2
        ports:
          - 5000:5000
    steps:
      - name: Check out code
        uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3 # Action page: <https://github.com/docker/setup-qemu-action>

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3 # Action page: <https://github.com/docker/setup-buildx-action>
        with:
          driver-opts: network=host

      - name: Build image
        uses: docker/build-push-action@v6 # Action page: <https://github.com/docker/build-push-action>
        with:
          context: .
          file: Dockerfile
          push: true
          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7
          tags: localhost:5000/app:local

      - name: Scan image
        id: scan
        uses: anchore/scan-action@v6 # action page: <https://github.com/anchore/scan-action>
        with:
          image: localhost:5000/app:local
          acs-report-enable: true
          fail-build: false

      - name: upload Anchore scan SARIF report
        if: ${{ always() }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}