# Copyright 2021 OpenSSF Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: build

permissions:
  contents: read

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

env:
  PROTOC_VERSION: 3.17.3
  GO_VERSION: 1.21

jobs:
  unit-test:
    name: unit-test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: false # we manually manage caches below
     - id: go-cache-paths
       run: |
        echo "go-build=$(go env GOCACHE)" >> "$GITHUB_OUTPUT"
        echo "go-mod=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"
     - name: Cache builds
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
       with:
         path: |
          ${{ steps.go-cache-paths.outputs.go-build }}
          ${{ steps.go-cache-paths.outputs.go-mod }}
         key: ${{ runner.os }}-go-tests-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-tests-
     - name: Prepare test env
       run: |
        go mod download
     - name: Run unit-tests
       run: make unit-test
     - name: Upload codecoverage
       uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 3.1.4
       with:
         files: ./unit-coverage.out
         verbose: true
     - name: Run PAT Token E2E  #using retry because the GitHub token is being throttled.
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4
       if: ${{ github.event_name != 'pull_request' && github.actor != 'dependabot[bot]' }}
       env:
          GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: make e2e-pat
     - name: codecov
       uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # 2.1.0
       if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' }}
       with:
         files: "*e2e-coverage.out"
         verbose: true
  generate-mocks:
    name: generate-mocks
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

     - name: Install Protoc
       uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
       with:
        version: ${{ env.PROTOC_VERSION }}
        repo-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Cache builds
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: |
           ~/go/pkg/mod
           ~/.cache/go-build
           ~/Library/Caches/go-build
           %LocalAppData%\go-build
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
          fetch-depth: 0
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: generate mocks
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make install
            make generate-mocks
  generate-docs:
    name: generate-docs
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: generate docs
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make generate-docs
     - name: ensure checks.yaml and checks.md match
       run: git diff --exit-code
  build-proto:
    name: build-proto
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

     - name: Install Protoc
       uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
       with:
        version: ${{ env.PROTOC_VERSION }}
        repo-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
          fetch-depth: 0
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: build-proto
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make build-proto
  build-matrix:
    strategy:
      matrix:
        target:
          - 'build-scorecard'
          - 'build-controller'
          - 'build-worker'
          - 'build-cii-worker'
          - 'build-shuffler'
          - 'build-bq-transfer'
          - 'build-github-server'
          - 'build-webhook'
          - 'build-add-script'
          - 'build-validate-script'
    name: ${{ matrix.target }}
    runs-on: ubuntu-latest
    needs: build-proto
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
     - name: Cache builds
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: |
           ~/go/pkg/mod
           ~/.cache/go-build
           ~/Library/Caches/go-build
           %LocalAppData%\go-build
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: Run build
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make ${{ matrix.target }}
  validate-docs:
    name: validate-docs
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

     - name: Cache builds
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: |
           ~/go/pkg/mod
           ~/.cache/go-build
           ~/Library/Caches/go-build
           %LocalAppData%\go-build
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
          fetch-depth: 0
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: Run build
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make validate-docs
  add-projects:
    name: add-projects
    runs-on: ubuntu-latest
    needs: build-proto
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
     - name: Install Protoc
       uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
       with:
        version: ${{ env.PROTOC_VERSION }}
        repo-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Cache builds
       # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds
       uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         path: |
           ~/go/pkg/mod
           ~/.cache/go-build
           ~/Library/Caches/go-build
           %LocalAppData%\go-build
         key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-go-
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
          fetch-depth: 0
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: Run build
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make add-projects
  validate-projects:
    name: validate-projects
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
     - name: Harden Runner
       uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

     - name: Install Protoc
       uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
       with:
        version: ${{ env.PROTOC_VERSION }}
        repo-token: ${{ secrets.GITHUB_TOKEN }}
     - name: Clone the code
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
          fetch-depth: 0
     - name: Setup Go
       uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
       with:
         go-version: ${{ env.GO_VERSION }}
         check-latest: true
         cache: true
     - name: Run build
       uses: nick-invision/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4
       with:
          max_attempts: 3
          retry_on: error
          timeout_minutes: 30
          command: |
            go env -w GOFLAGS=-mod=mod
            make validate-projects
  license-check:
    name: license boilerplate check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
        with:
          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v2.2.0
        with:
          go-version: ${{ env.GO_VERSION }}
          check-latest: true
          cache: true
      - name: Check license headers
        run: |
          go env -w GOFLAGS=-mod=mod
          go install github.com/google/addlicense@2fe3ee94479d08be985a84861de4e6b06a1c7208
          addlicense -ignore "**/script-empty.sh" -ignore "testdata/**" -ignore "**/testdata/**" -l apache -c 'OpenSSF Scorecard Authors' -v *
          git diff --exit-code