.github/workflows/test.yaml

name: Plural

on:
  push:
    branches:
      - master
    paths-ignore:
      - ".github/workflows/daily.yaml"
      - ".github/workflows/firebase-hosting-pull-request.yml"
      - ".github/workflows/pr-labels.yaml"
      - ".github/workflows/publish.yaml"
      - ".github/workflows/push-to-plural.yaml"
      - ".github/workflows/www.yaml"
      - ".github/workflows/trivy-artifact-scan.yaml"
      - 'www/**'
      - "plural/**"
      - "*.md"
  pull_request:
    branches: [ master ]
    paths-ignore:
      - ".github/workflows/daily.yaml"
      - ".github/workflows/firebase-hosting-pull-request.yml"
      - ".github/workflows/pr-labels.yaml"
      - ".github/workflows/publish.yaml"
      - ".github/workflows/push-to-plural.yaml"
      - ".github/workflows/www.yaml"
      - ".github/workflows/trivy-artifact-scan.yaml"
      - 'www/**'
      - "plural/**"
      - "*.md"
jobs:
  build:
    name: Build image
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        app: [ plural, cron, worker, rtc ]
    permissions:
      contents: 'read'
      id-token: 'write'
      packages: 'write'
      security-events: write
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Docker meta ${{ matrix.app }}
        id: meta
        uses: docker/metadata-action@v4
        with:
          # list of Docker images to use as base name for tags
          images: |
            ghcr.io/pluralsh/${{ matrix.app }}
          # generate Docker tags based on the following events/attributes
          tags: |
            type=sha
            type=ref,event=pr
            type=ref,event=branch
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Test Build ${{ matrix.app }} image
        uses: docker/build-push-action@v3
        with:
          context: "."
          file: "./Dockerfile"
          push: true
          load: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            APP_NAME=${{ matrix.app }}
            GIT_COMMIT=$GITHUB_SHA
      - name: Run Trivy vulnerability scanner on ${{ matrix.app }} image
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'image'
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          security-checks: 'vuln,secret'
          ignore-unfixed: true
           #severity: 'CRITICAL,HIGH'
        env:
          TRIVY_SKIP_DB_UPDATE: true
          TRIVY_SKIP_JAVA_DB_UPDATE: true
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
  trivy-scan:
    name: Trivy fs scan
    runs-on: ubuntu-20.04
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          hide-progress: false
          skip-dirs: 'www,plural'
          format: 'sarif'
          output: 'trivy-results.sarif'
          security-checks: 'vuln,secret'
          ignore-unfixed: true
          #severity: 'CRITICAL,HIGH'
        env:
          TRIVY_SKIP_DB_UPDATE: true
          TRIVY_SKIP_JAVA_DB_UPDATE: true
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
  test-release:
    name: Test release
    runs-on: ubuntu-20.04
    steps:
    - uses: actions/checkout@v3
    - name: test-release
      uses: pluralsh/chart-releaser@v0.1.1
      with:
        path: ./plural/helm/plural
        release: v0.10.10
    - run: cat plural/helm/plural/Chart.yaml
  test:
    name: Test
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - uses: erlef/setup-beam@v1
        with:
          version-file: .tool-versions
          version-type: strict
      - uses: azure/setup-helm@v3
        with:
          version: latest
      - name: install plural cli
        run: |
          mkdir scratch && cd scratch
          curl -sL 'https://github.com/pluralsh/plural-cli/releases/download/v0.5.18/plural-cli_0.5.18_Linux_amd64.tar.gz' | tar xzvf -
          chmod +x plural
          cp plural /usr/local/bin/plural
      - run: make install-cockroach
      - run: make testup
      - name: Restore dependencies cache
        uses: actions/cache@v3
        with:
          path: deps
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - name: Restore _build
        uses: actions/cache@v3
        with:
          path: _build
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - run: mix deps.get
      - run: mix test
      - run: mix coveralls.html
      - run: pip3 install ansi2html junit2html
      - run: mkdir junit
      - run: junit2html _build/test/lib/api/test-junit-report.xml junit/api.html
      - run: junit2html _build/test/lib/core/test-junit-report.xml junit/core.html
      - run: junit2html _build/test/lib/cron/test-junit-report.xml junit/cron.html
      - run: junit2html _build/test/lib/graphql/test-junit-report.xml junit/graphql.html
      - run: junit2html _build/test/lib/email/test-junit-report.xml junit/email.html
      - run: junit2html _build/test/lib/rtc/test-junit-report.xml junit/rtc.html
      - run: junit2html _build/test/lib/worker/test-junit-report.xml junit/worker.html
      - name: Run stoat action
        uses: stoat-dev/stoat-action@v0
        if: always()
      - uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          fields: workflow,job,repo,message,commit,author
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} # required
        if: always()
  updateSchema:
    name: Check that Schema is up to date
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3
      - uses: erlef/setup-beam@v1
        with:
          version-file: .tool-versions
          version-type: strict
      - name: Restore dependencies cache
        uses: actions/cache@v3
        with:
          path: deps
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - name: Restore _build
        uses: actions/cache@v3
        with:
          path: _build
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - name: get dependencies
        run: mix deps.get
      - name: update schema
        run: mix absinthe.schema.sdl --schema GraphQl  schema/schema.graphql
      - name: Verify Changed files
        uses: tj-actions/verify-changed-files@v17
        id: verify-changed-files
        with:
          files: |
            schema/schema.graphql
      - name: Schema changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        run: |
          echo "::error Schema has changed changed. Please run 'make update-schema' and commit the changes."
          exit 1