.github/workflows/test.yml

---
name: "Tests"

env:
  cinc_workstation_version: 23

on:
  push:
    branches:
      - '*'
  pull_request:
    branches:
      - master

jobs:
  cookstyle:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v3
        with:
          path: |
            .cache
          key: ${{ runner.os }}-${{ env.cinc_workstation_version }}
      - name: setup environment
        run: |
          mkdir -p .cache
          curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-workstation -d .cache -v ${{ env.cinc_workstation_version }}
      - name: cookstyle
        run: |
          cinc exec cookstyle --fail-level r

  kitchen-dokken:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        cinc_version: [ '17', '18' ]
        kitchen_distro:
          - amazonlinux-1
          - amazonlinux-2
          - centos-7
          - centos-stream-8
          - centos-stream-9
          - almalinux-8
          - almalinux-9
          - rockylinux-8
          - rockylinux-9
          - oracle-7
          - oracle-8
          - oracle-9
          - debian-10
          - debian-11
          - fedora-37
          - fedora-38
#          - opensuse-42 # something is broken here
          - ubuntu-20-04
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v3
        with:
          path: |
            .cache
          key: ${{ runner.os }}-${{ env.cinc_workstation_version }}
      - name: setup cinc workstation
        run: |
          mkdir -p .cache
          curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-workstation -d .cache -v ${{ env.cinc_workstation_version }}
      - name: kitchen
        env:
          CINC_VERSION: ${{ matrix.cinc_version }}
          KITCHEN_LOCAL_YAML: .kitchen.dokken.yml
        run: |
          kitchen test --color --destroy=always ${{ matrix.kitchen_distro }}

  kitchen-digitalocean:
    if: github.repository == 'dev-sec/chef-os-hardening' && success()
    needs: # run expensive VM tests only if cheap dokken tests are passing
      - kitchen-dokken
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        cinc_version: [ '18' ]
        kitchen_distro:
          - default-centos-7
          - default-centos-stream-8
          - default-centos-stream-9
          - default-almalinux-8
          - default-almalinux-9
          - default-rockylinux-8
          - default-rockylinux-9
          - default-ubuntu-20-04
          - default-debian-10
          - default-debian-11
          - default-fedora-38
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v3
        with:
          path: |
            .cache
          key: ${{ runner.os }}-${{ env.cinc_workstation_version }}
      - name: setup cinc workstation
        run: |
          mkdir -p .cache
          curl -L https://omnitruck.cinc.sh/install.sh | sudo bash -s -- -P cinc-workstation -d .cache -v ${{ env.cinc_workstation_version }}
      - name: setup ssh key
        env:
          SSH_KEY: ${{ secrets.DO_SSH_KEY }}
        run: |
          mkdir -p ~/.ssh
          echo "$SSH_KEY" > ~/.ssh/id_rsa
          chmod 700 ~/.ssh
          chmod 600 ~/.ssh/id_rsa
      - name: kitchen
        env:
          CINC_VERSION: ${{ matrix.cinc_version }}
          KITCHEN_LOCAL_YAML: .kitchen.do.yml
          DIGITALOCEAN_SSH_KEY_IDS: ${{ secrets.DO_SSH_KEY_ID }}
          DIGITALOCEAN_ACCESS_TOKEN: ${{ secrets.DO_ACCESS_TOKEN }}
        run: |
          kitchen test --color --destroy=always ${{ matrix.kitchen_distro }}

  pass-all-jobs:
    if: "!(github.repository == 'dev-sec/chef-os-hardening' && startsWith(github.head_ref, 'release/v')) && always()"
    needs:
    - cookstyle
    - kitchen-dokken
    runs-on: ubuntu-latest
    steps:
    - name: Decide whether the needed jobs succeeded or failed
      uses: re-actors/alls-green@release/v1
      with:
        jobs: ${{ toJSON(needs) }}

  pass-all-jobs-with-digitalocean:
    if: "(github.repository == 'dev-sec/chef-os-hardening' && !(startsWith(github.head_ref, 'release/v'))) && always()"
    needs:
    - cookstyle
    - kitchen-dokken
    - kitchen-digitalocean
    runs-on: ubuntu-latest
    steps:
    - name: Decide whether the needed jobs succeeded or failed
      uses: re-actors/alls-green@release/v1
      with:
        jobs: ${{ toJSON(needs) }}

  pass-all-jobs-release:
    if: "github.repository == 'dev-sec/chef-os-hardening' && startsWith(github.head_ref, 'release/v') && always()"
    runs-on: ubuntu-latest
    steps:
    - name: happy releasing
      run: |
        echo "Happy releasing :-)"
        # this is just a succeessfull placeholder to make release PR pass