.github/workflows/ci.yaml

name: CI

on: [ push ]

jobs:
  pre-commit:
    name: Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up python
        uses: actions/setup-python@v4
        with:
          python-version: 3.10.14

      # Install poetry
      - name: Load cached Poetry installation
        uses: actions/cache@v3
        with:
          path: ~/.local
          key: poetry-0

      - name: Install Poetry
        uses: snok/install-poetry@v1
        with:
          version: 1.8.3
          virtualenvs-create: true
          virtualenvs-in-project: true
          installer-parallel: true

      # Install dependencies
      - name: Install dependencies
        run: poetry install --no-interaction --no-root

      # Run precommit
      - name: Run precommit
        run: poetry run pre-commit run --all-files

      # Markdown lint
      - name: markdownlint-cli
        uses: nosborn/github-action-markdown-cli@v3.3.0
        with:
          config_file: .markdownlint.yaml
          files: .
          dot: true
          ignore_files: .venv/

  security:
    name: pip-audit
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up python
        uses: actions/setup-python@v4
        with:
          python-version: 3.10.14

      # Install poetry
      - name: Load cached Poetry installation
        uses: actions/cache@v3
        with:
          path: ~/.local
          key: poetry-0
      - name: Install Poetry
        uses: snok/install-poetry@v1
        with:
          version: 1.8.3
          virtualenvs-create: true
          virtualenvs-in-project: true
          installer-parallel: true

      - name: Install dependencies
        run: poetry install --no-interaction --no-root

      - name: Export requirements
        run: poetry export -f requirements.txt --without-hashes > audit_requirements.txt

      # Run audit
      - uses: pypa/gh-action-pip-audit@v1.0.8
        with:
          inputs: audit_requirements.txt

  docker:
    name: Build Docker Image
    needs: [pre-commit, security]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v3
        with:
          images: |
            europe-west4-docker.pkg.dev/stakewiselabs/public/periodic-tasks
          flavor: |
            latest=false
          tags: |
            type=ref,event=branch
            type=ref,event=tag
            type=sha
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GAR
        uses: docker/login-action@v3
        with:
          registry: europe-west4-docker.pkg.dev
          username: _json_key
          password: ${{ secrets.GAR_JSON_KEY }}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  scanner:
    name: Trivy scanner
    runs-on: ubuntu-latest
    needs: docker
    steps:
      - id: commit-hash
        uses: pr-mpt/actions-commit-hash@v2

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'europe-west4-docker.pkg.dev/stakewiselabs/public/periodic-tasks:sha-${{ steps.commit-hash.outputs.short }}'
          format: 'table'
          exit-code: '1'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true