.github/workflows/build-checks.yaml

on:
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"

      - name: setup env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
        shell: bash

      - uses: actions/checkout@v4
      - run: |
          make install-golangci-lint
          echo "golangci-lint path: $(which golangci-lint)"
          make lint build

  test:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/setup-go@v4
        with:
          go-version: "1.20"

      - name: setup env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
        shell: bash

      - uses: actions/checkout@v4

      - run: make ginkgo test

  scan:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          exit-code: '1'
          scanners: 'vuln'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'