docker.yml

name: CI

on:
  push:
    branches:
      - main
    paths:
      - "Dockerfile"
      - ".github/workflows/docker.yml"
  pull_request:
    branches:
      - main
    paths:
      - "Dockerfile"
      - ".github/workflows/docker.yml"
  workflow_dispatch:

env:
  REGISTRY: docker.io
  OWNER: ${{ github.repository_owner }}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout source code
      uses: actions/checkout@v4
    - name: Set Tag Name
      run: |
        echo "TAG=${{ github.head_ref || github.ref_name }}" >> $GITHUB_ENV
        echo "DATE=v$(echo `date +'%Y.%m'`)" >> $GITHUB_ENV
        echo "REPO_NAME=$(echo ${PWD##*/})" >> $GITHUB_ENV
    - name: Login to DockerHub
      uses: docker/login-action@v3
      if: success()
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
    - name: Set up QEMU
      uses: docker/setup-qemu-action@master
      with:
        platforms: all
    - name: Set up Docker Buildx
      id: buildx
      if: success()
      uses: docker/setup-buildx-action@v3
      env:
        DOCKER_BUILDKIT: 1
    - name: Build and push Docker image - (TAG)
      uses: docker/build-push-action@v6
      if: success()
      env:
        DOCKER_BUILDKIT: 1
      with:
        context: .
        file: ./Dockerfile
        platforms: linux/amd64,linux/arm64
        pull: true
        push: true
        tags: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.REPO_NAME }}:${{ env.TAG == 'main' && 'latest' || env.TAG }}
    - name: Build and push Docker image - (MAIN)
      uses: docker/build-push-action@v6
      if: ${{ contains(github.ref, 'main') }}
      env:
        DOCKER_BUILDKIT: 1
      with:
        context: .
        file: ./Dockerfile
        platforms: linux/amd64,linux/arm64
        pull: true
        push: true
        tags: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.REPO_NAME }}:${{ env.DATE }}
    - name: Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      if: success()
      with:
        image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ env.REPO_NAME }}:${{ env.TAG == 'main' && 'latest' || env.TAG }}
        format: 'template'
        template: '@/contrib/sarif.tpl'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results to GitHub Security
      uses: github/codeql-action/upload-sarif@v3
      if: success()
      with:
        sarif_file: 'trivy-results.sarif'

  k8s-test:
    runs-on: ubuntu-latest
    needs: [build]
    if: ${{ ! contains(github.ref, 'main') }}
    steps:
      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.12.0
        with:
          verbosity: "10"
          kubectl_version: "v1.29.3"
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run K8s test
        run: |
          kubectl version
          export NS=`cat deployment/kustomization.yml  | grep namespace | awk '{ print $2 }'`
          if [ -z "$NS" ]; then
            export NS='data'
          fi
          kubectl create namespace $NS
          kubectl apply -n $NS -k deployment/

          helm install kinesis charts/kinesis --namespace kinesis --create-namespace

          kubectl get all -A
          helm list -A

  auto-approve:
    runs-on: ubuntu-latest
    needs: [build, k8s-test]
    if: ${{ github.event_name == 'pull_request' }}
    steps:
    - name: Auto Approve PR
      uses: actions/github-script@v7
      with:
       script: |
        github.rest.pulls.createReview({
          owner: context.repo.owner,
          repo: context.repo.repo,
          pull_number: context.issue.number,
          event: "APPROVE"
        })

  auto-preview:
    runs-on: ubuntu-latest
    needs: [auto-approve]
    if: ${{ github.event_name == 'pull_request' }}
    steps:
    - name: Add Preview Label
      uses: actions/github-script@v7
      with:
        script: |
          github.rest.issues.addLabels({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            labels: ['preview']
          })