.github/workflows/ci.yaml

name: Main CI
on:
  push:
    branches:
      - "main"
    tags:
      - "v*"
  pull_request:
    branches:
      - "main"
jobs:
  test:
    runs-on: ubuntu-latest
    timeout-minutes: 60

    services:
      localstack:
        image: localstack/localstack:latest
        ports:
          - 4566:4566
          - 4571:4571

      vault-server:
        image: vault:1.13.3
        ports:
          - "8200:8200"
        env:
          VAULT_ADDR: "http://0.0.0.0:8200"
          VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"

    env:
      AWS_REGION: ap-southeast-2
      AWS_ACCESS_KEY_ID: foobar
      AWS_SECRET_ACCESS_KEY: foobar
      VAULT_ADDR: http://localhost:8200
      VAULT_TOKEN: vault-plaintext-root-token

    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: ⚡ Cache Cargo
        uses: actions/cache@v4
        with:
          path: |
            ~/.cargo/registry
            ~/.cargo/git
          key: ${{ runner.os }}-cache-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-cache-${{ hashFiles('**/Cargo.lock') }}
            ${{ runner.os }}-cache-

      - name: ⚡ Cache Cargo Target
        uses: actions/cache@v4
        with:
          path: |
            target
          key: ${{ runner.os }}-target-${{ hashFiles('**/Cargo.lock') }}
          restore-keys: |
            ${{ runner.os }}-target-${{ hashFiles('**/Cargo.lock') }}
            ${{ runner.os }}-target-

      - id: install-aws-cli
        uses: unfor19/install-aws-cli-action@master

      - name: Wait for localstack
        run: |
          ./wait-for.sh http://localhost:4566/_localstack/health -t 300 -s -- echo 'localstack up'
          make init-test && sleep 2

      - name: Run unit tests
        run: |
          make test

  sanity-check:
    runs-on: ubuntu-latest
    timeout-minutes: 60

    services:
      localstack:
        image: localstack/localstack:latest
        ports:
          - 4566:4566
          - 4571:4571
        env:
          DEBUG: 1

      vault-server:
        image: vault:1.13.3
        ports:
          - "8200:8200"
        env:
          VAULT_ADDR: "http://0.0.0.0:8200"
          VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"

    env:
      AWS_REGION: ap-southeast-2
      AWS_ACCESS_KEY_ID: foobar
      AWS_SECRET_ACCESS_KEY: foobar
      VAULT_ADDR: http://localhost:8200
      VAULT_TOKEN: vault-plaintext-root-token

    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.10.0
        with:
          cluster_name: local
          ignore_failed_clean: true

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: controller

      # setup Docker buld action
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true

      - name: ⚡ Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build image
        uses: docker/build-push-action@v6
        id: build
        with:
          context: .
          tags: controller:local
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new
          push: false
          load: true

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: controller:local
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - id: install-aws-cli
        uses: unfor19/install-aws-cli-action@master

      - name: Setup remote secrets in kind
        run: |
          ./wait-for.sh http://localhost:4566/_localstack/health -t 300 -s -- echo 'localstack up'
          make init-test
          make kind-image-load
          make install-local
          kubectl apply -f e2e/dockerhost-linux.yaml

          kubectl wait deployment -n remote-secrets remote-secrets --for condition=Available=True --timeout=30s

          kubectl -n remote-secrets exec $(kubectl get pod -A | grep remote-secrets | awk '{print $2}') -- sh -c 'apk add --no-cache curl && curl http://dockerhost:4566/_localstack/health'

      - name: Sanity check remote secrets
        run: |
          kubectl apply -f config/simples/example.yaml
          e2e/integration-test.sh

      - name: Show logs
        if: failure()
        run: |

          kubectl get secret test-rsecret -o yaml || true
          kubectl -n remote-secrets get deploy remote-secrets -o yaml || true
          kubectl -n remote-secrets logs deploy/remote-secrets || true
          docker logs "${{ job.services.localstack.id }}" || true
          kubectl get rsecrets.jerry153fish.com test-rsecret -o yaml || true
          aws ssm get-parameters --endpoint-url http://localhost:4566 --names MyStringParameter MyJsonParameter | cat -
          aws secretsmanager list-secrets --endpoint-url http://localhost:4566 | cat -
          aws cloudformation describe-stacks --stack-name MyTestStack --endpoint-url http://localhost:4566 | cat -

  docker-push:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    if: ${{ github.event_name != 'pull_request' }}
    environment: main
    needs: [test, sanity-check]

    steps:
      - name: Check out repository code
        uses: actions/checkout@v4

      - name: Install Cosign
        uses: sigstore/cosign-installer@main

      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: jerry153fish/remote-secrets

      # setup Docker buld action
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
        with:
          install: true

      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          tags: |
            ${{ github.ref != 'refs/heads/main' && steps.meta.outputs.tags || '' }}
            ${{ github.ref == 'refs/heads/main' && 'jerry153fish/remote-secrets:latest' || '' }}
          labels: ${{ steps.meta.outputs.labels }}
          push: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new

      - name: Sign image with a key
        run: |
          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS} -y
        env:
          TAGS: |
            ${{ github.ref != 'refs/heads/main' && steps.meta.outputs.tags || '' }}
            ${{ github.ref == 'refs/heads/main' && 'jerry153fish/remote-secrets:latest' || '' }}
          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}

      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache