.github/workflows/ci.yaml

name: CI
on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4.2.2
      - uses: securego/gosec@v2.21.4
        with:
          args: "-no-fail -fmt sarif -out results.sarif ./..."
      - uses: github/codeql-action/upload-sarif@v3.28.0
        with:
          sarif_file: results.sarif

  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@v4.2.2
      - uses: actions/setup-go@v5.2.0
        with:
          go-version: stable

      - run: make lint test

  e2e:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
      packages: write
    steps:
      - uses: actions/checkout@v4.2.2
      - uses: actions/setup-go@v5.2.0
        with:
          go-version: stable

      - name: Create kind cluster
        uses: helm/kind-action@v1.10.0
        with:
          cluster_name: kind
      - run: make test-e2e
        continue-on-error: true
        env:
          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
      - name: Get manager logs
        run: kubectl logs -n cloudflare-gateway deployment/cloudflare-controller-manager

      - name: Upload conformance report
        uses: actions/upload-artifact@v4.5.0
        with:
          name: conformance-report
          path: '*-report.yaml'

      - uses: docker/login-action@v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}
      - run: make docker-push IMG=ghcr.io/pl4nty/cloudflare-kubernetes-gateway:$(git describe --tag --always --match 'v[0-9]*')

  release-please:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    outputs:
      releases_created: ${{ steps.release.outputs.releases_created }}
    steps:
      - uses: googleapis/release-please-action@v4.1.3
        id: release

  release:
    needs:
      - release-please
    if: ${{ needs.release-please.outputs.releases_created == 'true' || startsWith(github.ref, 'refs/tags/') }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0
      - run: git fetch --force --tags
      - uses: docker/login-action@v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - uses: actions/setup-go@v5.2.0
        with:
          go-version: stable
      - uses: goreleaser/goreleaser-action@v6.1.0
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ github.token }}