build_test_ci.yml

name: Build and Test CI

on:
  push:
    branches:
      - main
    paths-ignore:
      - '**/**.md'
      - 'docs/**'
  pull_request:
    branches:
      - "*"
    paths-ignore:
      - '**/**.md'
      - 'docs/**'
  workflow_dispatch:
  
permissions:
  contents: read
  pull-requests: read
  actions: read

concurrency:
  group: build-test-ci-${{ github.ref }}-1
  cancel-in-progress: true

jobs:
  go-build-test:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@v2
      with:
        disable-sudo: true
        egress-policy: block
        allowed-endpoints: >
          api.github.com:443
          github.com:443
          golang.org:443
          proxy.golang.org:443
          sum.golang.org:443
          objects.githubusercontent.com:443
          storage.googleapis.com:443
          cli.codecov.io:443
          api.codecov.io:443

    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version-file: 'go.mod'
        check-latest: true

    - name: Build
      run: make build

    - name: Check for generated diff
      run: make check-gen-diff

    - name: Test
      run: make test

    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@v4
      with:
        files: ./coverage.out
        fail_ci_if_error: true
        verbose: true
        token: ${{ secrets.CODECOV_TOKEN }}
        slug: linode/cluster-api-provider-linode


  go-analyse:
    needs:  go-build-test
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@v2
      with:
        disable-sudo: true
        egress-policy: block
        allowed-endpoints: >
          api.github.com:443
          github.com:443
          proxy.golang.org:443
          sum.golang.org:443
          objects.githubusercontent.com:443
          registry-1.docker.io:443
          auth.docker.io:443
          production.cloudflare.docker.com:443
          vuln.go.dev:443
          storage.googleapis.com:443

    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version-file: 'go.mod'
        check-latest: true

    - name: Docker cache
      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}

    - name: Lint
      run: make lint

    - name: Gosec
      run: make gosec

    - name: Vulncheck
      continue-on-error: true
      run: make vulncheck
    
    - name: Nilcheck
      run: make nilcheck

  e2e-test:
    needs:  [go-build-test, docker-build]
    runs-on: ubuntu-latest
    if: github.event.pull_request.draft == false
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@v2
      with:
        disable-sudo: true
        egress-policy: block
        allowed-endpoints: >
          api.linode.com:443
          api.github.com:443
          github.com:443
          gcr.io:443
          proxy.golang.org:443
          sum.golang.org:443
          *.githubusercontent.com:443
          docker.io:443
          registry-1.docker.io:443
          auth.docker.io:443
          production.cloudflare.docker.com:443
          storage.googleapis.com:443
          registry.k8s.io:443
          *.pkg.dev:443
          *.amazonaws.com:443
          *.blob.core.windows.net:443
          quay.io:443
          *.quay.io:443
          api.snapcraft.io:443
          cloud.tilt.dev:443
          kubernetes-sigs.github.io:443
          charts.jetstack.io:443

    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version-file: 'go.mod'
        check-latest: true

    - name: Docker cache
      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}

    - name: E2E test
      run: make e2etest
      env:
        GITHUB_TOKEN: ${{ secrets.github_token }}
        LINODE_TOKEN: ${{ secrets.LINODE_TOKEN }}

    - name: Copy logs
      if: ${{ always() }}
      run: docker cp tilt-control-plane:/var/log .logs

    - uses: actions/upload-artifact@v4
      if: ${{ always() }}
      with:
        name: logs
        path: .logs/*
        overwrite: true

  docker-build:
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
      uses: step-security/harden-runner@v2
      with:
        disable-sudo: true
        egress-policy: block
        allowed-endpoints: >
          api.github.com:443
          github.com:443
          proxy.golang.org:443
          sum.golang.org:443
          go.dev:443
          dl.google.com:443
          golang.org:443
          objects.githubusercontent.com:443
          registry-1.docker.io:443
          auth.docker.io:443
          production.cloudflare.docker.com:443
          gcr.io:443
          storage.googleapis.com:443

    - uses: actions/checkout@v4

    - name: Docker cache
      uses: ScribeMD/docker-cache@0.5.0
      with:
        key: docker-${{ runner.os }}-${{ hashFiles('go.sum') }}

    - name: Build the Docker image
      run: make docker-build