.github/workflows/ci.yml

name: ci

concurrency:
  cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
  group: ci-${{ github.ref_name }}-${{ github.event_name }}

on:
  push:
    branches:
      - main
    tags:
      - "v*"
  pull_request:
    branches:
      - main

env:
  ANSIBLE_FORCE_COLOR: "1"
  PY_COLORS: "1"

jobs:
  trivy:
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        scan-type:
          - fs
          - config
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Cache trivy db
        uses: actions/cache@v4
        with:
          path: |
            ~/.cache/trivy
            ~/work/temp
          key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
          restore-keys: |
            ${{ runner.os }}-trivy-db-
      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          format: sarif
          ignore-unfixed: true
          output: trivy-results.sarif
          scan-ref: .
          scan-type: ${{ matrix.scan-type }}
          severity: CRITICAL,HIGH
          token-setup-trivy: ${{ secrets.GH_PAT }}
          trivy-config: trivy.yaml
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "trivy-results.sarif"

  test:
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    services:
      prometheus:
        image: prom/prometheus:v3.0.1
        ports:
          - 9090:9090
      loki:
        image: grafana/loki:3.3.1
        ports:
          - 3100:3100
    strategy:
      fail-fast: false
      matrix:
        role:
          - haproxy
          - kratos
          - node_exporter
          - oathkeeper
          - promtail
          - pushgateway
          - vmagent
    env:
      VMAGENT_REMOTE_WRITE_URL: http://localhost:9090/api/v1/write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check ansible
        run: ansible --version
      - name: Cache Ansible collections
        uses: actions/cache@v4
        with:
          path: |
            ~/.ansible/collections
            ~/.ansible/plugins
          key: ${{ runner.os }}-ansible-${{ hashFiles('**/requirements.yml') }}
          restore-keys: |
            ${{ runner.os }}-ansible-
      - name: Prepare localhost inventory
        run: |
          cat << 'EOF' > localhost.yml
          all:
            hosts:
              localhost:
                ansible_connection: local
          EOF
      - name: Install the dependencies
        run: |
          ansible-galaxy collection install -r requirements.yml
          ansible-galaxy collection install ./
      - name: Ansible playbook
        run: ansible-playbook playbook.yml -i localhost.yml -t ${{ matrix.role }}

  release-please:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    outputs:
      releases_created: ${{ steps.release-please.outputs.releases_created }}
      tag_name: ${{ steps.release-please.outputs.tag_name }}
    permissions:
      contents: write
      pull-requests: write
    steps:
      - id: release-please
        name: Release please
        uses: googleapis/release-please-action@v4
        with:
          release-type: simple

  publish-galaxy:
    needs:
      - test
      - release-please
    if: needs.release-please.outputs.releases_created == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Build collection
        run: ansible-galaxy collection build
      - id: publish
        name: Publish to Ansible Galaxy
        run: |
          namespace=$(yq -r .namespace galaxy.yml)
          name=$(yq -r .name galaxy.yml)
          version=$(yq -r .version galaxy.yml)

          if [ v"$version" != "${{ needs.release-please.outputs.tag_name }}" ]; then
            echo "Version in galaxy.yml ($version) does not match git tag (${{ needs.release-please.outputs.tag_name }})"
            exit 1
          fi

          ansible-galaxy collection publish \
            $namespace-$name-$version.tar.gz \
            --token ${{ secrets.ANSIBLE_GALAXY_TOKEN }}

          echo "asset=$namespace-$name-$version.tar.gz" >> $GITHUB_OUTPUT

  ansible-lint:
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run ansible-lint
        uses: ansible/ansible-lint@main
        with:
          setup_python: "true"
          requirements_file: requirements.yml

  sonarcloud:
    if: github.event_name == 'push' || github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}