.github/workflows/docker-build-branch.yml

name: 'Docker Build Branch'

on:
  pull_request:
    types: [ labeled, opened, reopened, synchronize ]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
  REPO_NAME: ${{ github.event.repository.name }}
  PROMTOOL_IMAGE_NAME: sre-promtool
  PROMTOOL_VERSION: 2.38.0
  USER: ho-cto

jobs:
  code-quality:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Hadolint Dockerfile
        uses: hadolint/hadolint-action@v2.1.0
        with:
          dockerfile: ./monitoring-as-code/Dockerfile
      - name: Jsonnet format check
        run: sh ${{ github.workspace }}/monitoring-as-code/fmt.sh && git diff --exit-code --color
      - name: Jsonnet lint check
        run: sh ${{ github.workspace }}/monitoring-as-code/lint.sh

  container-image-build:
    needs: code-quality
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2.2.1
      - name: Calculate metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=raw,value=${{ github.event.pull_request.head.sha }}
      - name: Build container
        uses: docker/build-push-action@v3.2.0
        with:
          context: ./monitoring-as-code
          file: ./monitoring-as-code/Dockerfile
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            PACKAGE_TOKEN=${{secrets.GITHUB_TOKEN}}
            MAC_VERSION='#${{ github.event.number }}'
          outputs: type=docker,dest=/tmp/${{ env.REPO_NAME }}.tar
      - name: Upload artifact
        uses: actions/upload-artifact@v3.1.1
        with:
          name: ${{ env.REPO_NAME }}
          path: /tmp/${{ env.REPO_NAME }}.tar

  code-test:
    needs: container-image-build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Download artifact
        uses: actions/download-artifact@v3.0.1
        with:
          name: ${{ env.REPO_NAME }}
          path: /tmp
      - name: Load Docker image
        run: |
          docker load --input /tmp/${{ env.REPO_NAME }}.tar
          echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep sre-monitoring-as-code)" >> $GITHUB_ENV
      - name: Run monitoring mixin
        run:  docker run -v ${{ github.workspace }}/monitoring-as-code:${{ github.workspace }}/data -t ${{ env.IMAGE_TAG }} -m monitoring -rd -i ${{ github.workspace }}/data/mixin-defs -o ${{ github.workspace }}/data/output
      - name: Run testing mixin
        run:  docker run -v ${{ github.workspace }}/monitoring-as-code:${{ github.workspace }}/data -t ${{ env.IMAGE_TAG }} -m testing -rd -i ${{ github.workspace }}/data/mixin-defs -o ${{ github.workspace }}/data/output
      - name: Run promtool checks
        run: for FILE in ${{ github.workspace }}/monitoring-as-code/output/prometheus-rules/*-rules.yaml; do docker run -v ${{ github.workspace }}/monitoring-as-code:${{ github.workspace }}/data ${{env.REGISTRY}}/${{env.USER}}/${{env.PROMTOOL_IMAGE_NAME}}:${{env.PROMTOOL_VERSION}} check rules ${{ github.workspace }}/data/output/prometheus-rules/$(basename $FILE); if [ $? -ne 0 ]; then echo "Validation of rules files failed for $(basename $FILE) - exiting"; exit 1; fi done

  container-image-test:
    needs: container-image-build
    permissions:
      security-events: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Download artifact
        uses: actions/download-artifact@v3.0.1
        with:
          name: ${{ env.REPO_NAME }}
          path: /tmp
      - name: Load Docker image
        run: |
          docker load --input /tmp/${{ env.REPO_NAME }}.tar
          echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep sre-monitoring-as-code)" >> $GITHUB_ENV
      - name: Setup Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 18.10.0
      - name: Setup Snyk
        run: |
          npm install snyk -g
          snyk auth ${{secrets.SNYK_TOKEN}}
      - name: Snyk Container Scan
        id: snyk-dockerfile
        run: |
          snyk container test --file=./monitoring-as-code/Dockerfile --sarif-file-output=snyk.sarif --app-vulns --severity-threshold=medium ${{ env.IMAGE_TAG }}
        continue-on-error: true
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif
      - name: Check on failures
        if: steps.snyk-dockerfile.outcome != 'success'
        run: exit 1

  container-image-push:
    needs: [code-test, container-image-test]
    permissions:
      packages: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3.1.0
      - name: Download artifact
        uses: actions/download-artifact@v3.0.1
        with:
          name: ${{ env.REPO_NAME }}
          path: /tmp
      - name: Load Docker image
        run: |
          docker load --input /tmp/${{ env.REPO_NAME }}.tar
          echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep sre-monitoring-as-code)" >> $GITHUB_ENV
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push image to GitHub Container Registry
        run: docker push ${{ env.IMAGE_TAG }}