ci.yml

name: CI

on:
  push:
    branches:
      - main
      - release-*
  pull_request: {}
  workflow_dispatch: {}

env:
  # We can't run a step 'if secrets.FOO != ""' but we can run a step
  # 'if env.FOO' != ""', so we copy secrets to env vars for conditional checks.
  DOCKER_USR: ${{ secrets.DOCKER_USR }}

jobs:
  check-diff:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Nix
        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31

      - name: Setup Cachix
        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        with:
          name: crossplane
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Verify Generated Code
        run: nix build .#checks.x86_64-linux.generate --print-build-logs

  lint:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Nix
        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31

      - name: Setup Cachix
        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        with:
          name: crossplane
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Lint
        run: nix build .#checks.x86_64-linux.go-lint --print-build-logs

  codeql:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Nix
        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31

      - name: Setup Cachix
        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        with:
          name: crossplane
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Setup Nix Environment
        uses: nicknovitski/nix-develop@9be7cfb4b10451d3390a75dc18ad0465bed4932a # v1

      - name: Initialize CodeQL
        uses: github/codeql-action/init@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3
        with:
          languages: go

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3

  trivy-scan-fs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          skip-dirs: design
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          format: sarif
          output: 'trivy-results.sarif'

      - name: Upload Trivy Results to GitHub
        uses: github/codeql-action/upload-sarif@b5ebac6f4c00c8ccddb7cdcd45fdb248329f808a # v3
        with:
          sarif_file: 'trivy-results.sarif'

  unit-tests:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install Nix
        uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31

      - name: Setup Cachix
        uses: cachix/cachix-action@3ba601ff5bbb07c7220846facfa2cd81eeee15a1 # v16
        with:
          name: crossplane
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

      - name: Run Unit Tests
        run: nix build .#checks.x86_64-linux.test --print-build-logs

      - name: Publish Unit Test Coverage
        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
        with:
          flags: unittests
          file: result/coverage.txt
          token: ${{ secrets.CODECOV_TOKEN }}

  protobuf-schemas:
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Setup Buf
        uses: bufbuild/buf-setup-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}

      - name: Lint Protocol Buffers
        uses: bufbuild/buf-lint-action@v1

      # buf-breaking-action doesn't support branches
      # https://github.com/bufbuild/buf-push-action/issues/34
      - name: Detect Breaking Changes in Protocol Buffers
        uses: bufbuild/buf-breaking-action@a074e988ee34efcd4927079e79c611f428354c01 # v1
        # We want to run this for the main branch, and PRs against main.
        if: ${{ github.ref == 'refs/heads/main' || github.base_ref == 'main' }}
        with:
          against: "https://github.com/${GITHUB_REPOSITORY}.git#branch=main"

      - name: Push Protocol Buffers to Buf Schema Registry
        if: ${{ github.repository == 'crossplane/crossplane-runtime' && github.ref == 'refs/heads/main' }}
        uses: bufbuild/buf-push-action@v1
        with:
          buf_token: ${{ secrets.BUF_TOKEN }}