dev_build_svace.yml

# Copyright 2024 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

name: Build latest CSE branch with Svace every weekend
env:
  MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
  CI_COMMIT_REF_NAME: ${{ github.ref_name }}
  MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
  MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
  MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
  MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}
  SOURCE_REPO: "${{secrets.SOURCE_REPO}}"
  SOURCE_REPO_GIT: "${{secrets.SOURCE_REPO_GIT}}"

on:
  workflow_dispatch:
  schedule:
    - cron: "00 04 * * *"
defaults:
  run:
    shell: bash

concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  cancel-in-progress: true

jobs:
  set_vars:
    runs-on: ubuntu-latest
    name: Set MODULES_MODULE_TAG
    outputs:
      modules_module_tag: ${{ steps.modules_module_tag.outputs.MODULES_MODULE_TAG }}
      module_edition: ${{ steps.modules_module_tag.outputs.MODULE_EDITION }}
      runner_type: ${{ steps.modules_module_tag.outputs.RUNNER_TYPE }}
      checkout_tag: ${{ steps.modules_module_tag.outputs.CHECKOUT_TAG }}
      checkout_sha: ${{ steps.modules_module_tag.outputs.CHECKOUT_SHA }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: "${{ github.event.pull_request.head.sha || github.sha }}"
      - name: Set vars
        id: modules_module_tag
        run: |
          if [[ "${{ github.event_name }}" == 'schedule' ]]; then
            # get last semver branch with release-X.Y-cse format
            CHECKOUT_TAG=$(git branch -r | grep -oE 'release-[0-9]+\.[0-9]+-cse$' | sort -V | tail -n 1)
          else
            CHECKOUT_TAG=${{ github.event.pull_request.head.sha || github.sha }}
          fi
          CHECKOUT_SHA=$(git rev-parse remotes/origin/$CHECKOUT_TAG)
          echo "CHECKOUT_TAG=$CHECKOUT_TAG" >> "$GITHUB_OUTPUT"
          echo "CHECKOUT_SHA=$CHECKOUT_SHA" >> "$GITHUB_OUTPUT"
          if [[ "${{ github.ref_name }}" == 'main' ]]; then
            MODULES_MODULE_TAG="${{ github.ref_name }}-svace"
          elif [[ "${{ github.ref_name }}" =~ ^release-[0-9]+\.[0-9]+ ]]; then
            MODULES_MODULE_TAG="${{ github.ref_name }}-svace"
          elif [[ -n "${{ github.event.pull_request.number }}" ]]; then
            MODULES_MODULE_TAG="pr${{ github.event.pull_request.number }}-svace"
          else
            underscored_branch=$(echo "${{ github.ref_name }}" | tr '/' '_')
            MODULES_MODULE_TAG="$underscored_branch-svace"
          fi

          echo "MODULES_MODULE_TAG=$MODULES_MODULE_TAG" >> "$GITHUB_OUTPUT"

          # Select runner
          if echo "${{ steps.get-labels.outputs.result }}" | grep -q "build/github/ubuntu"; then
            echo "RUNNER_TYPE=[\"ubuntu-22.04\"]" >> "$GITHUB_OUTPUT"
          elif echo "${{ steps.get-labels.outputs.result }}" | grep -q "build/self-hosted/regular"; then
            echo "RUNNER_TYPE=[\"self-hosted\", \"regular\"]" >> "$GITHUB_OUTPUT"
          else
            echo "RUNNER_TYPE=[\"self-hosted\", \"large\"]" >> "$GITHUB_OUTPUT"
          fi

          # EE for virtualization-audit
          echo "MODULE_EDITION=EE" >> "$GITHUB_OUTPUT"

  dev_setup_build:
    runs-on: ${{ fromJSON(needs.set_vars.outputs.runner_type)}}
    name: Build and Push images
    needs: set_vars
    env:
      MODULES_MODULE_TAG: ${{needs.set_vars.outputs.modules_module_tag}}
      MODULE_EDITION: ${{needs.set_vars.outputs.module_edition}}
      CHECKOUT_TAG: ${{needs.set_vars.outputs.checkout_tag}}
      CHECKOUT_SHA: ${{needs.set_vars.outputs.checkout_sha}}
      WERF_VIRTUAL_MERGE: 0
    steps:
      - name: Setup Docker config
        run: |
          echo "DOCKER_CONFIG=$(mktemp -d)" >> $GITHUB_ENV

      - name: Print vars
        run: |
          echo MODULES_REGISTRY=$MODULES_REGISTRY
          echo CI_COMMIT_REF_NAME=$CI_COMMIT_REF_NAME
          echo MODULES_MODULE_NAME=$MODULES_MODULE_NAME
          echo MODULES_MODULE_SOURCE=$MODULES_MODULE_SOURCE
          echo MODULE_EDITION=$MODULE_EDITION
          echo MODULES_MODULE_TAG=$MODULES_MODULE_TAG
          echo DOCKER_CONFIG=$DOCKER_CONFIG
          echo CHECKOUT_TAG=$CHECKOUT_TAG
          echo CHECKOUT_SHA=$CHECKOUT_SHA
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{needs.set_vars.outputs.checkout_tag}}

      - name: Remove unwanted software
        if: ${{ !contains(needs.set_vars.outputs.runner_type, 'self-hosted') }}
        uses: ./.github/actions/remove-unwanted-software

      - uses: deckhouse/modules-actions/setup@v2
        with:
          registry: ${{ vars.DEV_REGISTRY }}
          registry_login: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
          registry_password: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

      - uses: deckhouse/modules-actions/build@v4
        with:
          module_source: ${{ vars.DEV_MODULE_SOURCE}}
          module_name: ${{ vars.MODULE_NAME }}
          module_tag: ${{needs.set_vars.outputs.modules_module_tag}}
          source_repo: ${{secrets.SOURCE_REPO_GIT}}
          svace_enabled: "true"
          svace_analyze_host: "${{ secrets.SVACE_ANALYZE_HOST }}"
          svace_analyze_ssh_user: "${{ secrets.SVACE_ANALYZE_SSH_USER }}"
          svace_analyze_ssh_key: "${{ secrets.SVACE_ANALYZE_SSH_PRIVATE_KEY }}"

      - name: Cleanup Docker config
        run: |
          rm -rf $DOCKER_CONFIG

  analyze_build:
    name: Analyze build
    runs-on: ${{ fromJSON(needs.set_vars.outputs.runner_type)}}
    needs:
      - set_vars
      - dev_setup_build
    steps:
      - uses: deckhouse/modules-actions/svace_analyze@v4
        id: analyze
        with:
          project_group: ${{ github.event.repository.name }}
          ci_commit_ref_name: ${{ needs.set_vars.outputs.checkout_tag }}
          ci_commit_hash: ${{ needs.set_vars.outputs.checkout_sha }}
          svace_analyze_host: "${{ secrets.SVACE_ANALYZE_HOST }}"
          svace_analyze_ssh_user: "${{ secrets.SVACE_ANALYZE_SSH_USER }}"
          svacer_url: "${{ secrets.SVACER_URL }}"
          svacer_import_user: "${{ secrets.SVACER_IMPORT_USER }}"
          svacer_import_password: "${{ secrets.SVACER_IMPORT_PASSWORD }}"
          svace_analyze_ssh_private_key: "${{ secrets.SVACE_ANALYZE_SSH_PRIVATE_KEY }}"

  notify:
    name: Notify Loop
    runs-on: ubuntu-latest
    env:
      CHECKOUT_TAG: ${{needs.set_vars.outputs.checkout_tag}}
    needs:
      - set_vars
      - dev_setup_build
      - analyze_build
    if: always()
    steps:
      - name: Send results to Loop
        run: |
          DATE=$(date '+%Y-%m-%d')
          if [ "${{ needs.analyze_build.result }}" == "success" ]; then
            STATUS=":white_check_mark: SUCCESS!"
          else
            STATUS=":x: FAIL!"
          fi
          MESSAGE="
          ### :gear: **DVP $DATE Weekly Svace Analyze Report**

          **Branch:** \`$CHECKOUT_TAG\`
          **Status: ${STATUS}**

          [:link: GitHub Actions Output]($GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID)
          "
          curl -XPOST -H 'Content-Type: application/json' -d "{\"text\": \"${MESSAGE}\"}" $LOOP_WEBHOOK_URL
        env:
          LOOP_WEBHOOK_URL: ${{ secrets.LOOP_WEBHOOK_URL }}