.github/workflows/ci.yml

name: Docker

on:
  push:
    branches:
    - '**'
    tags:
    - v[0-9]+.[0-9]+.[0-9]+**
  pull_request:
    branches:
    - master

jobs:

  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: 17

      - name: Cache Local Maven Repo
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: tests-maven-${{ hashFiles('pom.xml') }}

      - uses: s4u/maven-settings-action@v3.0.0
        with:
          servers: |
            [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
          queries: security-and-quality

      - name: Run Tests
        run: mvn -Pdownload-ontology -B verify

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

      - name: Upload Feasibility Backend Jar
        uses: actions/upload-artifact@v4
        with:
          name: backend-jar
          path: target/feasibilityBackend.jar

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build and Export to Docker
        uses: docker/build-push-action@v5
        with:
          context: .
          tags: backend:latest
          outputs: type=docker,dest=/tmp/feasibilityBackend.tar

      - name: Upload Feasibility Backend Image
        uses: actions/upload-artifact@v4
        with:
          name: backend-image
          path: /tmp/feasibilityBackend.tar

  security-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        distribution: 'zulu'
        java-version: 17

    - name: Cache Local Maven Repo
      uses: actions/cache@v4
      with:
        path: ~/.m2/repository
        key: security-scan-maven-${{ hashFiles('pom.xml') }}

    - uses: s4u/maven-settings-action@v3.0.0
      with:
        servers: |
          [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

    - name: Maven Package
      run: mvn -Pdownload-ontology -B -DskipTests package

    - name: Build and push Docker image
      uses: docker/build-push-action@v5
      with:
        context: .
        tags: security-scan-build:latest
        push: false

    - name: Run Trivy Vulnerability Scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: security-scan-build:latest
        format: sarif
        output: trivy-results.sarif
        severity: 'CRITICAL,HIGH'
        timeout: '15m0s'

    - name: Upload Trivy Scan Results to GitHub Security Tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif

  integration-test:
    needs: tests
    runs-on: ubuntu-22.04

    steps:
      - name: Check out Git repository
        uses: actions/checkout@v4

      - name: Download Feasibility Backend Image
        uses: actions/download-artifact@v4
        with:
          name: backend-image
          path: /tmp

      - name: Install jq
        uses: dcarbone/install-jq-action@v1.0.1

      - name: Load Feasibility Backend Image
        run: docker load --input /tmp/feasibilityBackend.tar

      - name: Download ontology files from github
        run: .github/scripts/download-and-unpack-ontology.sh

      - name: Run Feasibility Backend with Database, Keycloak and Blaze
        run: docker-compose -f .github/integration-test/docker-compose.yml up -d

      - name: Wait for Feasibility Backend
        run: .github/scripts/wait-for-url.sh  http://localhost:8091/actuator/health

      - name: Check if Feasibility Backend is correctly running with the feasibility user
        run: .github/scripts/check-if-running-as-feasibility-user.sh

      - name: Wait for Blaze
        run: .github/scripts/wait-for-url.sh  http://localhost:8082/health

      - name: Load Data
        run: .github/scripts/load-test-data.sh

      - name: Wait for Keycloak
        run: .github/scripts/wait-for-url.sh  http://localhost:8083/auth/

      - name: Create Test User in Keycloak
        run: .github/scripts/create-keycloak-user.sh

      - name: Wait for Flare
        run: .github/scripts/wait-for-url.sh  http://localhost:8092/cache/stats

      - name: Post Test Query
        run: .github/scripts/post-test-query.sh

      - name: Dump docker logs on failure
        if: failure()
        uses: jwalton/gh-docker-logs@v2

  release:
    if: ${{ startsWith(github.ref, 'refs/tags/v') }}
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4

    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        distribution: 'temurin'
        java-version: 17

    - name: Cache Local Maven Repo
      uses: actions/cache@v4
      with:
        path: ~/.m2/repository
        key: release-maven-${{ hashFiles('pom.xml') }}

    - uses: s4u/maven-settings-action@v3.0.0
      with:
        servers: |
          [{"id": "mii", "username": "${{ github.actor }}", "password": "${{ secrets.GITHUB_TOKEN }}"}]

    - name: Prepare Version
      id: prep
      run: |
        echo ::set-output name=repository::$(echo $GITHUB_REPOSITORY | tr '[:upper:]' '[:lower:]')
        echo ::set-output name=version::${GITHUB_REF#refs/tags/v}

    - name: Maven Package
      run: mvn -Pdownload-ontology -B -DskipTests package

    - name: Login to GitHub Docker Registry
      uses: docker/login-action@v1
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v1

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Build and push Docker image
      uses: docker/build-push-action@v5
      with:
        context: .
        platforms: linux/amd64,linux/arm64
        tags: |
          ghcr.io/${{ steps.prep.outputs.repository }}:latest
          ghcr.io/${{ steps.prep.outputs.repository }}:${{ steps.prep.outputs.version }}
        push: true