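---
# CI build: compiles the project with GoReleaser in snapshot mode, then scans
# the CLI binary and the two container images with Trivy and publishes the
# findings to the repository's Security tab. Nothing is released or pushed.
name: Build

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

# Workflow-wide token scope is read-only; jobs widen it explicitly.
permissions:
  contents: read

env:
  # GoReleaser is downloaded from its GitHub release and verified against this
  # pinned SHA-256 before it is installed. Bump both values together.
  GORELEASER_VERSION: v2.15.2
  GORELEASER_CHECKSUM_x86_64: 0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # No later step pushes or needs authenticated git, so do not leave the
          # GITHUB_TOKEN in .git/config where the build and scan steps could
          # read it. Re-enable if a step ever needs credentialed git access.
          persist-credentials: false

      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: go.mod

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4

      - name: Setup goreleaser
        env:
          FILENAME: goreleaser.tar.gz
        # Workflow/step env values are read as shell variables instead of being
        # interpolated with ${{ }}, so the script body contains no expression
        # expansion at all.
        run: |-
          set -euo pipefail
          curl -sSfL -o "$FILENAME" \
            "https://github.com/goreleaser/goreleaser/releases/download/${GORELEASER_VERSION}/goreleaser_Linux_x86_64.tar.gz"
          # Abort unless the download matches the pinned digest. Two spaces
          # between digest and file name is the canonical sha256sum line format.
          echo "${GORELEASER_CHECKSUM_x86_64}  ${FILENAME}" | sha256sum --check
          # Extract only the goreleaser member, nothing else from the archive.
          tar -xvzf "$FILENAME" goreleaser
          sudo install -m 755 goreleaser /usr/local/bin/goreleaser
          rm -f "$FILENAME" goreleaser

      - name: Run GoReleaser
        # Without an id the outputs written below cannot be referenced; expose
        # them as steps.goreleaser.outputs.metadata / .artifacts.
        id: goreleaser
        env:
          REPO: ${{ github.repository }}
          REGISTRY: ""
        run: |-
          set -euo pipefail
          goreleaser --clean --snapshot
          # Both files are produced by goreleaser; a missing or empty one is a
          # failed build, not an empty output.
          for required in dist/metadata.json dist/artifacts.json; do
            if [[ ! -s "$required" ]]; then
              echo "Missing required file: $required"
              exit 1
            fi
          done
          # GITHUB_OUTPUT takes one key=value per line; strip CR/LF so the JSON
          # cannot spill into (or inject) additional output lines.
          echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
          echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"

      # Trivy is report-only here: no `exit-code` is set, so findings are
      # uploaded to the Security tab but never fail the build. `ignore-unfixed`
      # drops vulnerabilities with no upstream fix, which keeps noise down but
      # also hides them from the report.
      # The scan paths/tags below assume the project's goreleaser config
      # (dist/k3kcli_linux_amd64_v1, images tagged v0.0.0-amd64) — confirm
      # against .goreleaser.yaml if either changes.
      # NOTE(review): on pull_request runs from a fork GITHUB_TOKEN is read-only,
      # so the upload-sarif steps are expected to fail there — confirm, and gate
      # them on the head repo if that is not acceptable.
      - name: Run Trivy vulnerability scanner (k3kcli)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          ignore-unfixed: true
          severity: 'MEDIUM,HIGH,CRITICAL'
          scan-type: 'fs'
          scan-ref: 'dist/k3kcli_linux_amd64_v1/k3kcli'
          format: 'sarif'
          output: 'trivy-results-k3kcli.sarif'

      - name: Upload Trivy scan results to GitHub Security tab (k3kcli)
        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
        with:
          sarif_file: trivy-results-k3kcli.sarif
          category: k3kcli

      - name: Run Trivy vulnerability scanner (k3k)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          ignore-unfixed: true
          severity: 'MEDIUM,HIGH,CRITICAL'
          scan-type: 'image'
          scan-ref: '${{ github.repository }}:v0.0.0-amd64'
          format: 'sarif'
          output: 'trivy-results-k3k.sarif'

      - name: Upload Trivy scan results to GitHub Security tab (k3k)
        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
        with:
          sarif_file: trivy-results-k3k.sarif
          category: k3k

      - name: Run Trivy vulnerability scanner (k3k-kubelet)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          ignore-unfixed: true
          severity: 'MEDIUM,HIGH,CRITICAL'
          scan-type: 'image'
          scan-ref: '${{ github.repository }}-kubelet:v0.0.0-amd64'
          format: 'sarif'
          output: 'trivy-results-k3k-kubelet.sarif'

      - name: Upload Trivy scan results to GitHub Security tab (k3k-kubelet)
        uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
        with:
          sarif_file: trivy-results-k3k-kubelet.sarif
          category: k3k-kubelet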