k3k/.github/workflows/build.yml

name: Build

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
    contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results

    steps:
    - name: Checkout code
      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

    - name: Set up Go
      uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
      with:
        go-version-file: go.mod
    
    - name: Set up QEMU
      uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3

    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
      with:
        distribution: goreleaser
        version: v2
        args: --clean --snapshot
      env:
        REPO: ${{ github.repository }}
        REGISTRY: ""

    - name: Run Trivy vulnerability scanner (k3kcli)
      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
      with:
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scan-type: 'fs'
        scan-ref: 'dist/k3kcli_linux_amd64_v1/k3kcli'
        format: 'sarif'
        output: 'trivy-results-k3kcli.sarif'

    - name: Upload Trivy scan results to GitHub Security tab (k3kcli)
      uses: github/codeql-action/upload-sarif@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3
      with:
        sarif_file: trivy-results-k3kcli.sarif
        category: k3kcli

    - name: Run Trivy vulnerability scanner (k3k)
      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
      with:
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scan-type: 'image'
        scan-ref: '${{ github.repository }}:v0.0.0-amd64'
        format: 'sarif'
        output: 'trivy-results-k3k.sarif'

    - name: Upload Trivy scan results to GitHub Security tab (k3k)
      uses: github/codeql-action/upload-sarif@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3
      with:
        sarif_file: trivy-results-k3k.sarif
        category: k3k

    - name: Run Trivy vulnerability scanner (k3k-kubelet)
      uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
      with:
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scan-type: 'image'
        scan-ref: '${{ github.repository }}-kubelet:v0.0.0-amd64'
        format: 'sarif'
        output: 'trivy-results-k3k-kubelet.sarif'

    - name: Upload Trivy scan results to GitHub Security tab (k3k-kubelet)
      uses: github/codeql-action/upload-sarif@38e701f46e33fb233075bf4238cb1e5d68e429e4 # v3
      with:
        sarif_file: trivy-results-k3k-kubelet.sarif
        category: k3k-kubelet