k3k/.github/workflows/build.yml

name: Build

on:
  push:
    branches: [main]
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
    contents: read

jobs:
  build:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results

    steps:
    - name: Checkout code
      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

    - name: Set up Go
      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
      with:
        go-version-file: go.mod
    
    - name: Set up QEMU
      uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4

    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
      with:
        distribution: goreleaser
        version: v2
        args: --clean --snapshot
      env:
        REPO: ${{ github.repository }}
        REGISTRY: ""

    - name: Run Trivy vulnerability scanner (k3kcli)
      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      with:
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scan-type: 'fs'
        scan-ref: 'dist/k3kcli_linux_amd64_v1/k3kcli'
        format: 'sarif'
        output: 'trivy-results-k3kcli.sarif'

    - name: Upload Trivy scan results to GitHub Security tab (k3kcli)
      uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
      with:
        sarif_file: trivy-results-k3kcli.sarif
        category: k3kcli

    - name: Run Trivy vulnerability scanner (k3k)
      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      with:
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scan-type: 'image'
        scan-ref: '${{ github.repository }}:v0.0.0-amd64'
        format: 'sarif'
        output: 'trivy-results-k3k.sarif'

    - name: Upload Trivy scan results to GitHub Security tab (k3k)
      uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
      with:
        sarif_file: trivy-results-k3k.sarif
        category: k3k

    - name: Run Trivy vulnerability scanner (k3k-kubelet)
      uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      with:
        ignore-unfixed: true
        severity: 'MEDIUM,HIGH,CRITICAL'
        scan-type: 'image'
        scan-ref: '${{ github.repository }}-kubelet:v0.0.0-amd64'
        format: 'sarif'
        output: 'trivy-results-k3k-kubelet.sarif'

    - name: Upload Trivy scan results to GitHub Security tab (k3k-kubelet)
      uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
      with:
        sarif_file: trivy-results-k3k-kubelet.sarif
        category: k3k-kubelet