feat(CI): Initial CI

Signed-off-by: Anurag Rajawat <[email protected]>
5GSEC · Sep 17, 2024 · 4861ce0 · 4861ce0
1 parent 0aa7351
commit 4861ce0
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 211 deletions.
diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml
diff --git a/.github/workflows/ci-test-py.yml b/.github/workflows/ci-test-py.yml
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -1,35 +1,91 @@
-name: pr-checks
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of SentryFlow
+
+name: PR checks
 
 on:
   pull_request:
-    branches: [main]
+    types: [ opened, reopened, synchronize, ready_for_review ]
+    paths-ignore:
+      - '**.md'
+      - '**.sh'
+      - 'docs/**'
+      - 'LICENSE'
+
+permissions: read-all
 
 jobs:
-  build:
+  license:
+    name: License
+    runs-on: ubuntu-20.04
+    permissions:
+      actions: write
+      contents: write
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check License Header
+        uses: apache/skywalking-eyes@3ea9df11bb3a5a85665377d1fd10c02edecf2c40
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  static-checks:
+    name: Static checks
     runs-on: ubuntu-latest
-
+    defaults:
+      run:
+        working-directory: ./sentryflow
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-
-    - name: Setup Docker Build
-      uses: docker/setup-buildx-action@v1
-
-    - name: Get tag
-      id: tag
-      run: |
-        if [ ${{ github.ref }} == "refs/heads/main" ]; then
-          echo "tag=latest" >> $GITHUB_OUTPUT
-        else
-          echo "tag=tmp" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Build SentryFlow Image
-      working-directory: ./sentryflow
-      run: |
-         make TAG=${{ steps.tag.outputs.tag }} build-image
-
-    - name: Build SentryFlow AI Engine Image
-      working-directory: ./ai-engine
-      run: |
-         make TAG=${{ steps.tag.outputs.tag }} build-image
+      - uses: actions/checkout@v4
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: go fmt
+        run: make fmt
+
+      - name: Lint
+        id: lint
+        run: make lint
+
+  go-sec:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    env:
+      GO111MODULE: on
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+
+  build-image:
+    name: Build SentryFlow image
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Build image
+        run: make image
+
+      - name: Scan image
+        uses: anchore/scan-action@v4
+        with:
+          image: 'docker.io/5gsec/sentryflow:latest'
+          severity-cutoff: critical
+          output-format: sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml