From fc1653add74bbc0039d8520e9781a949019c5713 Mon Sep 17 00:00:00 2001
From: Anurag Rajawat <anurag@accuknox.com>
Date: Thu, 19 Sep 2024 19:56:33 +0530
Subject: [PATCH] feat(CI): Initial CI

Signed-off-by: Anurag Rajawat <anurag@accuknox.com>
---
 .github/workflows/ci-test-go.yml |  56 -----------
 .github/workflows/ci-test-py.yml | 156 +++++++++++++++----------------
 .github/workflows/pr-checks.yaml |  91 ++++++++++++++++++
 .github/workflows/pr-checks.yml  |  35 -------
 .github/workflows/release.yml    |  49 ----------
 5 files changed, 169 insertions(+), 218 deletions(-)
 delete mode 100644 .github/workflows/ci-test-go.yml
 create mode 100644 .github/workflows/pr-checks.yaml
 delete mode 100644 .github/workflows/pr-checks.yml
 delete mode 100644 .github/workflows/release.yml

diff --git a/.github/workflows/ci-test-go.yml b/.github/workflows/ci-test-go.yml
deleted file mode 100644
index 2227246..0000000
--- a/.github/workflows/ci-test-go.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-name: ci-test-go
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  go-fmt-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "v1.21"
-
-      - name: Check go-fmt
-        run: make gofmt
-        working-directory: sentryflow
-
-  go-lint-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "v1.21"
-
-      - name: Check Golint 
-        run: make golint
-        working-directory: sentryflow
-
-  go-sec-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "v1.21"
-
-      - name: Run Gosec Security Scanner
-        run: make gosec
-        working-directory: sentryflow
-
-  license:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Check License Header
-        uses: apache/skywalking-eyes@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ci-test-py.yml b/.github/workflows/ci-test-py.yml
index 4d6ba59..5ab4ed9 100644
--- a/.github/workflows/ci-test-py.yml
+++ b/.github/workflows/ci-test-py.yml
@@ -1,78 +1,78 @@
-name: ci-test-py
-on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
-
-jobs:
-  py-pip-ai-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
-          cache: 'pip'
-
-      - name: check Python pip3 requirements
-        run: |
-          pip install -r requirements.txt
-        working-directory: ai-engine
-
-  py-ruff-ai-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
-          cache: 'pip'
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt
-        working-directory: ai-engine
-
-      - name: Create pyproject.toml
-        run: |
-          echo "[tool.ruff.lint.per-file-ignores]" > pyproject.toml
-          echo '"stringlifier/*" = ["E402", "F811", "F401"]' >> pyproject.toml
-        working-directory: ai-engine
-
-      - name: Lint with Ruff
-        run: |
-          pip install ruff
-          ruff --output-format=github .
-        working-directory: ai-engine
-
-  py-lint-ai-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
-        with:
-          python-version: '3.11'
-          cache: 'pip'
-
-      - name: Install dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install -r requirements.txt
-          pip install pylint
-        working-directory: ai-engine
-
-      - name: Lint with Pylint
-        run: |
-          pylint classifier.py
-        working-directory: ai-engine
-
-  py-pep8-ai-sentryflow:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: 'Run PEP8'
-        uses: quentinguidee/pep8-action@v1
-        with:
-          arguments: '--max-line-length=120 --exclude=*stringlifier/*,*protobuf/*'
+#name: ci-test-py
+#on:
+#  push:
+#    branches: [main]
+#  pull_request:
+#    branches: [main]
+#
+#jobs:
+#  py-pip-ai-sentryflow:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v3
+#      - uses: actions/setup-python@v4
+#        with:
+#          python-version: '3.11'
+#          cache: 'pip'
+#
+#      - name: check Python pip3 requirements
+#        run: |
+#          pip install -r requirements.txt
+#        working-directory: ai-engine
+#
+#  py-ruff-ai-sentryflow:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v3
+#      - uses: actions/setup-python@v4
+#        with:
+#          python-version: '3.11'
+#          cache: 'pip'
+#
+#      - name: Install dependencies
+#        run: |
+#          python -m pip install --upgrade pip
+#          pip install -r requirements.txt
+#        working-directory: ai-engine
+#
+#      - name: Create pyproject.toml
+#        run: |
+#          echo "[tool.ruff.lint.per-file-ignores]" > pyproject.toml
+#          echo '"stringlifier/*" = ["E402", "F811", "F401"]' >> pyproject.toml
+#        working-directory: ai-engine
+#
+#      - name: Lint with Ruff
+#        run: |
+#          pip install ruff
+#          ruff --output-format=github .
+#        working-directory: ai-engine
+#
+#  py-lint-ai-sentryflow:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v3
+#      - uses: actions/setup-python@v4
+#        with:
+#          python-version: '3.11'
+#          cache: 'pip'
+#
+#      - name: Install dependencies
+#        run: |
+#          python -m pip install --upgrade pip
+#          pip install -r requirements.txt
+#          pip install pylint
+#        working-directory: ai-engine
+#
+#      - name: Lint with Pylint
+#        run: |
+#          pylint classifier.py
+#        working-directory: ai-engine
+#
+#  py-pep8-ai-sentryflow:
+#    runs-on: ubuntu-latest
+#    steps:
+#      - uses: actions/checkout@v3
+#      - name: 'Run PEP8'
+#        uses: quentinguidee/pep8-action@v1
+#        with:
+#          arguments: '--max-line-length=120 --exclude=*stringlifier/*,*protobuf/*'
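Review bot: Commenting out every line of ci-test-py.yml leaves a file under .github/workflows whose YAML parses to no content; depending on how GitHub treats a workflow with no `on:` or `jobs:` it may surface as an invalid workflow in the Actions tab, and either way it is dead text that git history already preserves. The commit deletes ci-test-go.yml, pr-checks.yml and release.yml outright, so deleting this file too would be consistent; if the intent is to disable it temporarily, a single line such as `# Disabled: ai-engine checks pending CI rework` says more than 78 commented lines. Note that after this change no workflow exercises ai-engine at all (pip requirements, ruff, pylint, pep8 are all gone), since the new pr-checks.yaml only targets ./sentryflow; that loss of coverage is worth stating in the commit message.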
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml
new file mode 100644
index 0000000..e174c04
--- /dev/null
+++ b/.github/workflows/pr-checks.yaml
@@ -0,0 +1,91 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of SentryFlow
+
+name: PR checks
+
+on:
+  pull_request:
+    types: [ opened, reopened, synchronize, ready_for_review ]
+    paths-ignore:
+      - '**.md'
+      - 'docs/**'
+      - 'LICENSE'
+
+permissions: read-all
+
+jobs:
+  license:
+    name: License
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check License Header
+        uses: apache/skywalking-eyes@v0.6.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  static-checks:
+    name: Static checks
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.22'
+
+      - name: go fmt
+        run: make fmt
+
+      - name: Lint
+        uses: golangci/golangci-lint-action@v6
+        with:
+          working-directory: ./sentryflow
+          version: v1.60.3
+          args: --timeout=10m --out-format=line-number
+          skip-cache: true # https://github.com/golangci/golangci-lint-action/issues/244#issuecomment-1052197778
+
+  go-sec:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    permissions:
+      security-events: write
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+
+  build-sentryflow-image:
+    name: Build SentryFlow container image
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    defaults:
+      run:
+        working-directory: ./sentryflow
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@v4
+
+      - name: Build image
+        run: make image
+
+      - name: Scan image
+        uses: anchore/scan-action@v4
+        with:
+          image: "docker.io/5gsec/sentryflow:latest"
+          severity-cutoff: critical
+          output-format: sarif
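Review bot: The `uses: securego/gosec@master` line in the go-sec job pulls an unpinned, mutable ref, so whatever is on that branch at run time executes inside a job that additionally holds `security-events: write`; every other action in this file is pinned to a tag, and the deleted ci-test-go.yml pinned skywalking-eyes to a full commit SHA, so this is a step back from the repository's own practice. Pin it, e.g. `uses: securego/gosec@<release tag or full commit SHA>`. Separately, `defaults.run.working-directory` applies only to `run:` steps, so this `uses:` step appears to scan from the repository root rather than ./sentryflow; the Lint step passes `working-directory: ./sentryflow` explicitly for the same reason, and gosec would need its `args` input pointed at the module (confirm against the action's documented behaviour). The `security-events: write` grant is also unused as written, since no step here uploads SARIF, so it can be dropped until an upload step is added.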
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
deleted file mode 100644
index 99e3146..0000000
--- a/.github/workflows/pr-checks.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: pr-checks
-
-on:
-  pull_request:
-    branches: [main]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-      
-    - name: Setup Docker Build
-      uses: docker/setup-buildx-action@v1
-
-    - name: Get tag
-      id: tag
-      run: |
-        if [ ${{ github.ref }} == "refs/heads/main" ]; then
-          echo "tag=latest" >> $GITHUB_OUTPUT
-        else
-          echo "tag=tmp" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Build SentryFlow Image
-      working-directory: ./sentryflow
-      run: |
-         make TAG=${{ steps.tag.outputs.tag }} build-image
-
-    - name: Build SentryFlow AI Engine Image
-      working-directory: ./ai-engine
-      run: |
-         make TAG=${{ steps.tag.outputs.tag }} build-image
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 904b408..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: release
-
-on:
-  push:
-    branches: [main]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
-      
-    - name: Setup Docker Build
-      uses: docker/setup-buildx-action@v1
-
-    # - name: Login to DockerHub
-    #   uses: docker/login-action@v1
-    #   with:
-    #     username: ${{ secrets.DOCKERHUB_USERNAME }}
-    #     password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-    - name: Get tag
-      id: tag
-      run: |
-        if [ ${{ github.ref }} == "refs/heads/main" ]; then
-          echo "tag=latest" >> $GITHUB_OUTPUT
-        else
-          echo "tag=tmp" >> $GITHUB_OUTPUT
-        fi
-
-    - name: Build SentryFlow Image
-      working-directory: ./sentryflow
-      run: |
-         make TAG=${{ steps.tag.outputs.tag }} build-image
-
-    # - name: Push SentryFlow Image
-    #   run: |
-    #      docker push 5gsec/sentryflow:${{ steps.tag.outputs.tag }}
-
-    - name: Build SentryFlow AI Engine Image
-      working-directory: ./ai-engine
-      run: |
-         make TAG=${{ steps.tag.outputs.tag }} build-image
-
-    # - name: Push SentryFlow AI Engine Image
-    #   run: |
-    #      docker push 5gsec/sentryflow-ai-engine:${{ steps.tag.outputs.tag }}