.github/workflows/ci.yml

name: Opaque
on:
  pull_request:
    branches:
      - main

permissions:
  contents: read

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@18f6947f131da60743dc12d2a22ff28c2b4ea87f
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            raw.githubusercontent.com:443

      - name: Checkout repo
        uses: actions/checkout@009b9ae9e446ad8d9b8c809870b0fbcc5e03573e
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@3d10edb4c2d9ac9923e94a5ec73fa063078e9234
        with:
          go-version-file: ./go.mod

      # Linting
      - name: Linting
        uses: golangci/golangci-lint-action@a0297a137827338a46f13803e445426219bb07be
        with:
          version: latest
          args: --config=./.github/.golangci.yml ./...
          only-new-issues: true

  test:
    name: Test
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        go: [ '1.22', '1.21' ]
    steps:
      - uses: step-security/harden-runner@18f6947f131da60743dc12d2a22ff28c2b4ea87f
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            sum.golang.org:443

      - name: Checkout repo
        uses: actions/checkout@009b9ae9e446ad8d9b8c809870b0fbcc5e03573e
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@3d10edb4c2d9ac9923e94a5ec73fa063078e9234
        with:
          go-version: ${{ matrix.go }}

      # Test
      - name: Run Tests
        run: cd .github && make test

  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@18f6947f131da60743dc12d2a22ff28c2b4ea87f
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.codecov.io:443
            api.github.com:443
            cli.codecov.io:443
            ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
            github.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            scanner.sonarcloud.io:443
            sonarcloud.io:443
            storage.googleapis.com:443

      - name: Checkout repo
        uses: actions/checkout@009b9ae9e446ad8d9b8c809870b0fbcc5e03573e
        with:
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@3d10edb4c2d9ac9923e94a5ec73fa063078e9234
        with:
          go-version-file: ./go.mod

      # Coverage
      - name: Run coverage
        run: cd .github && make cover

      # Codecov
      - name: Codecov
        uses: codecov/codecov-action@54a0566d1caf986dcc042eb71da69c0e69d26987
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
          file: .github/coverage.out

      # Sonar
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@02ef91109b2d589e757aefcfb2854c2783fd7b19
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        with:
          args: >
            -Dsonar.organization=bytemare-github
            -Dsonar.projectKey=bytemare_opaque
            -Dsonar.go.coverage.reportPaths=.github/coverage.out
            -Dsonar.sources=.
            -Dsonar.exclusions=examples_test.go
            -Dsonar.test.exclusions=examples_test.go,tests/**
            -Dsonar.coverage.exclusions=examples_test.go,tests/**
            -Dsonar.tests=tests/
            -Dsonar.verbose=true