.github/workflows/sub_test.yml

name: Sub - test image

on:
  workflow_call:
    secrets:
      KOSLI_API_TOKEN:
        required: true
      SNYK_TOKEN:
        required: true
    inputs:
      KOSLI_HOST:
        default: https://app.kosli.com
        required: false
        type: string
      IMAGE_TAG:
        required: true
        type: string

env: 
  KOSLI_DRY_RUN: ${{ vars.KOSLI_DRY_RUN }}
  KOSLI_HOST: ${{ inputs.KOSLI_HOST }}
  KOSLI_ORG: ${{ vars.KOSLI_ORG }}
  KOSLI_FLOW: ${{ vars.KOSLI_FLOW }}
  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

jobs:

  branch-coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Run tests, save results to evidence.json file, report to Kosli flow
        run: |
          source ./sh/run_tests_with_coverage.sh
          if run_tests_with_coverage; then KOSLI_COMPLIANT=true; else KOSLI_COMPLIANT=false; fi
          kosli report evidence artifact generic cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }} \
              --artifact-type=docker \
              --compliant=${KOSLI_COMPLIANT} \
              --description="server & client branch-coverage reports" \
              --name=branch-coverage \
              --user-data=./test/reports/evidence.json

  snyk-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Setup Snyk
        uses: snyk/actions/setup@master

      - name: Run Snyk to check Docker image for vulnerabilities
        continue-on-error: true
        run:
           snyk container test cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }} 
            --file=Dockerfile 
            --json-file-output=snyk.json 
            --policy-path=.snyk

      - name: Report Snyk results to Kosli flow
        run: |
          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }}
          docker pull ${IMAGE_NAME}
          kosli report evidence artifact snyk ${IMAGE_NAME} \
            --artifact-type=docker  \
            --name=snyk-scan  \
            --scan-results=snyk.json

  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.2.0
          bundler-cache: true

      - name: Run Rubocop linter on source, report results to Kosli flow
        run: |
          repo_root() { git rev-parse --show-toplevel; }
          export LINT_EVIDENCE_DIR=/tmp/evidence/lint
          mkdir -p "${LINT_EVIDENCE_DIR}"
          cp "$(repo_root)/.rubocop.yml" "${LINT_EVIDENCE_DIR}"/.rubocop.yml
          gem install rubocop
          if [ rubocop "$(repo_root)" | tee "${LINT_EVIDENCE_DIR}"/rubocop.log ]; then
            export KOSLI_LINT_COMPLIANT=true
          else
            export KOSLI_LINT_COMPLIANT=false
          fi

          kosli report evidence commit generic \
            --compliant="${KOSLI_LINT_COMPLIANT}" \
            --evidence-paths="${LINT_EVIDENCE_DIR}" \
            --name=lint

  pull-request:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      pull-requests: read
    steps:
      - uses: actions/checkout@v4

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ vars.KOSLI_CLI_VERSION }}

      - name: Report pull-request evidence to Kosli
        run: |
          IMAGE_NAME=cyberdojo/${{ env.KOSLI_FLOW }}:${{ inputs.IMAGE_TAG }}          
          docker pull ${IMAGE_NAME}
          kosli report evidence artifact pullrequest github ${IMAGE_NAME} \
            --artifact-type=docker \
            --github-token ${{ secrets.GITHUB_TOKEN }} \
            --name=pull-request