ddns-updater/.github/workflows/quality-checks.yml

name: Code check
on:
  push:
    tags:
      - v*
    branches:
      - master
      - main
  pull_request:
jobs:
  docker-lint:
    name: Dockerfile lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
  golangci:
    name: Static code check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-go@v4
        with:
          go-version: '1.21'
          cache: false
      - uses: actions/checkout@v3
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
          version: latest

  dep-vulnerability:
    name: Dependency vulnerability scanner
    needs: [docker-lint, golangci, tests]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Prepare go environment
        uses: actions/setup-go@v4
        with:
          go-version: '1.21'
          cache: false
      - name: Install dep scanner
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
      - name: Vendoring
        run: | 
          go mod vendor
      - name: Check
        run: |
          govulncheck ./...
  tests:
    name: Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Prepare go environment
        uses: actions/setup-go@v4
        with:
          go-version: '1.21'
          cache: false
      - name: Run tests
        run: go test --cover -coverprofile coverage.out -covermode count -v ./...
      - name: Coverage check
        env:
          TESTCOVERAGE_THRESHOLD: 0
        run: |
          echo "Checking test coverage is above threshold ..."
          echo "Threshold             : $TESTCOVERAGE_THRESHOLD %"
          totalCoverage=`go tool cover -func=coverage.out | grep total | grep -Eo '[0-9]+\.[0-9]+'`
          echo "Current test coverage : $totalCoverage %"
          if (( $(echo "$totalCoverage $TESTCOVERAGE_THRESHOLD" | awk '{print ($1 > $2)}') )); then
              echo "OK"
          else
              echo "Current test coverage is below threshold. Please add more unit tests or adjust threshold to a lower value."
              echo "Failed"
              exit 1
          fi
  build:
    name: Image vulnerability scanner
    needs: [docker-lint, golangci, tests]
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Build an image from Dockerfile
        run: |
          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'