.github/workflows/ci.yaml

name: CI

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  essential-checks:
    runs-on: ubuntu-22.04
    steps:
      - name: Project Checkout
        uses: actions/checkout@v4.1.1

      - name: Run essential checks
        uses: dotanuki-labs/github-actions/essentials@main
        with:
          file-patterns: '*.sh,*.bats,*.kt,*.kts'
          license: 'mit'

  build:
    runs-on: ubuntu-22.04
    needs: essential-checks
    strategy:
      matrix:
        jdk: [ '11', '17', '21' ]

    steps:
      - name: Project Checkout
        uses: actions/checkout@v4.1.1

      - name: Setup JDK
        uses: actions/setup-java@v3.13.0
        with:
          distribution: 'zulu'
          java-version: ${{ matrix.jdk }}

      - name: Setup Gradle build
        uses: gradle/gradle-build-action@v2.9.0
        with:
          generate-job-summary: false
          gradle-home-cache-strict-match: false
          gradle-home-cache-cleanup: true
          dependency-graph: 'generate-and-submit'

      - name: Run Gradle build
        id: build
        run: ./gradlew build assembleExecutable --scan

      - name: Report Build Scan
        if: ${{ github.event_name == 'pull_request' }}
        run: ./scripts/build-scan-report.sh ${{ github.event.pull_request.number }} ${{ steps.build.outputs.build-scan-url }}
        env:
          GH_TOKEN: ${{ secrets.DOTANUKI_BOT_TOKEN }}

      - name: Run acceptance tests
        run: |
          npm install -g bats >/dev/null
          bats src/test/bash/acceptance.bats --print-output-on-failure

      - name: Archive executable
        uses: actions/upload-artifact@v3.1.3
        with:
          name: aaw-executable-jdk-${{ matrix.jdk }}
          path: build/bin

  e2e:
    runs-on: ubuntu-22.04
    needs: build
    steps:
      - name: Project Checkout
        uses: actions/checkout@v4.1.1

      - name: Setup JDK
        uses: actions/setup-java@v3.13.0
        with:
          distribution: 'zulu'
          java-version: '11'

      - name: Fetch executable from previous build
        uses: actions/download-artifact@v3.0.2

      - name: Add binary to the CLI path
        run: |
          chmod +x aaw-executable-jdk-11/aaw
          echo "$GITHUB_WORKSPACE/aaw-executable-jdk-11" >> "$GITHUB_PATH"

      - name: Run E2E tests
        run: |
          npm install -g bats
          bats src/test/bash/e2e.bats --print-output-on-failure

  secops:
    if: github.ref == 'refs/heads/main'
    permissions:
      security-events: read

    runs-on: ubuntu-22.04
    needs: build
    steps:
      - name: Project Checkout
        uses: actions/checkout@v4.1.1

      - name: Evaluate CVEs for the current Git sha
        run: ./scripts/secops.sh ${{ secrets.GITHUB_TOKEN }} ${{ github.sha }}

      - name: Archive SBOM
        uses: actions/upload-artifact@v3.1.3
        with:
          name: sbom
          path: aaw-sbom-${{ github.sha }}.json