From edcfd96e50a3ea241d85312ef64865d5edd4be06 Mon Sep 17 00:00:00 2001
From: Anurag Rajawat
Date: Wed, 18 Sep 2024 01:15:20 +0530
Subject: [PATCH] feat(CI): Initial CI

Signed-off-by: Anurag Rajawat
---
 .github/workflows/pr-checks.yml | 111 ++++++++++++++++++++++++--------
 1 file changed, 83 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 99e3146..3b27ac0 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -1,35 +1,90 @@
-name: pr-checks
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of SentryFlow
+
+name: PR checks
 on:
 pull_request:
- branches: [main]
+ types: [ opened, reopened, synchronize, ready_for_review ]
+ paths-ignore:
+ - '**.md'
+ - '**.sh'
+ - 'docs/**'
+ - 'LICENSE'
+
+permissions: read-all
 jobs:
- build:
+ license:
+ name: License
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Check License Header
+ uses: apache/skywalking-eyes@3ea9df11bb3a5a85665377d1fd10c02edecf2c40
+ working-directory: sentryflow
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ static-checks:
+ name: Static checks
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Setup go
+ uses: actions/setup-go@v5
+ with:
+ go-version: '1.23'
+
+ - name: go fmt
+ working-directory: sentryflow
+ run: make fmt
+
+ - name: Lint
+ id: lint
+ working-directory: sentryflow
+ run: make lint
+
+ go-sec:
 runs-on: ubuntu-latest
-
+ permissions:
+ security-events: write
+ env:
+ GO111MODULE: on
 steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- - name: Setup Docker Build
- uses: docker/setup-buildx-action@v1
-
- - name: Get tag
- id: tag
- run: |
- if [ ${{ github.ref }} == "refs/heads/main" ]; then
- echo "tag=latest" >> $GITHUB_OUTPUT
- else
- echo "tag=tmp" >> $GITHUB_OUTPUT
- fi
-
- - name: Build SentryFlow Image
- working-directory: ./sentryflow
- run: |
- make TAG=${{ steps.tag.outputs.tag }} build-image
-
- - name: Build SentryFlow AI Engine Image
- working-directory: ./ai-engine
- run: |
- make TAG=${{ steps.tag.outputs.tag }} build-image
+ - name: Checkout Source
+ uses: actions/checkout@v4
+
+ - name: Run Gosec Security Scanner
+ uses: securego/gosec@master
+ working-directory: sentryflow
+ with:
+ # we let the report trigger content trigger a failure using the GitHub Security features.
+ args: '-no-fail -fmt sarif -out results.sarif ./...'
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+
+ build-image:
+ name: Build SentryFlow image
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v4
+
+ - name: Build image
+ working-directory: sentryflow
+ run: make image
+
+ - name: Scan image
+ uses: anchore/scan-action@v4
+ working-directory: sentryflow
+ with:
+ image: 'docker.io/5gsec/sentryflow:latest'
+ severity-cutoff: critical
+ output-format: sarif
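Review bot: `uses: securego/gosec@master` in the go-sec job is the only action reference in the new workflow that tracks a mutable branch, and it runs in the one job granted `security-events: write`; pin it to a release tag or commit SHA the way `apache/skywalking-eyes@3ea9df11…` already is, e.g. `uses: securego/gosec@<release-tag-or-commit-sha>`. Separately, `working-directory:` is documented for `run:` steps, so on the skywalking-eyes, gosec and anchore/scan-action `uses:` steps it likely has no effect and gosec's `./...` would be scanned from the repository root rather than `sentryflow/` — worth confirming in a run log and, if so, passing the path via `args` instead. The SARIF written by `anchore/scan-action` in build-image is never uploaded (no `upload-sarif` step follows it), so unlike the gosec results its findings never reach code scanning; either add an upload step or drop `output-format: sarif`. Note also that `upload-sarif` needs the write permission, which `GITHUB_TOKEN` does not get on pull requests from forks, so that step can be expected to fail for external contributors.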