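# CI for the MicroK8s snap: one job builds the snap and publishes it as an
# artifact; the test jobs consume that artifact (via ./.github/actions/test-prep)
# and the security-scan job runs Trivy over the repository, the images listed
# in build-scripts/images.txt, and the unpacked snap root filesystem.
name: Build and test MicroK8s snap

# `pull_request` (not `pull_request_target`) is used deliberately: PRs from
# forks run with a read-only GITHUB_TOKEN and without repository secrets.
on:
  pull_request:
    branches:
      - master

# Least privilege for the default token. Only the security-scan job needs
# more (upload-sarif requires security-events: write) and declares it itself.
permissions:
  contents: read

jobs:
  build:
    name: Create snap package
    runs-on: ubuntu-latest
    steps:
      - name: Checking out repo
        # NOTE(review): actions are referenced by mutable tags throughout this
        # file; pinning to a full commit SHA is the recommended supply-chain
        # hardening. SHAs are not on this page, so the tags are kept as-is.
        uses: actions/checkout@v4

      - name: Install lxd
        run: |
          sudo lxd init --auto
          sudo usermod --append --groups lxd "$USER"
          # `newgrp` does not work in GitHub Actions; use `sudo --user` instead
          # See https://github.com/actions/runner-images/issues/9932#issuecomment-2573170305
          sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- lxc version

      # Docker sets iptables rules that interfere with LXD or K8s.
      # https://documentation.ubuntu.com/lxd/en/latest/howto/network_bridge_firewalld/#prevent-connectivity-issues-with-lxd-and-docker
      # The rule accepts all traffic in DOCKER-USER; this is acceptable on an
      # ephemeral CI runner but should not be copied to long-lived hosts.
      - name: Apply Docker iptables workaround
        shell: bash
        run: sudo iptables -I DOCKER-USER -j ACCEPT

      - name: Install snapcraft
        run: |
          sudo snap install snapcraft --classic

      # Step name now matches the channel actually used by the command.
      - name: Refresh snapd from latest/stable
        run: |
          # TODO(neoaggelos): revert this after latest/beta is working again
          sudo snap refresh snapd --channel=latest/stable

      - name: Build snap
        run: |
          sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- snapcraft --use-lxd
          sudo mv microk8s*.snap microk8s.snap

      - name: Uploading snap
        uses: actions/upload-artifact@v4
        with:
          name: microk8s.snap
          path: microk8s.snap

  test-upgrade:
    name: Upgrade path test
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      # Presumably fetches the microk8s.snap artifact into ./build — the
      # composite action itself is not on this page; verify against its source.
      - name: Prepare test prerequisites
        uses: ./.github/actions/test-prep

      - name: Running upgrade path test
        run: |
          sudo -E UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py

  test-addons-core:
    name: Test core addons
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    env:
      # Avoid truncated "ps" output (env values are strings; quoted to keep
      # the YAML loader from retyping it)
      COLUMNS: "2048"
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      - name: Prepare test prerequisites
        uses: ./.github/actions/test-prep

      - name: Running addons tests
        env:
          # Label-driven switch: full suite only when the PR carries
          # 'run-all-tests'. Evaluated in `env:` rather than inline in `run:`,
          # so the expression never reaches the shell unescaped.
          UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
        run: |
          set -x
          # --dangerous is required for a locally built, unsigned snap.
          sudo snap install build/microk8s.snap --classic --dangerous
          ./tests/smoke-test.sh
          export SKIP_PROMETHEUS="False"
          sudo -E bash -c "cd /var/snap/microk8s/common/addons/core/tests; pytest -s -ra test-addons.py"

  test-addons-community:
    name: Test community addons
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 60
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      - name: Prepare test prerequisites
        uses: ./.github/actions/test-prep

      - name: Running addons tests
        env:
          UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
        run: |
          set -x
          sudo snap install build/microk8s.snap --classic --dangerous
          sudo microk8s enable community
          sudo -E bash -c "cd /var/snap/microk8s/common/addons/community/; pytest -s -ra ./tests/"

  test-addons-core-upgrade:
    name: Test core addons upgrade
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      - name: Prepare test prerequisites
        uses: ./.github/actions/test-prep

      - name: Running upgrade tests
        env:
          UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
        run: |
          set -x
          sudo -E bash -c "UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py"

  test-cluster-agent:
    name: Cluster agent health check
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      - name: Prepare test prerequisites
        uses: ./.github/actions/test-prep

      - name: Running cluster agent health check
        run: |
          set -x
          sudo snap install build/microk8s.snap --classic --dangerous
          sudo -E bash -c "pytest -s ./tests/test-cluster-agent.py"

  test-airgap:
    name: Test airgap installation
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      - name: Prepare test prerequisites
        uses: ./.github/actions/test-prep

      - name: Initialize LXD
        run: |
          sudo lxd init --auto
          sudo lxc network set lxdbr0 ipv6.address=none
          sudo usermod --append --groups lxd "$USER"
          # `newgrp` does not work in GitHub Actions; use `sudo --user` instead
          # See https://github.com/actions/runner-images/issues/9932#issuecomment-2573170305
          sudo --user "$USER" --preserve-env --preserve-env=PATH -- env -- lxc version

      - name: Run airgap tests
        run: |
          sudo -E bash -x -c "./tests/libs/airgap.sh --distro ubuntu:22.04 --channel $PWD/build/microk8s.snap"

  security-scan:
    name: Security scan
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    # upload-sarif writes to the code-scanning API; nothing else in this job
    # needs more than read access.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checking out repo
        uses: actions/checkout@v4

      - name: Fetch snap
        uses: actions/download-artifact@v4
        with:
          name: microk8s.snap
          path: build

      - name: Create sarifs directory
        run: |
          mkdir -p sarifs

      - name: Install Trivy vulnerability scanner
        # NOTE(review): this ref was rendered as "[email protected]" by the
        # page's e-mail obfuscation; restore the real "<action>@<tag>" from the
        # repository (and prefer a full commit SHA). Kept verbatim here.
        uses: aquasecurity/[email protected]

      # Only the repository scan is filtered to CRITICAL; the image and snap
      # scans below report every severity. None of the three scans sets
      # --exit-code, so findings are reported to the Security tab but do not
      # fail the job.
      - name: Run Trivy vulnerability scanner on codebase
        run: |
          trivy fs . --format sarif --severity CRITICAL > sarifs/trivy-microk8s-repo-scan--results.sarif

      - name: Run Trivy vulnerability scanner on images
        run: |
          # One SARIF per image. The file name is derived from the full image
          # reference (characters outside [A-Za-z0-9._-] replaced by '_') so
          # two images sharing a last path component but differing in registry
          # or tag cannot silently overwrite each other's results. Blank lines
          # and a missing trailing newline in images.txt are tolerated.
          while IFS= read -r image || [ -n "$image" ]; do
            [ -n "$image" ] || continue
            name=$(printf '%s' "$image" | tr -c 'A-Za-z0-9._-' '_')
            trivy image "$image" --format sarif > "sarifs/$name.sarif"
          done < ./build-scripts/images.txt

      - name: Run Trivy vulnerability scanner on the snap
        run: |
          cp build/microk8s.snap .
          unsquashfs microk8s.snap
          trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "sarifs"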