# https://github.com/letsencrypt/boulder/blob/e182d889b220421caefbf384b36467f771b5f8d3/.github/workflows/boulder-ci.yml
# Boulder CI test suite workflow

name: Boulder CI

# Controls when the action will run.
on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches:
      - main
      - release-branch-*
  pull_request:
    branches:
      - "**"

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
permissions:
  contents: read

jobs:
  #  Main test jobs. This looks like a single job, but the matrix
  #  items will multiply it. For example every entry in the
  #  BOULDER_TOOLS_TAG list will run with every test. If there were two
  #  tags and 5 tests there would be 10 jobs run.
  b:
    # The type of runner that the job will run on
    runs-on: ubuntu-20.04

    strategy:
      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
      fail-fast: false
      # Test matrix.
      matrix:
        # Add additional docker image tags here and all tests will be run with the additional image.
        BOULDER_TOOLS_TAG:
          - go1.23.1_2024-09-05
        # Tests command definitions. Use the entire "docker compose" command you want to run.
        tests:
          # Run ./test.sh --help for a description of each of the flags.
          - "./t.sh --lints --generate"
          - "./t.sh --integration"
          # Testing Config Changes:
          # Config changes that have landed in main but not yet been applied to
          # production can be made in `test/config-next/<component>.json`.
          #
          # Testing DB Schema Changes:
          # Database migrations in `sa/_db-next/migrations` are only performed
          # when `docker compose` is called using `-f docker-compose.yml -f
          # docker-compose.next.yml`.
          - "./tn.sh --integration"
          - "./t.sh --unit --enable-race-detection"
          - "./tn.sh --unit --enable-race-detection"
          - "./t.sh --start-py"

    env:
      # This sets the docker image tag for the boulder-tools repository to
      # use in tests. It will be set appropriately for each tag in the list
      # defined in the matrix.
      BOULDER_TOOLS_TAG: ${{ matrix.BOULDER_TOOLS_TAG }}

    # Sequence of tasks that will be executed as part of the job.
    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Docker Login
        # You may pin to the exact commit or the version.
        # uses: docker/login-action@f3364599c6aa293cdc2b8391b1b56d0c30e45c8a
        uses: docker/login-action@v3.3.0
        with:
          # Username used to log against the Docker registry
          username: ${{ secrets.DOCKER_USERNAME}}
          # Password or personal access token used to log against the Docker registry
          password: ${{ secrets.DOCKER_PASSWORD}}
          # Log out from the Docker registry at the end of a job
          logout: true
        continue-on-error: true

      # Print the env variable being used to pull the docker image. For
      # informational use.
      - name: Print BOULDER_TOOLS_TAG
        run: echo "Using BOULDER_TOOLS_TAG ${BOULDER_TOOLS_TAG}"

      # Pre-pull the docker containers before running the tests.
      - name: docker compose pull
        run: docker compose pull

      # Run the test matrix. This will run
      - name: "Run Test: ${{ matrix.tests }}"
        run: ${{ matrix.tests }}

  govulncheck:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false

    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          # When Go produces a security release, we want govulncheck to run
          # against the most recently released Go version.
          check-latest: true
          go-version: "stable"

      - name: Run govulncheck
        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...

  vendorcheck:
    runs-on: ubuntu-20.04
    strategy:
      # When set to true, GitHub cancels all in-progress jobs if any matrix job fails. Default: true
      fail-fast: false
      matrix:
        go-version: ["1.22.5"]

    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Setup Go ${{ matrix.go-version }}
        uses: actions/setup-go@v5
        with:
          go-version: ${{ matrix.go-version }}

      - name: Verify vendor
        shell: bash
        run: |
          go mod tidy
          go mod vendor
          git diff --exit-code

  # This is a utility build job to detect if the status of any of the
  # above jobs have failed and fail if so. It is needed so there can be
  # one static job name that can be used to determine success of the job
  # in GitHub branch protection.
  # It does not block on the result of govulncheck so that a new vulnerability
  # disclosure does not prevent any other PRs from being merged.
  boulder_ci_test_matrix_status:
    permissions:
      contents: none
    if: ${{ always() }}
    runs-on: ubuntu-latest
    name: Boulder CI Test Matrix
    needs:
      - b
      - vendorcheck
    steps:
      - name: Check boulder ci test matrix status
        if: ${{ needs.b.result != 'success' || needs.vendorcheck.result != 'success' }}
        run: exit 1