gluetun/.github/workflows/ci.yml

name: CI
on:
  release:
    types:
      - published
  push:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum
  pull_request:
    branches:
      - master
    paths:
      - .github/workflows/ci.yml
      - cmd/**
      - internal/**
      - pkg/**
      - .dockerignore
      - .golangci.yml
      - Dockerfile
      - go.mod
      - go.sum

jobs:
  verify:
    # Only run if it's a push event or if it's a PR from this repository, and it is not dependabot.
    if: |
      github.actor != 'dependabot[bot]' &&
      (github.event_name == 'push' ||
      github.event_name == 'release' ||
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository))
    runs-on: ubuntu-latest
    env:
      DOCKER_BUILDKIT: "1"
    steps:
      - uses: actions/checkout@v3

      - uses: reviewdog/action-misspell@v1
        with:
          locale: "US"
          level: error

      - name: Linting
        run: docker build --target lint .

      - name: Go mod tidy check
        run: docker build --target tidy .

      - name: Build test image
        run: docker build --target test -t test-container .

      - name: Run tests in test container
        run: |
          touch coverage.txt
          docker run --rm \
          -v "$(pwd)/coverage.txt:/tmp/gobuild/coverage.txt" \
          test-container

      - name: Code security analysis
        uses: snyk/actions/golang@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

      - name: Build final image
        run: docker build -t final-image .

      # - name: Image security analysis
      #   uses: snyk/actions/docker@master
      #   env:
      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      #   with:
      #     image: final-image

  publish:
    # Only run if it's a push event or if it's a PR from this repository
    if: |
      github.event_name == 'push' ||
      github.event_name == 'release' ||
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
    needs: [verify]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v3
        with:
          flavor: |
            latest=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
          images: |
            qmcgaw/gluetun
            qmcgaw/private-internet-access
          tags: |
            type=ref,event=branch,enable=${{ github.ref != format('refs/heads/{0}', github.event.repository.default_branch) }}
            type=ref,event=pr
            type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
            type=semver,pattern=v{{major}}.{{minor}}
            type=semver,pattern=v{{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}

      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1

      - uses: docker/login-action@v1
        with:
          username: qmcgaw
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Short commit
        id: shortcommit
        run: echo "::set-output name=value::$(git rev-parse --short HEAD)"

      - name: Build and push final image
        uses: docker/build-push-action@v2.9.0
        with:
          platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v6,linux/arm/v7,linux/ppc64le
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            CREATED=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
            COMMIT=${{ steps.shortcommit.outputs.value }}
            VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
          tags: ${{ steps.meta.outputs.tags }}
          push: true