.github/workflows/build.yml

name: Build
on:
  workflow_dispatch:
  push:
    branches:
      - main
      - next
    paths:
      - 'src/**'
      - 'pom.xml'

concurrency:
  group: ci-main

permissions:
  # used by semantic release
  contents: write
  issues: write
  pull-requests: write
  # used to publish the docker image
  packages: write
  # used by trivy
  security-events: write

jobs:
  verify:
    name: Verify
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: maven

      - name: Run Tests
        run: mvn -B -ntp verify

  verify-native:
    strategy:
      matrix:
        os:
          - ubuntu-latest
          - windows-latest
          - macos-latest
    name: Verify ${{ matrix.os }}
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - uses: graalvm/setup-graalvm@v1
        with:
          version: 'latest'
          java-version: '17'
          components: 'native-image'
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Run tests
        run: mvn -B -ntp -PnativeTest verify

  release:
    name: Build and Release
    runs-on: ubuntu-latest
    needs:
      - verify
      - verify-native
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: maven

      - name: Create new release
        uses: cycjimmy/semantic-release-action@v3
        with:
          extra_plugins: |
            @semantic-release/git
            @semantic-release/exec
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Get Image Name
        id: get-image-name
        run: echo "image-name=$(mvn help:evaluate -Dexpression=image.name -q -DforceStdout)" >> $GITHUB_OUTPUT

      - name: Scan Docker Image for Vulnerabilities
        uses: aquasecurity/trivy-action@0.11.2
        with:
          image-ref: ${{ steps.get-image-name.outputs.image-name }}
          format: sarif
          output: trivy-results.sarif

      - name: Upload Trivy Results to GitHub Security Tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif