ci.yml

## .github/workflows/ci.yml
name: CI

permissions:
  contents: write
  attestations: write
  id-token: write
  packages: write

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  build-scancode-base:
    runs-on: ubuntu-latest

    steps:
    - name: Clone scancode-toolkit repository
      run: git clone https://github.com/nexB/scancode-toolkit.git

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Cache Docker layers
      uses: actions/cache@v4
      with:
        path: /tmp/.buildx-cache
        key: ${{ runner.os }}-buildx-${{ github.sha }}
        restore-keys: |
          ${{ runner.os }}-buildx-

    - name: Log in to the Container registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and push scancode-toolkit Docker image
      uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
      with:
        context: scancode-toolkit
        file: scancode-toolkit/Dockerfile
        push: true
        tags: ghcr.io/redhatproductsecurity/licensescanner:scancode-base

  build-wrapper:
    needs: build-scancode-base
    runs-on: ubuntu-latest

    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Cache Docker layers
      uses: actions/cache@v4
      with:
        path: /tmp/.buildx-cache
        key: ${{ runner.os }}-buildx-${{ github.sha }}
        restore-keys: |
          ${{ runner.os }}-buildx-

    - name: Log in to the Container registry
      uses: docker/login-action@v3
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Extract metadata (tags, labels) for Docker
      id: meta
      uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
      with:
        images: ghcr.io/redhatproductsecurity/licensescanner

    - name: Build and push Docker image
      id: push
      uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
      with:
        context: .
        push: true
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        
    - name: Generate artifact attestation
      uses: actions/attest-build-provenance@v1
      with:
        subject-name: ghcr.io/redhatproductsecurity/licensescanner
        subject-digest: ${{ steps.push.outputs.digest }}
        push-to-registry: true


  test:
    runs-on: ubuntu-latest
    needs: build-wrapper

    steps:
    - name: Checkout repository
      uses: actions/checkout@v2

    - name: Run tests
      run: |
        chmod +x tests/test_scan.sh
        ./tests/test_scan.sh