# "static checks" workflow: flake check, generated-code freshness, govulncheck,
# golangci-lint and a round-trip check of the Kata patch set.
# Triggers: manual dispatch, pushes to main, and every pull request.
#
# NOTE(review): no `permissions:` key appears in this file, so GITHUB_TOKEN
# carries the repository/organisation default scopes in every job. Consider
# declaring the minimum each job needs once the requirements of the local
# setup_nix and pushdiff actions have been confirmed.
name: static checks
on:
  workflow_dispatch:
  push:
    branches:
      - main
  pull_request:
jobs:
  # Runs the flake's own checks; -L prints the full build logs.
  flake-check:
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
      # Third-party action pinned to a full commit SHA; the trailing comment
      # records the release tag that SHA is expected to correspond to.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      # Repository-local action; it receives GITHUB_TOKEN and the Cachix auth
      # token. What it does with them is not visible from this file.
      - uses: ./.github/actions/setup_nix
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: nix flake check
        run: |
          nix -L flake check
  # Regenerates code and fails (or, on renovate PRs, commits) when the result
  # differs from what is checked in.
  go-source:
    runs-on: ubuntu-22.04
    timeout-minutes: 25
    steps:
      # Unless the run is for a pull request whose head repository is a fork,
      # `ref` is github.head_ref (empty outside pull requests, which selects
      # the action's default ref) and `token` is the NUNKI_CI_COMMIT_PUSH_PR
      # secret. For fork pull requests, or when that secret is empty, `ref`
      # is empty and `token` falls back to github.token.
      # NOTE(review): presumably the dedicated token is there so pushdiff can
      # push a fixup commit; confirm. No persist-credentials input is set, so
      # the checkout's default credential handling applies and the token may
      # be reachable by the later steps that run repository code; keep its
      # scope as narrow as the push requires.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.NUNKI_CI_COMMIT_PUSH_PR || github.token }}
      - uses: ./.github/actions/setup_nix
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      # Executes the generate script defined by the checked-out revision.
      - name: Run code generations & tidying
        run: |
          nix run .#scripts.generate
      # Repository-local action; `error` and `suggested-fix` are the messages
      # passed to it, `renovate-commit-msg` the commit message for the
      # renovate case named in the step title.
      - name: Check for modifications, commit changes on renovate PRs
        uses: ./.github/actions/pushdiff
        with:
          error: Generated code needs to be updated, check the GitHub run summary for the diff.
          suggested-fix: Run \`nix run .#scripts.generate\` to run code generation.
          renovate-commit-msg: "fixup: update generated code"
  # Scans all packages (./...) with the flake's govulncheck script.
  govulncheck:
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/setup_nix
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Run govulncheck
        run: |
          nix run .#scripts.govulncheck -- ./...
  # Lints the Go sources with the flake's golangci-lint script.
  golangci-lint:
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/setup_nix
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Run golangci-lint
        run: |
          nix run .#scripts.golangci-lint
  # Verifies that the Kata patches apply cleanly to the upstream version the
  # flake names and that regenerating them yields the checked-in files.
  clean-patches:
    runs-on: ubuntu-22.04
    timeout-minutes: 15
    steps:
      # This repository is checked out into contrast/ so that the Kata clone
      # can sit next to it in the workspace.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: contrast
      - uses: ./contrast/.github/actions/setup_nix
        with:
          githubToken: ${{ secrets.GITHUB_TOKEN }}
          cachixToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      # Shallow clone of upstream Kata at the ref named by the flake's
      # kata-runtime version, placed in ../kata.
      # NOTE(review): `-b` selects the upstream ref by name, not by commit
      # hash, so the result follows wherever that name points upstream.
      - name: Check out Kata
        working-directory: contrast
        run: |
          git clone --depth 1 -b "$(nix eval --raw .#kata.kata-runtime.version)" https://github.com/kata-containers/kata-containers.git ../kata
      # Applies the checked-in patches with `git am` (no 3-way fallback) and
      # rewrites them in place with `git format-patch`.
      # NOTE(review): the user.email value reads like an e-mail-obfuscation
      # placeholder from the page this listing was taken from; confirm the
      # real value in the repository.
      # NOTE(review): both `nix eval` calls here run with kata/ as working
      # directory, whereas the previous step evaluates the same attribute from
      # contrast/; confirm `.#` resolves as intended from here.
      # NOTE(review): the final command clones Kata again into a nested kata/
      # directory that no later step in this workflow reads; confirm it is
      # intentional.
      - name: Apply patches
        working-directory: kata
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "Actions Bot"
          git am --no-3way ../contrast/packages/by-name/kata/kata-runtime/*.patch
          git format-patch -N --no-signature --zero-commit -o ../contrast/packages/by-name/kata/kata-runtime/ "$(nix eval --raw .#kata.kata-runtime.version)"
          git clone --depth 1 -b "$(nix eval --raw .#kata.kata-runtime.version)" https://github.com/kata-containers/kata-containers.git kata
      # Exits non-zero when the regenerated patch files differ from the
      # tracked ones.
      - name: Check for diff
        working-directory: contrast
        run: |
          git diff --exit-code