.github/workflows/ipldt.yml

---
name: IP Leak Scan

permissions: read-all

on:

  workflow_dispatch:
    # allow direct call to support testing updates to disposition DB
    inputs:
      db_ref:
        description: 'The branch, tag or SHA to get DB from'
        default: ipldt
        type: string
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: false
        default: ''
        type: string
      docker_opts:
        description: 'extra options for docker build'
        required: false
        default: ''
        type: string

  workflow_call:
    inputs:
      db_ref:
        description: 'The branch, tag or SHA to get DB from'
        required: false
        type: string
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: false
        default: ''
        type: string
      docker_opts:
        description: 'extra options for docker build'
        required: false
        type: string

jobs:
  scan:
    runs-on: [self-hosted, Linux, docker]
    steps:

      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *

      - name: Checkout PR branch
        uses: actions/checkout@v4
        with:
          path: source

      - name: Build Docker image
        run: >
          docker build ${{ inputs.docker_opts }}
          -f "source/.github/workflows/ipldt/Dockerfile.ubuntu.ipldt"
          --build-arg USER_ID=$(id -u)
          --build-arg GROUP_ID=$(id -g)
          -t vpl_ipldt:ubuntu
          --build-arg "IPLDB_TOOL_URL=${{ vars.IPLDB_TOOL_URL }}"
          "source/.github/workflows/ipldt"

      - name: Checkout Dispositions
        uses: actions/checkout@v4
        with:
          path: db
          ref: ${{ inputs.db_ref || 'ipldt' }}

      - name: Package Source
        run: |
          pushd source
          git archive HEAD -o ../source.zip
          popd

      - name: Scan source in container
        continue-on-error: false
        run: |
          cat <<'EOL' > action.sh
          #!/bin/bash
          set -x
          set +o errexit
          set -o pipefail
          /opt/ipldt3_lin_intel64/ipldt3_lin_intel64 \
              -i source.zip \
              -c 37 \
              --usedb db/ipldt_results.ip.db \
              --usedb db/ipldt_results.ipevt.db \
              --usedb db/ipldt_results.tm.db \
              -s db/stringfile.yaml.0 \
              --db-rel-path \
              --gendb _logs/ip-leak-scan/hits-linux.db \
              --r-overwrite \
              --r _logs/ip-leak-scan \
              | tee _logs/ipldt.txt
          ret=$?
          set +o pipefail
          exit $ret
          EOL
          chmod +x action.sh

          mkdir -p _logs/ip-leak-scan
          docker run --rm -v $PWD:/working -w /working \
          vpl_ipldt:ubuntu ./action.sh
          mv _logs/ipldt.txt _logs/ip-leak-scan/ipldt_results.txt

      - name: Report
        if: success() || failure()
        run: |
            echo '```' >> $GITHUB_STEP_SUMMARY
            cat _logs/ip-leak-scan/ipldt_results.txt >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY

      - name: Record Artifacts
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: ${{ inputs.output_prefix }}ip-leak-scan
          path: _logs/ip-leak-scan

      - name: Cleanup workspace
        run: sudo rm -rf ..?* .[!.]* *