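# DevSecOps Workflow Definition
# This workflow is triggered on every push to the repository: `golangci` and
# `tests` always run. The image-build jobs (`code-scanning`, `*-pipeline`) and
# the binary `release` job are additionally gated by their own `if:` conditions
# (main branch, tags, or a manual workflow_dispatch).
name: DevGuard-Workflow
on:
  workflow_dispatch:
  push:

jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
        with:
          submodules: recursive
          persist-credentials: false
      # TODO(review): pin to a commit SHA like the other third-party actions in
      # this file; `@v31` is a mutable tag that can be re-pointed upstream.
      - uses: cachix/install-nix-action@v31
        with:
          install_url: https://releases.nixos.org/nix/nix-2.34.4/install
          extra_nix_config: |
            experimental-features = nix-command flakes
            substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
      - name: golangci-lint
        run: nix develop . --command golangci-lint run --timeout=30m

  tests:
    name: tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Check out code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
        with:
          submodules: recursive
          persist-credentials: false
      # TODO(review): pin to a commit SHA (see the note on the lint job).
      - uses: cachix/install-nix-action@v31
        with:
          install_url: https://releases.nixos.org/nix/nix-2.34.4/install
          extra_nix_config: |
            experimental-features = nix-command flakes
            substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
      - name: Run unittests
        # `\$(...)` is escaped so the outer shell passes the substitution
        # untouched into the inner `bash -c` running inside `nix develop`.
        run: nix develop . --command bash -c "go test \$(go list ./... | grep -v '/mocks') -coverprofile=coverage.out && go tool cover -func=coverage.out"
      - name: Archive code coverage results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2
        with:
          name: code-coverage
          path: coverage.out

  # Reusable DevGuard workflows. Each one is pinned to the `nix` ref of the
  # devguard-action repository and receives the DevGuard API token as a secret.
  code-scanning:
    uses: l3montree-dev/devguard-action/.github/workflows/code-scanning.yml@nix
    permissions:
      contents: read
      security-events: write
    with:
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      fail-on-risk: high
      fail-on-cvss: high
      web-ui: https://main.devguard.org
      continue-on-open-code-risk: true
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  api-pipeline:
    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
    uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
    permissions:
      contents: read
      packages: write
      security-events: write
    with:
      nix-target-amd64: devguard-amd64
      nix-target-arm64: devguard-arm64
      nix-version: '2.34.4'
      image-name: ghcr.io/${{ github.repository }}
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      web-ui: https://main.devguard.org
      fail-on-cvss: high
      fail-on-risk: high
      nix-cache-substituter: https://nix.garage.l3montree.cloud
      nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
      nix-cache-s3-bucket: nix
      nix-cache-region: garage
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  scanner-pipeline:
    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
    needs: [tests]
    uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
    permissions:
      contents: read
      packages: write
      security-events: write
    with:
      nix-target-amd64: devguard-scanner-amd64
      nix-target-arm64: devguard-scanner-arm64
      nix-version: '2.34.4'
      image-name: ghcr.io/${{ github.repository }}/scanner
      artifact-name-suffix: scanner
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
      api-url: https://api.main.devguard.org
      web-ui: https://main.devguard.org
      fail-on-cvss: high
      fail-on-risk: high
      nix-cache-substituter: https://nix.garage.l3montree.cloud
      nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
      nix-cache-s3-bucket: nix
      nix-cache-region: garage
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  postgresql-pipeline:
    if: github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
    uses: l3montree-dev/devguard-action/.github/workflows/full-nix.yml@nix
    permissions:
      contents: read
      packages: write
      security-events: write
    with:
      nix-target-amd64: postgresql-amd64
      nix-target-arm64: postgresql-arm64
      nix-version: '2.34.4'
      image-name: ghcr.io/${{ github.repository }}/postgresql
      artifact-name-suffix: postgresql
      asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
      api-url: https://api.main.devguard.org
      web-ui: https://main.devguard.org
      fail-on-cvss: high
      fail-on-risk: high
      nix-cache-substituter: https://nix.garage.l3montree.cloud
      nix-cache-public-key: nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
      nix-cache-s3-bucket: nix
      nix-cache-region: garage
    secrets:
      devguard-token: ${{ secrets.DEVGUARD_TOKEN }}

  release:
    name: Build and Release Binaries
    runs-on: ubuntu-latest
    permissions:
      contents: write
    # Publish binaries only from a revision that passed lint and tests. The
    # earlier commented-out list (`golangci, tests, sign-scanner, devguard`)
    # named jobs that do not exist in this workflow and would not validate.
    needs: [golangci, tests]
    if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/test-release'
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
    steps:
      - name: Checkout code
        # Pinned to the same checkout revision as the other jobs (was the
        # mutable `@v4` tag). fetch-depth 0 keeps full history for tagging.
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
      # TODO(review): pin to a commit SHA (see the note on the lint job).
      - uses: cachix/install-nix-action@v31
        with:
          install_url: https://releases.nixos.org/nix/nix-2.34.4/install
          extra_nix_config: |
            experimental-features = nix-command flakes
            substituters = https://cache.nixos.org https://nix.garage.l3montree.cloud
            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.garage.l3montree.cloud:MGlzfPQKA91/zxw91CN+GP7NpjAAwmKvWXlDYgeeI8k=
      - name: Get tag
        id: tag
        # Tag pushes release under the tag name; the test-release branch gets a
        # timestamped `test-...` tag (which later marks the release as prerelease).
        # TAG_NO_V (tag without a leading `v`) is only set on real tag pushes.
        run: |
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            echo "tag=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"
            echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> "$GITHUB_ENV"
          else
            echo "tag=test-$(date +%Y%m%d-%H%M%S)" >> "$GITHUB_OUTPUT"
          fi
      - name: Build cross-platform binaries
        # Version metadata comes in through environment variables (tag via the
        # step env below, commit via the default GITHUB_SHA) rather than being
        # interpolated into the script with `${{ }}`, so nothing is spliced
        # into shell source at render time.
        run: |
          nix develop . --command bash -c "
            mkdir -p dist
            BUILD_FLAGS=\"-s -w -buildid= -X main.version=${STEPS_TAG_OUTPUTS_TAG} -X main.commit=${GITHUB_SHA} -X main.date=\$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions\"
            GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-linux-amd64 ./cmd/devguard-scanner
            GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-linux-arm64 ./cmd/devguard-scanner
            GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-windows-amd64.exe ./cmd/devguard-scanner
            GOOS=windows GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-windows-arm64.exe ./cmd/devguard-scanner
            GOOS=darwin GOARCH=amd64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-darwin-amd64 ./cmd/devguard-scanner
            GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags=\"\$BUILD_FLAGS\" -o dist/devguard-scanner-darwin-arm64 ./cmd/devguard-scanner
          "
        env:
          STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
      - name: Create archives
        run: |
          cd dist
          # Create tar.gz archives for Unix-like systems
          tar -czf devguard-scanner-linux-amd64.tar.gz devguard-scanner-linux-amd64
          tar -czf devguard-scanner-linux-arm64.tar.gz devguard-scanner-linux-arm64
          tar -czf devguard-scanner-darwin-amd64.tar.gz devguard-scanner-darwin-amd64
          tar -czf devguard-scanner-darwin-arm64.tar.gz devguard-scanner-darwin-arm64
          # Create zip archives for Windows
          zip devguard-scanner-windows-amd64.zip devguard-scanner-windows-amd64.exe
          zip devguard-scanner-windows-arm64.zip devguard-scanner-windows-arm64.exe
          # Remove individual binaries, keep archives
          rm -f devguard-scanner-linux-amd64 devguard-scanner-linux-arm64 devguard-scanner-darwin-amd64 devguard-scanner-darwin-arm64
          rm -f devguard-scanner-windows-amd64.exe devguard-scanner-windows-arm64.exe
      - name: Generate checksums
        # checksums.txt is itself signed in the next step, so consumers can
        # verify the archive digests from a signed file.
        run: |
          cd dist
          sha256sum *.tar.gz *.zip > checksums.txt
          echo "Generated checksums for all release artifacts"
      - name: Sign release artifacts with devguard-scanner
        # TODO(review): the signing tool is part of the release trust chain;
        # pin it by digest (ghcr.io/l3montree-dev/devguard/scanner@sha256:<digest>)
        # instead of the mutable `:main` tag.
        uses: docker://ghcr.io/l3montree-dev/devguard/scanner:main
        env:
          # Step env is passed into the container; the token is read from the
          # environment inside the shell instead of being rendered into `args`.
          DEVGUARD_TOKEN: ${{ secrets.DEVGUARD_TOKEN }}
        with:
          entrypoint: /bin/sh
          args: |
            -c "
            cd dist
            for file in *.tar.gz *.zip checksums.txt; do
              if [ -f \"\$file\" ]; then
                echo \"Signing \$file with devguard-scanner...\"
                devguard-scanner sign --token \"\$DEVGUARD_TOKEN\" \"\$file\" > ${file}.sig
              fi
            done
            "
      - name: Create GitHub Release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          tag_name: ${{ steps.tag.outputs.tag }}
          name: "DevGuard Scanner ${{ steps.tag.outputs.tag }}"
          draft: false
          # Timestamped tags from the test-release branch are marked prerelease.
          prerelease: ${{ contains(steps.tag.outputs.tag, 'test-') }}
          body: |
            ## 🚀 DevGuard Release ${{ steps.tag.outputs.tag }}
            **Secure software supply chain scanning and security analysis toolkit**
            ### Release Assets
            #### **📱 Binaries**
            - `devguard-scanner-linux-amd64.tar.gz` - Linux x64 binary
            - `devguard-scanner-linux-arm64.tar.gz` - Linux ARM64 binary
            - `devguard-scanner-darwin-amd64.tar.gz` - macOS x64 binary
            - `devguard-scanner-darwin-arm64.tar.gz` - macOS ARM64 (Apple Silicon) binary
            - `devguard-scanner-windows-amd64.zip` - Windows x64 binary
            - `devguard-scanner-windows-arm64.zip` - Windows ARM64 binary
            #### **🐳 Container Images**
            - **Registry**:
            - `ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}` (Main platform)
            - `ghcr.io/l3montree-dev/devguard-web:${{ steps.tag.outputs.tag }}` (Frontend of the platform)
            - `ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}` (Scanner tool)
            #### Helm Charts
            `oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard` (Main platform Helm chart)
            ```bash
            helm install my-devguard oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard --version ${{ env.TAG_NO_V }}
            ```
            ### Quick Start
            #### **Download and Install**
            ```bash
            # Linux/macOS - Download and extract
            curl -L https://github.com/l3montree-dev/devguard/releases/download/${{ steps.tag.outputs.tag }}/devguard-scanner-linux-amd64.tar.gz | tar -xz
            chmod +x devguard-scanner-linux-amd64
            sudo mv devguard-scanner-linux-amd64 /usr/local/bin/devguard-scanner
            # Verify installation
            devguard-scanner --version
            ```
            #### **Docker Usage**
            ```bash
            # Pull DevGuard Scanner from registry
            docker pull ghcr.io/l3montree-dev/devguard/scanner:${{ steps.tag.outputs.tag }}
            # Pull DevGuard Platform from registry
            docker pull ghcr.io/l3montree-dev/devguard:${{ steps.tag.outputs.tag }}
            ```
            #### **Go Install**
            ```bash
            go install github.com/l3montree-dev/devguard/cmd/devguard-scanner@${{ steps.tag.outputs.tag }}
            ```
            ---
            📖 **Documentation**: [DevGuard Documentation](https://github.com/l3montree-dev/devguard)
            🐛 **Report Issues**: [GitHub Issues](https://github.com/l3montree-dev/devguard/issues)
            💬 **Community**: [Discussions](https://github.com/l3montree-dev/devguard/discussions)
          # NOTE(review): only the archives, checksums.txt and the .sig files are
          # produced by steps in this workflow; the .link / .provenance.json /
          # .sbom.json patterns match nothing here unless another step writes them.
          files: |
            dist/*.tar.gz
            dist/*.zip
            dist/checksums.txt
            dist/*.sig
            dist/*.link
            dist/*.provenance.json
            dist/*.sbom.json
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}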