name: CVE checks docker master
on:
  workflow_dispatch:
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron:  '0 8 15 * *'
jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'zulu'
          cache: 'maven'

      - name: Build project
        id: build
        run: |
          ./mvnw -B -ntp versions:set -DnewVersion=$GITHUB_SHA
          ./mvnw -B -V -ntp clean package -DskipTests
          export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
          echo "version=${VERSION}" >> $GITHUB_OUTPUT

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build docker image
        uses: docker/build-push-action@v3
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: kafka-ui-api
          platforms: linux/amd64
          push: false
          load: true
          tags: |
            provectuslabs/kafka-ui:${{ steps.build.outputs.version }}
          build-args: |
            JAR_FILE=kafka-ui-api-${{ steps.build.outputs.version }}.jar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Run CVE checks
        uses: aquasecurity/trivy-action@0.8.0
        with:
          image-ref: "provectuslabs/kafka-ui:${{ steps.build.outputs.version }}"
          format: "table"
          exit-code: "1"