types: [ closed ]

permissions: {}

jobs:
  check_pull_metadata:
    permissions:
      issues: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      # Check that PRs have proper metadata: labels and milestone
      # https://github.com/gradle/issue-management-action/blob/main/src/pull-metadata.ts
      - uses: gradle/issue-management-action@v1
        with:

  cancel-in-progress: true

env:
  # Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated
  DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
  # Enable debug for the `gradle-build-action` cache operations
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true

# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:

      level: default:info,cni:info

    logAsJson: false

    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
    # to use for pulling any images in pods that reference this ServiceAccount.
    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.

    - name: Setup Gradle
      uses: gradle/actions/dependency-submission@v3
      with:
        # Action runs a custom dependencies task that fails with config-cache on Gradle 8.7 (works with 8.6)
        additional-arguments: --no-configuration-cache
      env:
        # Exclude some projects and configurations that should not contribute to the dependency graph

on:
  issues:
    types: [ opened, unlabeled, closed ]

permissions: {}

jobs:
  check_issue_metadata:
    permissions:
      issues: write
    runs-on: ubuntu-latest
    steps:
      # Check that issues have proper metadata: labels and milestone
      # https://github.com/gradle/issue-management-action/blob/main/src/issue-metadata.ts
      - uses: gradle/issue-management-action@v1
        with:

version: '3.7'

# Settings and configurations that are common for all containers
x-minio-common: &minio-common
  image: quay.io/minio/minio:RELEASE.2024-05-01T01-11-10Z
  command: server --console-address ":9001" http://minio{1...4}/data{1...2}
  expose:
    - "9000"
    - "9001"
  # environment:
    # MINIO_ROOT_USER: minioadmin
    # MINIO_ROOT_PASSWORD: minioadmin
  healthcheck:
    test: ["CMD", "mc", "ready", "local"]
    interval: 5s

        hostPath:
          path: /var/run/ztunnel
          type: DirectoryOrCreate # ideally this would be a socket, but ztunnel may not have started yet.
      # pprof needs a writable /tmp, and we don't have that thanks to `readOnlyRootFilesystem: true`, so mount one
      - name: tmp
        emptyDir: {}
      {{- with .Values.volumes }}
        {{- toYaml . | nindent 6}}

      run: ./gradlew --no-configuration-cache --init-script .github/workflows/codeql-analysis.init.gradle -DcacheNode=us -S testClasses -Dhttp.keepAlive=false
      env:
        # Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated
        DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}
        # Potential stop-gap solution for ReadTimeout issues with the Gradle Build Cache