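#
# SELinux code validation workflow
#
# Compiles the policy module sources (*.te, *.fc, *.if) against several
# EL / Fedora targets, extracts the module name and version from the .te
# file, and, on pushes to main or release/* branches, drafts a pre-release
# tagged with that version.
#
name: "Validate SELinux code"

concurrency:
  group: SELinux_compile_wkf_group

on:
  workflow_dispatch:
  push:
    paths:
      - '**.te'
      - '**.fc'
      - '**.if'
  pull_request:
    branches: [ "main", "release/**" ]
    paths:
      - '**.te'
      - '**.fc'
      - '**.if'

# Least privilege: the GITHUB_TOKEN handed to every job is read-only.
# Only add_tag, which creates a tag and a release, is raised to
# `contents: write` below.
permissions:
  contents: read

env:
  # Basename of the policy module source: se_module/<SEMODULE>.te
  SEMODULE: springboot

jobs:
  compile_el8:
    name: Validate SELinux code (EL 8)
    runs-on: ubuntu-latest
    steps:
      # NOTE(security): the original used `actions/checkout@master`, a mutable
      # ref. Pin first- and third-party actions to a full commit SHA (keep the
      # tag or branch name in a trailing comment) so an upstream force-push
      # cannot silently change what runs with this job's token.
      - uses: actions/checkout@v4
        with:
          # The compile step only needs the working tree; do not leave the
          # token in .git/config where the third-party step could read it.
          persist-credentials: false
      # Third-party builder referenced by a distro branch name; pin to a
      # reviewed commit SHA of that branch.
      - uses: lhqg/selinux_compile@almalinux8

  compile_el9:
    name: Validate SELinux code (EL 9)
    runs-on: ubuntu-latest
    # EL 9 results are reported but never block the pipeline.
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA
        with:
          persist-credentials: false
      - uses: lhqg/selinux_compile@centos9  # pin to a full commit SHA

  compile_fedora37:
    name: Validate SELinux code (Fedora 37)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA
        with:
          persist-credentials: false
      - uses: lhqg/selinux_compile@fedora37  # pin to a full commit SHA

  compile_fedora38:
    name: Validate SELinux code (Fedora 38)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA
        with:
          persist-credentials: false
      - uses: lhqg/selinux_compile@fedora38  # pin to a full commit SHA

  compile_fedora39:
    name: Validate SELinux code (Fedora 39)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA
        with:
          persist-credentials: false
      - uses: lhqg/selinux_compile@fedora39  # pin to a full commit SHA

  compile_fedora40:
    name: Validate SELinux code (Fedora 40)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA
        with:
          persist-credentials: false
      - uses: lhqg/selinux_compile@fedora40  # pin to a full commit SHA

  semodule_info:
    name: Get SELinux module information
    needs: [ compile_el8, compile_el9, compile_fedora37, compile_fedora38, compile_fedora39, compile_fedora40 ]
    runs-on: ubuntu-latest
    # Inherits the workflow-level read-only token; nothing here writes.
    outputs:
      semodule_name: ${{ steps.semodule_chars.outputs.semodule_name }}
      semodule_vers: ${{ steps.semodule_chars.outputs.semodule_vers }}
    steps:
      - uses: actions/checkout@v4  # pin to a full commit SHA
        with:
          persist-credentials: false
      - name: Get SELinux policy module characteristics
        id: semodule_chars
        # Reads the module name and version from either the
        #   module <name> <version>;
        # or the
        #   policy_module(<name>, <version>)
        # declaration of the .te file and publishes them as step outputs.
        # GITHUB_OUTPUT lines must be literal `key=value`: the previous
        # `{semodule_name}={...}` form copied the docs' placeholder braces,
        # so the outputs never matched and the tag came out as "v-rc".
        run: |
          awk '
            /^[[:blank:]]*module[[:blank:]]+/ {
              sub("[[:blank:]]*;$", "")
              module_name = $2
              module_vers = $3
            }
            /^[[:blank:]]*policy_module[[:blank:]]*\(/ {
              sub("^[[:blank:]]*policy_module[[:blank:]]*[(][[:blank:]]*", "")
              sub("[[:blank:]]*[)][[:blank:]]*$", "")
              split($0, a, "[[:blank:]]*,[[:blank:]]*")
              module_name = a[1]
              module_vers = a[2]
            }
            END {
              print "semodule_name=" module_name
              print "semodule_vers=" module_vers
            }' "se_module/${SEMODULE}.te" >> "$GITHUB_OUTPUT"

  add_tag:
    name: Add SELinux module version tag on the branch
    needs: semodule_info
    runs-on: ubuntu-latest
    # Only tag real pushes to main or release/*, and only when a version was
    # actually extracted; an empty version would otherwise create "v-rc".
    if: >-
      github.event_name == 'push'
      && (github.ref_name == 'main' || startsWith(github.ref_name, 'release/'))
      && needs.semodule_info.outputs.semodule_vers != ''
    permissions:
      contents: write  # needed to create the tag and the draft release
    steps:
      # No checkout: create-release only calls the REST API and tags
      # github.sha by default, so this job never needs the working tree.
      - name: Tag the branch with the SELinux module version and draft a pre-release
        # NOTE: actions/create-release is archived upstream and `@latest` was
        # a mutable ref; pin to a release tag (ideally its full commit SHA).
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: v${{ needs.semodule_info.outputs.semodule_vers }}-rc
          release_name: Release candidate for v${{ needs.semodule_info.outputs.semodule_vers }}
          draft: true
          prerelease: true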