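---
# Starts zot with the TLS example config and runs the repo's TLS scan and
# cipher-check scripts against it, once per matrix mode. The `fips` entry
# launches the server with GODEBUG=fips140=only; the cipher-check script is
# handed the mode name so it can apply mode-specific expectations.
name: "TLS protocol scan"

on:
  push:
    branches:
      - main
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [main]

# Least privilege: nothing in this job needs more than a checkout.
# `read-all` also granted read on issues, pull requests, packages, etc.
# NOTE(review): widen this (e.g. `packages: read`) only if one of the
# test/scripts turns out to use GITHUB_TOKEN for more than checkout.
permissions:
  contents: read

jobs:
  tls-check:
    name: TLS check (${{ matrix.mode }})
    runs-on: ubuntu-latest
    # Bound the job (default is 6h). Generous for a build plus a TLS scan;
    # raise it if tls_scan.sh grows.
    timeout-minutes: 30
    strategy:
      matrix:
        mode: [non-fips, fips]
        include:
          - mode: non-fips
            godebug: ""
          - mode: fips
            godebug: "fips140=only"
    steps:
      # NOTE(review): pin both actions to a full commit SHA (keep the tag in a
      # trailing comment) so a moved or compromised tag cannot change what
      # runs in a security-gating workflow.
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v6
        with:
          cache: false
          go-version: "1.24.x"

      - name: Install dependencies
        # Generates the test certificates into test/data; gen_certs.sh lives
        # in test/scripts (reached as ../scripts from test/data).
        run: |
          cd "$GITHUB_WORKSPACE"
          mkdir -p test/data
          cd test/data
          ../scripts/gen_certs.sh

      - name: Build binary
        run: |
          cd "$GITHUB_WORKSPACE"
          make binary

      - name: Start zot server (${{ matrix.mode }})
        # GODEBUG is passed via `env:` instead of interpolating `${{ }}` into
        # the script body, so the value is never re-parsed by the shell
        # (expression-injection hardening; harmless here since the values are
        # static, but it is the pattern to keep). The server inherits it at
        # launch; sleep/grep/curl are not Go binaries, so a step-wide setting
        # is equivalent to the previous export/unset pair around the launch.
        env:
          GODEBUG: ${{ matrix.godebug }}
        run: |
          cd "$GITHUB_WORKSPACE"
          bin/zot-linux-amd64 serve examples/config-tls.json &
          echo $! > zot.PID
          sleep 5
          # Fail fast if the process already died (e.g. bad config) instead
          # of waiting out the curl retry budget below.
          grep -q '^State:' "/proc/$(cat zot.PID)/status" || { echo "zot exited early"; exit 1; }
          # Readiness probe only. -k is required because gen_certs.sh produces
          # self-signed test certs; validating the certificate chain and the
          # cipher configuration is the job of the scan scripts, not this call.
          curl -k --connect-timeout 3 --max-time 5 \
            --retry 60 --retry-delay 1 --retry-max-time 180 --retry-connrefused \
            https://localhost:8080/v2/

      - name: Run TLS tests (${{ matrix.mode }})
        # Same `env:` pattern as above: the mode reaches the script as a
        # quoted shell variable rather than as raw text spliced into the line.
        env:
          TLS_MODE: ${{ matrix.mode }}
        run: |
          cd "$GITHUB_WORKSPACE"
          ./test/scripts/tls_scan.sh
          ./test/scripts/tls_cipher_check.sh "$TLS_MODE" localhost:8080

      - name: Cleanup
        if: always()
        run: |
          cd "$GITHUB_WORKSPACE"
          [[ -f zot.PID ]] && kill "$(cat zot.PID)" 2>/dev/null || true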