chore: improve ci

.github/workflows/ah-lint.yaml

@@ -2,7 +2,7 @@
 
 name: ArtifactHub Lint
 
-# permissions: {}
+permissions: {}
 
 on:
   pull_request:

.github/workflows/check-actions.yaml

@@ -2,7 +2,7 @@
 
 name: Check actions
 
-# permissions: {}
+permissions: {}
 
 on:
   pull_request:

.github/workflows/codegen.yaml

@@ -2,7 +2,7 @@
 
 name: Verify codegen
 
-# permissions: {}
+permissions: {}
 
 on:
   pull_request:

.github/workflows/codeql.yaml

@@ -0,0 +1,44 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: CodeQL
+
+permissions: {}
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  required:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # v0.16.1
+        with:
+          scan-type: fs
+          ignore-unfixed: false
+          format: sarif
+          output: trivy-results.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+          scanners: vuln,secret
+          exit-code: '0'
+          vuln-type: os,library
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        with:
+          sarif_file: trivy-results.sarif
+          category: code

.github/workflows/ct-lint.yaml

@@ -2,7 +2,7 @@
 
 name: CT Lint
 
-# permissions: {}
+permissions: {}
 
 on:
   pull_request:

.github/workflows/helm-install.yaml

@@ -2,7 +2,7 @@
 
 name: Helm install
 
-# permissions: {}
+permissions: {}
 
 on:
   pull_request:

.github/workflows/lint.yaml

@@ -2,7 +2,7 @@
 
 name: Lint
 
-# permissions: {}
+permissions: {}
 
 on:
   pull_request:

.github/workflows/release.yaml

@@ -2,7 +2,7 @@
 
 name: Release
 
-# permissions: {}
+permissions: {}
 
 on:
   push:

.github/workflows/tests.yaml

@@ -0,0 +1,49 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: Tests
+
+permissions: {}
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  unit-tests:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version-file: go.mod
+        cache-dependency-path: go.sum
+    # - name: Create test cluster
+    #   run: |
+    #     set -e
+    #     make kind-cluster
+    - name: Run tests
+      run: |
+        set -e
+        make tests
+    - name: Upload Report to Codecov
+      uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+      with:
+        file: ./coverage.out
+        fail_ci_if_error: true
+        verbose: true
+
+  required:
+    needs:
+    - unit-tests
+    runs-on: ubuntu-latest
+    steps:
+    - run: echo "Required jobs success!"