147 lines
3.5 KiB
YAML
147 lines
3.5 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
pre-commit:
|
|
name: Pre-commit checks
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: '3.11'
|
|
|
|
- name: Install tooling
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install pre-commit
|
|
pip install -r backend/requirements.txt || true
|
|
pip install pytest
|
|
|
|
- name: Run pre-commit hooks
|
|
run: pre-commit run --all-files
|
|
|
|
test:
|
|
name: Run tests
|
|
needs: pre-commit
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: '3.11'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r backend/requirements.txt || true
|
|
pip install pytest
|
|
|
|
- name: Run tests
|
|
run: |
|
|
if [ -d backend/tests ]; then pytest -q; else echo "No tests found"; fi
|
|
|
|
docker-lint:
|
|
name: Docker Lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Run Hadolint on backend Dockerfile
|
|
uses: hadolint/hadolint-action@v3.1.0
|
|
with:
|
|
dockerfile: backend/Dockerfile
|
|
ignore: DL3045
|
|
|
|
- name: Run Hadolint on frontend Dockerfile
|
|
uses: hadolint/hadolint-action@v3.1.0
|
|
with:
|
|
dockerfile: frontend/Dockerfile
|
|
ignore: DL3045
|
|
|
|
build-and-scan:
|
|
name: Build and Scan Docker Images
|
|
needs: docker-lint
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Build backend image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: ./backend
|
|
file: ./backend/Dockerfile
|
|
push: false
|
|
load: true
|
|
tags: backend:latest
|
|
|
|
- name: Build frontend image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: ./frontend
|
|
file: ./frontend/Dockerfile
|
|
push: false
|
|
load: true
|
|
tags: frontend:latest
|
|
|
|
- name: Scan backend with Trivy
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: backend:latest
|
|
format: sarif
|
|
output: backend-trivy.sarif
|
|
|
|
- name: Scan frontend with Trivy
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: frontend:latest
|
|
format: sarif
|
|
output: frontend-trivy.sarif
|
|
|
|
- name: Upload Trivy results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: backend-trivy.sarif
|
|
category: trivy-backend
|
|
|
|
- name: Upload frontend Trivy results
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: frontend-trivy.sarif
|
|
category: trivy-frontend
|
|
|
|
validate-docker-compose:
|
|
name: Validate Docker Compose
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Validate docker-compose.yml
|
|
run: |
|
|
docker-compose -f docker-compose.yml config > /dev/null
|
|
continue-on-error: true
|