ENI-DevSecOps/.github/workflows/ci.yml

name: Task Manager CI/CD

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  lint:
    name: Lint & Format Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install linting tools
        run: |
          python -m pip install --upgrade pip
          pip install black flake8 isort

      - name: Check code formatting (black)
        run: black --check backend/

      - name: Check import sorting (isort)
        run: isort --check-only backend/

      - name: Lint code (flake8)
        run: flake8 backend/ --max-line-length=100


  test:
    name: Run Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt
          pip install pytest pytest-cov

      - name: Run unit tests
        run: |
          if [ -d backend/tests ]; then
            pytest backend/tests/ -v --cov=backend/app
          else
            echo "No tests found in backend/tests/"
          fi

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: 'backend/'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          name: Task Manager CI/CD

          on:
            push:
              branches: [main, develop]
            pull_request:
              branches: [main]

          # Required permissions for uploading SARIF and security events
          permissions:
            contents: read
            checks: write
            security-events: write

          jobs:
            lint:
              name: Lint & Format Check
              runs-on: ubuntu-latest
              steps:
                - name: Checkout code
                  uses: actions/checkout@v4

                - name: Set up Python
                  uses: actions/setup-python@v4
                  with:
                    python-version: '3.11'

                - name: Install linting tools
                  run: |
                    python -m pip install --upgrade pip
                    pip install black flake8 isort

                - name: Check code formatting (black)
                  run: |
                    black --version || true
                    black --check backend/ || (echo "Black would reformat (showing diff):" && black --diff backend/ && exit 1)

                - name: Check import sorting (isort)
                  run: |
                    isort --version || true
                    isort --check-only backend/ || (echo "isort would change imports (showing diff):" && isort backend/ --profile=black --diff && exit 1)

                - name: Lint code (flake8)
                  run: flake8 backend/ --max-line-length=100

            test:
              name: Run Tests
              runs-on: ubuntu-latest
              needs: lint
              steps:
                - name: Checkout code
                  uses: actions/checkout@v4

                - name: Set up Python
                  uses: actions/setup-python@v4
                  with:
                    python-version: '3.11'

                - name: Install dependencies
                  run: |
                    python -m pip install --upgrade pip
                    pip install -r backend/requirements.txt
                    pip install pytest pytest-cov

                - name: Run unit tests
                  run: |
                    if [ -d backend/tests ]; then
                      pytest backend/tests/ -v --cov=backend/app
                    else
                      echo "No tests found in backend/tests/"
                    fi

            security:
              name: Security Scan
              runs-on: ubuntu-latest
              steps:
                - name: Checkout code
                  uses: actions/checkout@v4

                - name: Run Trivy vulnerability scanner
                  uses: aquasecurity/trivy-action@master
                  with:
                    scan-type: 'fs'
                    scan-ref: 'backend/'
                    format: 'sarif'
                    output: 'trivy-results.sarif'

                - name: Upload Trivy results to GitHub Security tab
                  uses: github/codeql-action/upload-sarif@v3
                  if: always()
                  with:
                    sarif_file: 'trivy-results.sarif'
                    token: ${{ secrets.GITHUB_TOKEN }}