ENI-DevSecOps/.github/workflows/ci.yml

name: Task Manager CI/CD

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

jobs:
  lint:
    name: Lint & Format Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install linting tools
        run: |
          python -m pip install --upgrade pip
          pip install black flake8 isort

      - name: Check code formatting (black)
        run: black --check backend/

      - name: Check import sorting (isort)
        run: isort --check-only backend/

      - name: Lint code (flake8)
        run: flake8 backend/ --max-line-length=100


  test:
    name: Run Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r backend/requirements.txt
          pip install pytest pytest-cov

      - name: Run unit tests
        run: |
          if [ -d backend/tests ]; then
            pytest backend/tests/ -v --cov=backend/app
          else
            echo "No tests found in backend/tests/"
          fi

  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: 'backend/'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'