denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

cleanup and Test pre-push hook

Browse Source
This commit is contained in:
denshooter
2025-09-12 23:31:46 +02:00
parent b34deb3c81
commit 83705af7f6
12 changed files with 453 additions and 1028 deletions
Download Patch File Download Diff File Expand all files Collapse all files

169
.gitea/workflows/ci-cd-old.yml
View File

@@ -1,169 +0,0 @@
name: CI/CD Pipeline
on:
push:
branches: [ main, production ]
pull_request:
branches: [ main, production ]
env:
NODE_VERSION: '20'
DOCKER_IMAGE: portfolio-app
CONTAINER_NAME: portfolio-app
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run linting
run: npm run lint
- name: Run tests
run: npm run test
- name: Build application
run: npm run build
security:
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.30.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'table'
output: 'trivy-results.txt'
timeout: '10m'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
continue-on-error: true
- name: Run npm audit as fallback
if: failure()
run: |
echo "Trivy failed, running npm audit as fallback..."
npm audit --audit-level=high || true
echo "Security scan completed with fallback method"
- name: Upload Trivy scan results
uses: actions/upload-artifact@v3
if: always()
with:
name: trivy-results
path: trivy-results.txt
retention-days: 7
build:
runs-on: ubuntu-latest
needs: test
if: github.ref == 'refs/heads/production'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build Docker image
run: |
docker build -t ${{ env.DOCKER_IMAGE }}:latest .
docker tag ${{ env.DOCKER_IMAGE }}:latest ${{ env.DOCKER_IMAGE }}:$(date +%Y%m%d-%H%M%S)
- name: Save Docker image
run: |
docker save ${{ env.DOCKER_IMAGE }}:latest | gzip > ${{ env.DOCKER_IMAGE }}.tar.gz
- name: Upload Docker image artifact
uses: actions/upload-artifact@v3
with:
name: docker-image
path: ${{ env.DOCKER_IMAGE }}.tar.gz
retention-days: 7
deploy:
runs-on: ubuntu-latest
needs: build
if: github.ref == 'refs/heads/production'
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Download Docker image artifact
uses: actions/download-artifact@v3
with:
name: docker-image
path: ./
- name: Load Docker image
run: |
gunzip -c ${{ env.DOCKER_IMAGE }}.tar.gz | docker load
- name: Stop existing services
run: |
docker-compose -f docker-compose.workflow.yml down || true
- name: Verify secrets before deployment
run: |
echo "🔍 Verifying secrets..."
if [ -z "${{ secrets.NEXT_PUBLIC_BASE_URL }}" ]; then
echo "❌ NEXT_PUBLIC_BASE_URL secret is missing!"
exit 1
fi
if [ -z "${{ secrets.MY_EMAIL }}" ]; then
echo "❌ MY_EMAIL secret is missing!"
exit 1
fi
if [ -z "${{ secrets.ADMIN_BASIC_AUTH }}" ]; then
echo "❌ ADMIN_BASIC_AUTH secret is missing!"
exit 1
fi
echo "✅ All required secrets are present"
- name: Start services with Docker Compose
run: |
docker-compose -f docker-compose.workflow.yml up -d
env:
NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
MY_EMAIL: ${{ secrets.MY_EMAIL }}
MY_INFO_EMAIL: ${{ secrets.MY_INFO_EMAIL }}
MY_PASSWORD: ${{ secrets.MY_PASSWORD }}
MY_INFO_PASSWORD: ${{ secrets.MY_INFO_PASSWORD }}
ADMIN_BASIC_AUTH: ${{ secrets.ADMIN_BASIC_AUTH }}
- name: Verify container environment
run: |
echo "🔍 Checking container environment variables..."
sleep 10
docker exec portfolio-app sh -c 'echo "NODE_ENV: $NODE_ENV" && echo "DATABASE_URL: $DATABASE_URL" && echo "REDIS_URL: $REDIS_URL" && echo "NEXT_PUBLIC_BASE_URL: $NEXT_PUBLIC_BASE_URL" && echo "MY_EMAIL: $MY_EMAIL" && echo "ADMIN_BASIC_AUTH: [HIDDEN]"'
- name: Wait for container to be ready
run: |
sleep 10
timeout 60 bash -c 'until curl -f http://localhost:3000/api/health; do sleep 2; done'
- name: Health check
run: |
curl -f http://localhost:3000/api/health
echo "✅ Deployment successful!"
- name: Cleanup old images
run: |
docker image prune -f
docker system prune -f

4
.gitea/workflows/ci-cd.yml
View File

@@ -81,7 +81,7 @@ jobs:
- name: Stop existing services
run: |
docker-compose -f docker-compose.workflow.yml down || true
docker-compose down || true
- name: Verify secrets before deployment
run: |
@@ -102,7 +102,7 @@ jobs:
- name: Start services with Docker Compose
run: |
docker-compose -f docker-compose.workflow.yml up -d
docker-compose up -d
env:
NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
MY_EMAIL: ${{ secrets.MY_EMAIL }}

78
.gitea/workflows/quick-deploy.yml
View File

@@ -1,78 +0,0 @@
name: Quick Deploy
on:
push:
branches: [ main ]
workflow_dispatch:
env:
NODE_VERSION: '20'
DOCKER_IMAGE: portfolio-app
CONTAINER_NAME: portfolio-app
jobs:
quick-deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build application
run: npm run build
- name: Build Docker image
run: |
docker build -t ${{ env.DOCKER_IMAGE }}:latest .
- name: Stop existing services
run: |
docker-compose -f docker-compose.workflow.yml down || true
- name: Verify secrets before deployment
run: |
echo "🔍 Verifying secrets..."
if [ -z "${{ secrets.NEXT_PUBLIC_BASE_URL }}" ]; then
echo "❌ NEXT_PUBLIC_BASE_URL secret is missing!"
exit 1
fi
if [ -z "${{ secrets.MY_EMAIL }}" ]; then
echo "❌ MY_EMAIL secret is missing!"
exit 1
fi
if [ -z "${{ secrets.ADMIN_BASIC_AUTH }}" ]; then
echo "❌ ADMIN_BASIC_AUTH secret is missing!"
exit 1
fi
echo "✅ All required secrets are present"
- name: Start services with Docker Compose
run: |
docker-compose -f docker-compose.workflow.yml up -d
env:
NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
MY_EMAIL: ${{ secrets.MY_EMAIL }}
MY_INFO_EMAIL: ${{ secrets.MY_INFO_EMAIL }}
MY_PASSWORD: ${{ secrets.MY_PASSWORD }}
MY_INFO_PASSWORD: ${{ secrets.MY_INFO_PASSWORD }}
ADMIN_BASIC_AUTH: ${{ secrets.ADMIN_BASIC_AUTH }}
- name: Verify container environment
run: |
echo "🔍 Checking container environment variables..."
sleep 10
docker exec portfolio-app sh -c 'echo "NODE_ENV: $NODE_ENV" && echo "DATABASE_URL: $DATABASE_URL" && echo "REDIS_URL: $REDIS_URL" && echo "NEXT_PUBLIC_BASE_URL: $NEXT_PUBLIC_BASE_URL" && echo "MY_EMAIL: $MY_EMAIL" && echo "ADMIN_BASIC_AUTH: [HIDDEN]"'
- name: Health check
run: |
sleep 10
curl -f http://localhost:3000/api/health
echo "✅ Quick deployment successful!"

78
.gitea/workflows/security-scan.yml
View File

@@ -1,78 +0,0 @@
name: Security Scan
on:
push:
branches: [ main, production ]
pull_request:
branches: [ main, production ]
schedule:
- cron: '0 2 * * 1' # Weekly on Monday at 2 AM
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run npm audit
run: |
echo "🔍 Running npm audit for dependency vulnerabilities..."
npm audit --audit-level=high --json > npm-audit-results.json || true
npm audit --audit-level=high || echo "⚠️ Some vulnerabilities found, but continuing..."
- name: Run Trivy (with fallback)
run: |
echo "🔍 Attempting Trivy scan..."
# Try to install and run Trivy directly
wget -qO- https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy fs --scanners vuln,secret --format table . > trivy-results.txt 2>&1 || {
echo "⚠️ Trivy scan failed, but continuing with other checks..."
echo "Trivy scan failed due to network issues" > trivy-results.txt
}
- name: Check for secrets
run: |
echo "🔍 Checking for potential secrets..."
chmod +x scripts/check-secrets.sh
if ./scripts/check-secrets.sh; then
echo "✅ No secrets found in code"
else
echo "❌ Secrets detected - please review"
exit 1
fi
- name: Upload security scan results
uses: actions/upload-artifact@v3
if: always()
with:
name: security-scan-results
path: |
npm-audit-results.json
trivy-results.txt
retention-days: 30
- name: Security scan summary
run: |
echo "## Security Scan Summary"
echo "### NPM Audit Results"
if [ -f npm-audit-results.json ]; then
echo "✅ NPM audit completed"
else
echo "❌ NPM audit failed"
fi
echo "### Trivy Results"
if [ -f trivy-results.txt ]; then
echo "✅ Trivy scan completed"
else
echo "❌ Trivy scan failed"
fi