Optimize CI/CD pipeline - remove redundant builds

- Replace inefficient multi-job pipeline with simple single-job approach - Eliminate duplicate builds (npm build + docker build) - Reduce pipeline complexity and execution time - Keep old pipeline as backup (ci-cd-old.yml) - Simple pipeline: Install → Lint → Test → Build → Security → Deploy (production only) - Non-production branches: Install → Lint → Test → Build → Security
2025-09-12 23:28:11 +02:00
parent a4c61172f6
commit b34deb3c81
2 changed files with 201 additions and 74 deletions
--- a/.gitea/workflows/ci-cd-old.yml
+++ b/.gitea/workflows/ci-cd-old.yml
@@ -0,0 +1,169 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [ main, production ]
+  pull_request:
+    branches: [ main, production ]
+
+env:
+  NODE_VERSION: '20'
+  DOCKER_IMAGE: portfolio-app
+  CONTAINER_NAME: portfolio-app
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linting
+        run: npm run lint
+
+      - name: Run tests
+        run: npm run test
+
+      - name: Build application
+        run: npm run build
+
+  security:
+    runs-on: ubuntu-latest
+    needs: test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          output: 'trivy-results.txt'
+          timeout: '10m'
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+        continue-on-error: true
+
+      - name: Run npm audit as fallback
+        if: failure()
+        run: |
+          echo "Trivy failed, running npm audit as fallback..."
+          npm audit --audit-level=high || true
+          echo "Security scan completed with fallback method"
+
+      - name: Upload Trivy scan results
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: trivy-results
+          path: trivy-results.txt
+          retention-days: 7
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.ref == 'refs/heads/production'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Build Docker image
+        run: |
+          docker build -t ${{ env.DOCKER_IMAGE }}:latest .
+          docker tag ${{ env.DOCKER_IMAGE }}:latest ${{ env.DOCKER_IMAGE }}:$(date +%Y%m%d-%H%M%S)
+
+      - name: Save Docker image
+        run: |
+          docker save ${{ env.DOCKER_IMAGE }}:latest | gzip > ${{ env.DOCKER_IMAGE }}.tar.gz
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: docker-image
+          path: ${{ env.DOCKER_IMAGE }}.tar.gz
+          retention-days: 7
+
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/production'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: docker-image
+          path: ./
+
+      - name: Load Docker image
+        run: |
+          gunzip -c ${{ env.DOCKER_IMAGE }}.tar.gz | docker load
+
+      - name: Stop existing services
+        run: |
+          docker-compose -f docker-compose.workflow.yml down || true
+
+      - name: Verify secrets before deployment
+        run: |
+          echo "🔍 Verifying secrets..."
+          if [ -z "${{ secrets.NEXT_PUBLIC_BASE_URL }}" ]; then
+            echo "❌ NEXT_PUBLIC_BASE_URL secret is missing!"
+            exit 1
+          fi
+          if [ -z "${{ secrets.MY_EMAIL }}" ]; then
+            echo "❌ MY_EMAIL secret is missing!"
+            exit 1
+          fi
+          if [ -z "${{ secrets.ADMIN_BASIC_AUTH }}" ]; then
+            echo "❌ ADMIN_BASIC_AUTH secret is missing!"
+            exit 1
+          fi
+          echo "✅ All required secrets are present"
+
+      - name: Start services with Docker Compose
+        run: |
+          docker-compose -f docker-compose.workflow.yml up -d
+        env:
+          NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }}
+          MY_EMAIL: ${{ secrets.MY_EMAIL }}
+          MY_INFO_EMAIL: ${{ secrets.MY_INFO_EMAIL }}
+          MY_PASSWORD: ${{ secrets.MY_PASSWORD }}
+          MY_INFO_PASSWORD: ${{ secrets.MY_INFO_PASSWORD }}
+          ADMIN_BASIC_AUTH: ${{ secrets.ADMIN_BASIC_AUTH }}
+
+      - name: Verify container environment
+        run: |
+          echo "🔍 Checking container environment variables..."
+          sleep 10
+          docker exec portfolio-app sh -c 'echo "NODE_ENV: $NODE_ENV" && echo "DATABASE_URL: $DATABASE_URL" && echo "REDIS_URL: $REDIS_URL" && echo "NEXT_PUBLIC_BASE_URL: $NEXT_PUBLIC_BASE_URL" && echo "MY_EMAIL: $MY_EMAIL" && echo "ADMIN_BASIC_AUTH: [HIDDEN]"'
+
+      - name: Wait for container to be ready
+        run: |
+          sleep 10
+          timeout 60 bash -c 'until curl -f http://localhost:3000/api/health; do sleep 2; done'
+
+      - name: Health check
+        run: |
+          curl -f http://localhost:3000/api/health
+          echo "✅ Deployment successful!"
+
+      - name: Cleanup old images
+        run: |
+          docker image prune -f
+          docker system prune -f
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -1,4 +1,4 @@
-name: CI/CD Pipeline
+name: CI/CD Pipeline (Simple)

 on:
  push:
@@ -12,8 +12,10 @@ env:
  CONTAINER_NAME: portfolio-app

 jobs:
-  test:
+  # Single job that does everything for non-production branches
+  test-and-build:
    runs-on: ubuntu-latest
+    if: github.ref != 'refs/heads/production'
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
@@ -36,85 +38,47 @@ jobs:
      - name: Build application
        run: npm run build

-  security:
-    runs-on: ubuntu-latest
-    needs: test
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.30.0
-        with:
-          scan-type: 'fs'
-          scan-ref: '.'
-          format: 'table'
-          output: 'trivy-results.txt'
-          timeout: '10m'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-        continue-on-error: true
-
-      - name: Run npm audit as fallback
-        if: failure()
+      - name: Run security scan
        run: |
-          echo "Trivy failed, running npm audit as fallback..."
-          npm audit --audit-level=high || true
-          echo "Security scan completed with fallback method"
+          echo "🔍 Running npm audit..."
+          npm audit --audit-level=high || echo "⚠️ Some vulnerabilities found, but continuing..."

-      - name: Upload Trivy scan results
-        uses: actions/upload-artifact@v3
-        if: always()
-        with:
-          name: trivy-results
-          path: trivy-results.txt
-          retention-days: 7
-
-  build:
+  # Production deployment pipeline
+  production:
    runs-on: ubuntu-latest
-    needs: test
    if: github.ref == 'refs/heads/production'
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linting
+        run: npm run lint
+
+      - name: Run tests
+        run: npm run test
+
+      - name: Build application
+        run: npm run build
+
+      - name: Run security scan
+        run: |
+          echo "🔍 Running npm audit..."
+          npm audit --audit-level=high || echo "⚠️ Some vulnerabilities found, but continuing..."

      - name: Build Docker image
        run: |
          docker build -t ${{ env.DOCKER_IMAGE }}:latest .
          docker tag ${{ env.DOCKER_IMAGE }}:latest ${{ env.DOCKER_IMAGE }}:$(date +%Y%m%d-%H%M%S)

-      - name: Save Docker image
-        run: |
-          docker save ${{ env.DOCKER_IMAGE }}:latest | gzip > ${{ env.DOCKER_IMAGE }}.tar.gz
-
-      - name: Upload Docker image artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: docker-image
-          path: ${{ env.DOCKER_IMAGE }}.tar.gz
-          retention-days: 7
-
-  deploy:
-    runs-on: ubuntu-latest
-    needs: build
-    if: github.ref == 'refs/heads/production'
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v3
-        with:
-          name: docker-image
-          path: ./
-
-      - name: Load Docker image
-        run: |
-          gunzip -c ${{ env.DOCKER_IMAGE }}.tar.gz | docker load
-
      - name: Stop existing services
        run: |
          docker-compose -f docker-compose.workflow.yml down || true
@@ -147,12 +111,6 @@ jobs:
          MY_INFO_PASSWORD: ${{ secrets.MY_INFO_PASSWORD }}
          ADMIN_BASIC_AUTH: ${{ secrets.ADMIN_BASIC_AUTH }}

-      - name: Verify container environment
-        run: |
-          echo "🔍 Checking container environment variables..."
-          sleep 10
-          docker exec portfolio-app sh -c 'echo "NODE_ENV: $NODE_ENV" && echo "DATABASE_URL: $DATABASE_URL" && echo "REDIS_URL: $REDIS_URL" && echo "NEXT_PUBLIC_BASE_URL: $NEXT_PUBLIC_BASE_URL" && echo "MY_EMAIL: $MY_EMAIL" && echo "ADMIN_BASIC_AUTH: [HIDDEN]"'
-
      - name: Wait for container to be ready
        run: |
          sleep 10