name: CI/CD Pipeline on: push: branches: [ main, production ] pull_request: branches: [ main, production ] env: NODE_VERSION: '20' DOCKER_IMAGE: portfolio-app CONTAINER_NAME: portfolio-app jobs: test: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 - name: Setup Node.js uses: actions/setup-node@v3 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - name: Install dependencies run: npm ci - name: Run linting run: npm run lint - name: Run tests run: npm run test - name: Build application run: npm run build security: runs-on: ubuntu-latest needs: test steps: - name: Checkout code uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.30.0 with: scan-type: 'fs' scan-ref: '.' format: 'table' output: 'trivy-results.txt' timeout: '10m' ignore-unfixed: true severity: 'CRITICAL,HIGH' continue-on-error: true - name: Run npm audit as fallback if: failure() run: | echo "Trivy failed, running npm audit as fallback..." npm audit --audit-level=high || true echo "Security scan completed with fallback method" - name: Upload Trivy scan results uses: actions/upload-artifact@v3 if: always() with: name: trivy-results path: trivy-results.txt retention-days: 7 build: runs-on: ubuntu-latest needs: test if: github.ref == 'refs/heads/production' steps: - name: Checkout code uses: actions/checkout@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Build Docker image run: | docker build -t ${{ env.DOCKER_IMAGE }}:latest . docker tag ${{ env.DOCKER_IMAGE }}:latest ${{ env.DOCKER_IMAGE }}:$(date +%Y%m%d-%H%M%S) - name: Save Docker image run: | docker save ${{ env.DOCKER_IMAGE }}:latest | gzip > ${{ env.DOCKER_IMAGE }}.tar.gz - name: Upload Docker image artifact uses: actions/upload-artifact@v3 with: name: docker-image path: ${{ env.DOCKER_IMAGE }}.tar.gz retention-days: 7 deploy: runs-on: ubuntu-latest needs: build if: github.ref == 'refs/heads/production' steps: - name: Checkout code uses: actions/checkout@v3 - name: Download Docker image artifact uses: actions/download-artifact@v3 with: name: docker-image path: ./ - name: Load Docker image run: | gunzip -c ${{ env.DOCKER_IMAGE }}.tar.gz | docker load - name: Stop existing services run: | docker-compose -f docker-compose.workflow.yml down || true - name: Verify secrets before deployment run: | echo "🔍 Verifying secrets..." if [ -z "${{ secrets.NEXT_PUBLIC_BASE_URL }}" ]; then echo "❌ NEXT_PUBLIC_BASE_URL secret is missing!" exit 1 fi if [ -z "${{ secrets.MY_EMAIL }}" ]; then echo "❌ MY_EMAIL secret is missing!" exit 1 fi if [ -z "${{ secrets.ADMIN_BASIC_AUTH }}" ]; then echo "❌ ADMIN_BASIC_AUTH secret is missing!" exit 1 fi echo "✅ All required secrets are present" - name: Start services with Docker Compose run: | docker-compose -f docker-compose.workflow.yml up -d env: NEXT_PUBLIC_BASE_URL: ${{ secrets.NEXT_PUBLIC_BASE_URL }} MY_EMAIL: ${{ secrets.MY_EMAIL }} MY_INFO_EMAIL: ${{ secrets.MY_INFO_EMAIL }} MY_PASSWORD: ${{ secrets.MY_PASSWORD }} MY_INFO_PASSWORD: ${{ secrets.MY_INFO_PASSWORD }} ADMIN_BASIC_AUTH: ${{ secrets.ADMIN_BASIC_AUTH }} - name: Verify container environment run: | echo "🔍 Checking container environment variables..." sleep 10 docker exec portfolio-app sh -c 'echo "NODE_ENV: $NODE_ENV" && echo "DATABASE_URL: $DATABASE_URL" && echo "REDIS_URL: $REDIS_URL" && echo "NEXT_PUBLIC_BASE_URL: $NEXT_PUBLIC_BASE_URL" && echo "MY_EMAIL: $MY_EMAIL" && echo "ADMIN_BASIC_AUTH: [HIDDEN]"' - name: Wait for container to be ready run: | sleep 10 timeout 60 bash -c 'until curl -f http://localhost:3000/api/health; do sleep 2; done' - name: Health check run: | curl -f http://localhost:3000/api/health echo "✅ Deployment successful!" - name: Cleanup old images run: | docker image prune -f docker system prune -f