4dc9dcb17b
✅ Dependabot Configuration: - Automated dependency updates (weekly) - Security vulnerability alerts - GitHub Actions updates - Automatic PR creation for updates ✅ Enhanced Trivy Scanning: - Added secret scanning (credentials detection) - Added configuration scanning (misconfigurations) - Comprehensive security coverage ✅ Updated Security Policy: - Added Dependabot to security features - Added secret and configuration scanning - Professional security documentation �� Alternative to Code Scanning: - Dependabot for dependency security - Trivy for comprehensive scanning - No GitHub Advanced Security needed
194 lines
5.5 KiB
YAML
194 lines
5.5 KiB
YAML
name: CI/CD Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches: [main, production]
|
|
pull_request:
|
|
branches: [main, production]
|
|
|
|
env:
|
|
REGISTRY: ghcr.io
|
|
IMAGE_NAME: ${{ github.repository }}
|
|
|
|
jobs:
|
|
# Test Job
|
|
test:
|
|
name: Run Tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
|
|
- name: Install dependencies
|
|
run: npm ci
|
|
|
|
- name: Create test environment file
|
|
run: |
|
|
cat > .env <<EOF
|
|
NODE_ENV=test
|
|
NEXT_PUBLIC_BASE_URL=http://localhost:3000
|
|
MY_EMAIL=test@example.com
|
|
MY_INFO_EMAIL=test@example.com
|
|
MY_PASSWORD=test
|
|
MY_INFO_PASSWORD=test
|
|
NEXT_PUBLIC_UMAMI_URL=https://analytics.dk0.dev
|
|
NEXT_PUBLIC_UMAMI_WEBSITE_ID=b3665829-927a-4ada-b9bb-fcf24171061e
|
|
ADMIN_BASIC_AUTH=admin:test
|
|
LOG_LEVEL=info
|
|
EOF
|
|
|
|
- name: Run linting
|
|
run: npm run lint
|
|
|
|
- name: Run tests
|
|
run: npm run test
|
|
|
|
- name: Build application
|
|
run: npm run build
|
|
|
|
# Security scan
|
|
security:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
needs: test
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
skip-version-check: true
|
|
scanners: 'vuln,secret,config'
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
# Build and push Docker image
|
|
build:
|
|
name: Build and Push Docker Image
|
|
runs-on: ubuntu-latest
|
|
needs: [test, security]
|
|
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/production')
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract metadata
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=sha,prefix={{branch}}-
|
|
type=raw,value=latest,enable={{is_default_branch}}
|
|
|
|
- name: Create production environment file
|
|
run: |
|
|
cat > .env <<EOF
|
|
NODE_ENV=production
|
|
NEXT_PUBLIC_BASE_URL=${{ vars.NEXT_PUBLIC_BASE_URL }}
|
|
MY_EMAIL=${{ vars.MY_EMAIL }}
|
|
MY_INFO_EMAIL=${{ vars.MY_INFO_EMAIL }}
|
|
MY_PASSWORD=${{ secrets.MY_PASSWORD }}
|
|
MY_INFO_PASSWORD=${{ secrets.MY_INFO_PASSWORD }}
|
|
NEXT_PUBLIC_UMAMI_URL=${{ vars.NEXT_PUBLIC_UMAMI_URL }}
|
|
NEXT_PUBLIC_UMAMI_WEBSITE_ID=${{ vars.NEXT_PUBLIC_UMAMI_WEBSITE_ID }}
|
|
ADMIN_BASIC_AUTH=${{ secrets.ADMIN_BASIC_AUTH }}
|
|
LOG_LEVEL=info
|
|
EOF
|
|
|
|
- name: Build and push Docker image
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm64
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
# Deploy to server
|
|
deploy:
|
|
name: Deploy to Server
|
|
runs-on: self-hosted
|
|
needs: build
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/production'
|
|
environment: production
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Deploy to server
|
|
run: |
|
|
# Set deployment variables
|
|
export IMAGE_NAME="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:production"
|
|
export CONTAINER_NAME="portfolio-app"
|
|
export COMPOSE_FILE="docker-compose.prod.yml"
|
|
|
|
# Pull latest image
|
|
docker pull $IMAGE_NAME
|
|
|
|
# Stop and remove old container
|
|
docker-compose -f $COMPOSE_FILE down || true
|
|
|
|
# Start new container
|
|
docker-compose -f $COMPOSE_FILE up -d
|
|
|
|
# Wait for health check
|
|
echo "Waiting for application to be healthy..."
|
|
timeout 60 bash -c 'until curl -f http://localhost:3000/api/health; do sleep 2; done'
|
|
|
|
# Verify deployment
|
|
if curl -f http://localhost:3000/api/health; then
|
|
echo "✅ Deployment successful!"
|
|
else
|
|
echo "❌ Deployment failed!"
|
|
docker-compose -f $COMPOSE_FILE logs
|
|
exit 1
|
|
fi
|
|
|
|
- name: Cleanup old images
|
|
run: |
|
|
# Remove unused images older than 7 days
|
|
docker image prune -f --filter "until=168h"
|
|
|
|
# Remove unused containers
|
|
docker container prune -f
|