Upload Lambda #5
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Backend Lambda CI/CD | |
| on: | |
| push: | |
| branches: [ "main", "dev" ] | |
| paths: | |
| - 'backend/**' | |
| pull_request: | |
| branches: [ "main", "dev" ] | |
| paths: | |
| - 'backend/**' | |
| jobs: | |
| GitLeaks: | |
| runs-on: ubuntu-latest | |
| name: Check for leaked secrets | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: GitLeaks Scan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| Build: | |
| runs-on: ubuntu-latest | |
| needs: GitLeaks | |
| name: Test and Build Lambda | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20.x' | |
| cache: npm | |
| cache-dependency-path: 'backend/package-lock.json' | |
| - name: Install dependencies | |
| run: | | |
| cd backend | |
| npm install | |
| - name: Run tests | |
| run: | | |
| cd backend | |
| if [ -f "package.json" ] && grep -q "\"test\":" "package.json"; then | |
| npm test | |
| else | |
| echo "No test script found, skipping tests" | |
| fi | |
| - name: Build Lambda package | |
| run: | | |
| cd backend | |
| if [ -f "package.json" ] && grep -q "\"build\":" "package.json"; then | |
| npm run build | |
| else | |
| echo "No build script found, skipping build" | |
| fi | |
| # Tạo ZIP package cho Lambda | |
| npm prune --production # Loại bỏ dev dependencies | |
| zip -r lambda-package.zip . -x "*.git*" "*.github*" "tests/*" "src/*" "*.ts" | |
| - name: Upload Lambda artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: lambda-package | |
| path: backend/lambda-package.zip | |
| SAST: | |
| runs-on: ubuntu-latest | |
| needs: Build | |
| name: SAST - SonarCloud | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: SonarCloud Scan | |
| uses: sonarsource/sonarcloud-github-action@master | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| with: | |
| args: > | |
| -Dsonar.organization=giabao-22520120 | |
| -Dsonar.projectKey=giabao-22520120_devsecops | |
| SCA: | |
| runs-on: ubuntu-latest | |
| needs: SAST | |
| name: SCA Scans | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run npm audit | |
| run: | | |
| cd backend | |
| npm install | |
| npm audit --audit-level=high | |
| - name: Run Snyk | |
| uses: snyk/actions/node@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| - name: OWASP Dependency Check | |
| uses: dependency-check/Dependency-Check_Action@main | |
| with: | |
| project: 'Backend' | |
| path: 'backend' | |
| format: 'HTML' | |
| out: 'reports' | |
| Deploy: | |
| runs-on: ubuntu-latest | |
| needs: SCA | |
| if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/dev' | |
| name: Deploy Lambda to AWS | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Download Lambda package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: lambda-package | |
| path: backend | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ap-southeast-1 | |
| - name: Upload to S3 | |
| run: | | |
| # Xác định environment từ branch | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| # Xác định tên bucket từ Terraform | |
| BUCKET_NAME="product-tracer-lambda-deployments-${ENV}" | |
| VERSION="${{ github.sha }}" | |
| # Upload Lambda package | |
| aws s3 cp backend/lambda-package.zip s3://${BUCKET_NAME}/lambda-packages/lambda_service-${VERSION}.zip | |
| - name: Update Lambda function | |
| run: | | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| BUCKET_NAME="product-tracer-lambda-deployments-${ENV}" | |
| FUNCTION_NAME="lambda_service-${ENV}" | |
| VERSION="${{ github.sha }}" | |
| # Cập nhật Lambda function | |
| aws lambda update-function-code \ | |
| --function-name ${FUNCTION_NAME} \ | |
| --s3-bucket ${BUCKET_NAME} \ | |
| --s3-key lambda-packages/lambda_service-${VERSION}.zip | |
| UpdateIaC: | |
| runs-on: ubuntu-latest | |
| needs: Deploy | |
| name: Update Terraform Config | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Update Lambda package reference in Terraform | |
| run: | | |
| ENV=$([ "${{ github.ref }}" == "refs/heads/main" ] && echo "prod" || echo "dev") | |
| VERSION="${{ github.sha }}" | |
| # Cập nhật biến app_version trong file variables.tf | |
| VARS_FILE="terraform/environments/$ENV/variables.tf" | |
| # Cập nhật giá trị biến app_version | |
| sed -i "/variable \"app_version\"/,/}/ s|default *= *\".*\"|default = \"${VERSION}\"|" $VARS_FILE | |
| # Commit và push thay đổi | |
| git config --global user.name "GitHub Actions" | |
| git config --global user.email "github-actions@github.com" | |
| git add $VARS_FILE | |
| git commit -m "Update app_version for Lambda deployment [skip ci]" | |
| git push |