test-cicd

.github/workflows/cicd.yml

@@ -0,0 +1,88 @@
+name: CI/CD Pipeline
+
+on:
+    pull_request:
+        branches: [main, development]
+    push:
+        branches: [main, development]
+        # Consider how you want to handle version tags
+        tags: ['v*.*.*']
+
+permissions:
+    contents: read
+    packages: write
+    security-events: write
+
+env:
+    REGISTRY: ghcr.io
+    PYTHON_VERSION: '3.13'
+
+jobs:
+    setup:
+        runs-on: ubuntu-latest
+        outputs:
+            image_base: ${{ steps.vars.outputs.image_base }}
+            pr_tag: ${{ steps.vars.outputs.pr_tag }}
+            commit_sha: ${{ steps.vars.outputs.commit_sha }}
+            commit_sha_short: ${{ steps.vars.outputs.commit_sha_short }}
+            test_image_tag: ${{ steps.vars.outputs.test_image_tag }}
+        steps:
+            - name: Compute image vars
+              id: vars
+              shell: bash
+              run: |
+                set -euo pipefail
+                ORG="$(echo "${GITHUB_REPOSITORY_OWNER}" | tr '[:upper:]' '[:lower:]')"
+                REPO="$(basename "${GITHUB_REPOSITORY}")"
+                IMAGE_BASE="${REGISTRY}/${ORG}/${REPO}"
+                echo "image_base=${IMAGE_BASE}" >> "$GITHUB_OUTPUT"
+
+                if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
+                    PR_NUM="${{ github.event.pull_request.number }}"
+                    PR_TAG="pr-${PR_NUM}-build"
+                    echo "pr_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
+                    echo "test_image_tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
+                fi
+
+                if [ "${GITHUB_EVENT_NAME}" = "push" ]; then
+                    COMMIT_SHA="${GITHUB_SHA}"
+                    SHORT_SHA="${COMMIT_SHA:0:12}"
+                    echo "commit_sha=${COMMIT_SHA}" >> "$GITHUB_OUTPUT"
+                    echo "commit_sha_short=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+                    echo "test_image_tag=${SHORT_SHA}" >> "$GITHUB_OUTPUT"
+                fi
+
+    build-and-scan:
+        name: Build and Scan Container
+        runs-on: ubuntu-latest
+        needs: setup
+        steps:
+          - uses: actions/checkout@v4
+          - name: Log in to GitLab Container Registry
+            uses: docker/login-action@v3
+            with:
+              registry: gitlab.sh.nextgenwaterprediction.com
+              username: ${{ secrets.GITLAB_REGISTRY_USER }}
+              password: ${{ secrets.GITLAB_REGISTRY_PAT }}
+          - name: Build image for scanning
+            id: build
+            uses: docker/build-push-action@v6
+            with:
+              context: .
+              file: ./Dockerfile-gitlab
+              # Load the image to the local Docker daemon, but do not push it
+              load: true
+              tags: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
+          - name: Scan container with Trivy
+            uses: aquasecurity/trivy-action@0.20.0
+            with:
+              # Scan the locally available image
+              image-ref: ${{ needs.setup.outputs.image_base }}:${{ needs.setup.outputs.test_image_tag }}
+              format: 'template'
+              template: '@/contrib/sarif.tpl'
+              output: 'trivy-results.sarif'
+              severity: 'CRITICAL,HIGH'
+          - name: Upload Trivy SARIF
+            uses: github/codeql-action/upload-sarif@v3
+            with:
+              sarif_file: 'trivy-results.sarif'