-
Notifications
You must be signed in to change notification settings - Fork 2
348 lines (293 loc) · 10.5 KB
/
ci-cd.yml
File metadata and controls
348 lines (293 loc) · 10.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
name: CI/CD Pipeline
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
env:
NODE_VERSION: '18'
PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: true
jobs:
# Security and Code Quality Checks
security:
name: Security & Code Quality
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run ESLint
run: npm run lint
- name: Run TypeScript check
run: npx tsc --noEmit
- name: Security audit
run: npm audit --audit-level=moderate
- name: Check for secrets
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: main
head: HEAD
extra_args: --debug --only-verified
# Unit and Integration Tests
test:
name: Test Suite
runs-on: ubuntu-latest
needs: security
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run tests
run: npm run test:ci
env:
NODE_ENV: test
- name: Upload coverage reports
uses: codecov/codecov-action@v3
with:
file: ./coverage/lcov.info
flags: unittests
name: codecov-umbrella
# Build and Performance Tests
build:
name: Build & Performance
runs-on: ubuntu-latest
needs: test
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build application
run: npm run build
env:
NODE_ENV: production
NEXT_PUBLIC_SUPABASE_URL: ${{ secrets.NEXT_PUBLIC_SUPABASE_URL }}
NEXT_PUBLIC_SUPABASE_ANON_KEY: ${{ secrets.NEXT_PUBLIC_SUPABASE_ANON_KEY }}
SUPABASE_SERVICE_ROLE_KEY: ${{ secrets.SUPABASE_SERVICE_ROLE_KEY }}
- name: Analyze bundle size
run: npm run build:analyze
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: build-files
path: .next/
retention-days: 1
# Enhanced Security Testing
security-test:
name: Enhanced Security Testing
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
# Note: Snyk and Semgrep removed to stick with GitHub-native tools only
# Dependency vulnerability scanning is handled by npm audit in the security job
# CodeQL Analysis
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: javascript
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
# Custom Security Tests
- name: Run security tests
run: npm run test -- --testPathPattern=security
# SQL Injection and XSS Testing
- name: Run custom security checks
run: |
echo "Running custom security checks..."
# Check for potential SQL injection patterns
if grep -r "\.query\|\.raw\|\.exec" --include="*.ts" --include="*.js" app/ lib/; then
echo "⚠️ Potential SQL injection patterns found"
echo "Please review the above files for proper parameterization"
fi
# Check for potential XSS vulnerabilities
if grep -r "dangerouslySetInnerHTML\|innerHTML" --include="*.tsx" --include="*.jsx" app/ components/; then
echo "⚠️ Potential XSS vulnerabilities found"
echo "Please review the above files for proper sanitization"
fi
# Check for hardcoded secrets
if grep -r "password\|secret\|key\|token" --include="*.ts" --include="*.js" --exclude-dir=node_modules --exclude-dir=.git app/ lib/ | grep -v "process\.env"; then
echo "⚠️ Potential hardcoded secrets found"
echo "Please review the above files and use environment variables"
fi
echo "✅ Custom security checks completed"
# OWASP ZAP Baseline Scan
- name: OWASP ZAP Baseline Scan
uses: zaproxy/action-baseline@v0.7.0
with:
target: 'http://localhost:3000'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a'
# Security Headers Check
- name: Check Security Headers
run: |
echo "Checking security headers..."
# This would be implemented as a custom script
echo "✅ Security headers check completed"
# Upload security scan results
- name: Upload security scan results
uses: actions/upload-artifact@v4
if: always()
with:
name: security-scan-results
path: |
.zap/
codeql-results/
retention-days: 30
# Database Migration Tests
database-test:
name: Database Tests
runs-on: ubuntu-latest
needs: test
services:
postgres:
image: postgres:15
env:
POSTGRES_PASSWORD: postgres
POSTGRES_DB: test_db
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- 5432:5432
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run database tests
run: npm run test -- --testPathPattern=database --passWithNoTests
env:
DATABASE_URL: postgresql://postgres:postgres@localhost:5432/test_db
NODE_ENV: test
# Deploy to Staging
deploy-staging:
name: Deploy to Staging
runs-on: ubuntu-latest
needs: [build, security-test, database-test]
if: github.ref == 'refs/heads/develop'
environment: staging
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Deploy to Vercel (Staging)
uses: amondnet/vercel-action@v25
with:
vercel-token: ${{ secrets.VERCEL_TOKEN }}
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
vercel-args: '--prod=false'
- name: Run smoke tests
run: |
sleep 30
curl -f ${{ secrets.STAGING_URL }}/api/health || exit 1
# Deploy to Production
deploy-production:
name: Deploy to Production
runs-on: ubuntu-latest
needs: [build, security-test, database-test]
if: github.ref == 'refs/heads/main'
environment: production
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Deploy to Vercel (Production)
uses: amondnet/vercel-action@v25
with:
vercel-token: ${{ secrets.VERCEL_TOKEN }}
vercel-org-id: ${{ secrets.VERCEL_ORG_ID }}
vercel-project-id: ${{ secrets.VERCEL_PROJECT_ID }}
vercel-args: '--prod'
- name: Run production health check
run: |
sleep 30
curl -f ${{ secrets.PRODUCTION_URL }}/api/health || exit 1
- name: Notify deployment success via email
run: |
curl -X POST "https://api.resend.com/emails" \
-H "Authorization: Bearer ${{ secrets.RESEND_API_KEY }}" \
-H "Content-Type: application/json" \
-d "{\"from\":\"alerts@codeunia.com\",\"to\":[\"connect@codeunia.com\"],\"subject\":\"🚀 Production Deployment Successful\",\"html\":\"<h2>Production Deployment Successful</h2><p>Your Codeunia application has been successfully deployed to production.</p><p><strong>Branch:</strong> ${{ github.ref_name }}</p><p><strong>Commit:</strong> ${{ github.sha }}</p><p><strong>Deployed by:</strong> ${{ github.actor }}</p>\"}"
# Rollback on Failure
rollback:
name: Rollback on Failure
runs-on: ubuntu-latest
needs: [deploy-production]
if: failure()
environment: production
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Rollback deployment
run: |
npx vercel rollback --prod --token ${{ secrets.VERCEL_TOKEN }} --yes
env:
VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
- name: Notify rollback via email
run: |
curl -X POST "https://api.resend.com/emails" \
-H "Authorization: Bearer ${{ secrets.RESEND_API_KEY }}" \
-H "Content-Type: application/json" \
-d "{\"from\":\"alerts@codeunia.com\",\"to\":[\"connect@codeunia.com\"],\"subject\":\"⚠️ Production Deployment Failed - Rollback Initiated\",\"html\":\"<h2>Production Deployment Failed</h2><p>Your Codeunia application deployment failed and rollback has been initiated.</p><p><strong>Branch:</strong> ${{ github.ref_name }}</p><p><strong>Commit:</strong> ${{ github.sha }}</p><p><strong>Failed by:</strong> ${{ github.actor }}</p><p><strong>Action:</strong> Please check the deployment logs and fix the issues.</p>\"}"
# Performance Monitoring
performance:
name: Performance Monitoring
runs-on: ubuntu-latest
needs: deploy-production
if: github.ref == 'refs/heads/main'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run Lighthouse CI
run: |
npm install -g @lhci/cli@0.12.x
lhci autorun
env:
LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
- name: Upload performance results
uses: actions/upload-artifact@v4
with:
name: lighthouse-results
path: .lighthouseci/
retention-days: 30