it-stack-nextcloud/.github/workflows/ci.yml at main · it-stack-dev/it-stack-nextcloud · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
name: CI

on:
  push:
    branches: [main, develop, 'feature/**', 'bugfix/**']
  pull_request:
    branches: [main, develop]
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

jobs:
  validate:
    name: Validate Configuration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Validate Docker Compose files
        run: |
          for f in docker/docker-compose.*.yml; do
            echo "Validating: $f"
            docker compose -f "$f" config --no-interpolate -q
          done

      - name: ShellCheck — lab test scripts
        run: |
          sudo apt-get install -y shellcheck -qq
          shellcheck --severity=error tests/labs/*.sh

      - name: Validate module manifest
        run: |
          python3 -c "
          import sys, re
          with open('it-stack-nextcloud.yml') as f:
              content = f.read()
          required = ['module:', 'version:', 'phase:', 'category:', 'ports:']
          missing = [k for k in required if k not in content]
          if missing:
              print('Missing fields:', missing); sys.exit(1)
          print('Manifest valid')
          "

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: validate
    steps:
      - uses: actions/checkout@v4

      - name: Trivy — scan Dockerfile
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          exit-code: '0'
          severity: CRITICAL,HIGH

      - name: Trivy — SARIF output
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: config
          scan-ref: .
          format: sarif
          output: trivy-results.sarif

      - name: Upload SARIF to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif

  lab-01-smoke:
    name: Lab 01 — Nextcloud standalone (status.php, occ, WebDAV)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Install tools
        run: sudo apt-get install -y curl

      - name: Validate standalone compose
        run: |
          docker compose -f docker/docker-compose.standalone.yml config -q
          echo "Standalone compose valid"

      - name: Start standalone stack
        run: docker compose -f docker/docker-compose.standalone.yml up -d

      - name: Wait for Nextcloud (first-boot SQLite setup ~2 min)
        run: timeout 300 bash -c 'until curl -sf http://localhost:8080/status.php | grep -q \'"installed":true\'; do sleep 10; done'

      - name: Run Lab 06-01 test script
        run: bash tests/labs/test-lab-06-01.sh

      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.standalone.yml logs

      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.standalone.yml down -v

  lab-02-smoke:
    name: Lab 02 — Nextcloud LAN (PG, Redis, pgsql backend, Redis config)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4

      - name: Install tools
        run: sudo apt-get install -y curl

      - name: Validate LAN compose
        run: docker compose -f docker/docker-compose.lan.yml config -q && echo "LAN compose valid"

      - name: Start LAN stack
        run: docker compose -f docker/docker-compose.lan.yml up -d

      - name: Wait for PostgreSQL
        run: timeout 60 bash -c 'until docker compose -f docker/docker-compose.lan.yml exec -T db pg_isready -U ncuser -d nextcloud; do sleep 3; done'

      - name: Wait for Redis
        run: timeout 30 bash -c 'until docker compose -f docker/docker-compose.lan.yml exec -T redis redis-cli -a Lab02Redis! ping | grep -q PONG; do sleep 2; done'

      - name: Wait for Nextcloud (PG first-boot ~3 min)
        run: timeout 360 bash -c 'until curl -sf http://localhost:8080/status.php | grep -q "\"installed\":true"; do sleep 10; done'

      - name: Run Lab 06-02 test script
        run: bash tests/labs/test-lab-06-02.sh

      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.lan.yml logs

      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.lan.yml down -v

  lab-03-smoke:
    name: Lab 03 - Nextcloud Advanced (cron, resource limits, Redis policy)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install tools
        run: sudo apt-get install -y curl
      - name: Validate advanced compose
        run: docker compose -f docker/docker-compose.advanced.yml config -q && echo "Advanced compose valid"
      - name: Start advanced stack
        run: docker compose -f docker/docker-compose.advanced.yml up -d
      - name: Wait for PostgreSQL
        run: timeout 60 bash -c 'until docker compose -f docker/docker-compose.advanced.yml exec -T db pg_isready -U ncuser -d nextcloud; do sleep 3; done'
      - name: Wait for Nextcloud
        run: timeout 360 bash -c 'until curl -sf http://localhost:8080/status.php | grep -q "\"installed\":true"; do sleep 10; done'
      - name: Run Lab 06-03 test script
        run: bash tests/labs/test-lab-06-03.sh
      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.advanced.yml logs
      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.advanced.yml down -v
  lab-04-smoke:
    name: Lab 04 — Nextcloud SSO Integration (Keycloak OIDC)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install tools
        run: sudo apt-get install -y curl
      - name: Validate SSO compose
        run: docker compose -f docker/docker-compose.sso.yml config -q && echo "SSO compose valid"
      - name: Start SSO stack
        run: docker compose -f docker/docker-compose.sso.yml up -d
      - name: Wait for Keycloak
        run: timeout 120 bash -c 'until curl -sf http://localhost:8084/health/ready | grep -q UP; do sleep 5; done'
      - name: Wait for PostgreSQL
        run: timeout 60 bash -c 'until docker compose -f docker/docker-compose.sso.yml exec -T db pg_isready -U ncuser -d nextcloud; do sleep 3; done'
      - name: Wait for Nextcloud
        run: timeout 360 bash -c 'until curl -sf http://localhost:8080/status.php | grep -q "\"installed\":true"; do sleep 10; done'
      - name: Run Lab 06-04 test script
        run: bash tests/labs/test-lab-06-04.sh
      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.sso.yml logs
      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.sso.yml down -v
  lab-05-smoke:
    name: "Lab 05 — INT-02 Nextcloud+Keycloak OIDC, LDAP sync, user_oidc, WebDAV + INT-13 Nextcloud↔SuiteCRM CalDAV calendar sync"
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install tools
        run: sudo apt-get install -y curl ldap-utils python3
      - name: Validate integration compose
        run: docker compose -f docker/docker-compose.integration.yml config -q && echo "Integration compose valid"
      - name: Start integration stack
        run: docker compose -f docker/docker-compose.integration.yml up -d
      - name: Wait for OpenLDAP + ldap-seed (Keycloak depends on it)
        run: timeout 90 bash -c 'until docker exec nc-int-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapAdmin05! > /dev/null 2>&1; do sleep 5; done'
      - name: Wait for Keycloak (includes ldap-seed completion)
        run: timeout 240 bash -c 'until curl -sf http://localhost:8104/health/ready | grep -q UP; do sleep 5; done'
      - name: Wait for Nextcloud
        run: timeout 300 bash -c 'until curl -sf http://localhost:8100/status.php | grep -q "\"installed\":true"; do sleep 10; done'
      - name: Run Lab 06-05 test script
        run: bash tests/labs/test-lab-06-05.sh --no-cleanup
      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.integration.yml logs
      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.integration.yml down -v

  lab-06-smoke:
    name: Lab 06 -- Nextcloud Production Deployment (resource limits + metrics)
    runs-on: ubuntu-latest
    needs: validate
    continue-on-error: true
    steps:
      - uses: actions/checkout@v4
      - name: Install tools
        run: sudo apt-get install -y curl ldap-utils
      - name: Validate production compose
        run: docker compose -f docker/docker-compose.production.yml config -q && echo "Production compose valid"
      - name: Start production stack
        run: docker compose -f docker/docker-compose.production.yml up -d
      - name: Wait for Keycloak
        run: timeout 240 bash -c 'until curl -sf http://localhost:8204/health/ready | grep -q UP; do sleep 5; done'
      - name: Wait for OpenLDAP
        run: timeout 120 bash -c 'until docker exec nc-prod-ldap ldapsearch -x -H ldap://localhost -b dc=lab,dc=local -D cn=admin,dc=lab,dc=local -w LdapProd06! > /dev/null 2>&1; do sleep 5; done'
      - name: Wait for Nextcloud
        run: timeout 360 bash -c 'until curl -sf http://localhost:8200/status.php; do sleep 10; done'
      - name: Run Lab 06-06 test script
        run: bash tests/labs/test-lab-06-06.sh --no-cleanup
      - name: Collect logs on failure
        if: failure()
        run: docker compose -f docker/docker-compose.production.yml logs
      - name: Cleanup
        if: always()
        run: docker compose -f docker/docker-compose.production.yml down -v