ci: add production CI, release, and security scan workflows

Author: RedjiJB

.github/workflows/ci.yml

@@ -2,44 +2,98 @@ name: CI
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main, develop, 'feature/**', 'bugfix/**']
   pull_request:
     branches: [main, develop]
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
-  lint:
-    name: Lint
+  validate:
+    name: Validate Configuration
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - name: Validate docker-compose files
+
+      - name: Validate Docker Compose files
         run: |
           for f in docker/docker-compose.*.yml; do
-            echo "Validating \..."
-            docker compose -f "\" config -q
+            echo "Validating: $f"
+            docker compose -f "$f" config -q
           done
-      - name: Lint shell scripts
+
+      - name: ShellCheck — lab test scripts
         run: |
-          sudo apt-get install -y shellcheck
-          shellcheck tests/labs/*.sh docker/entrypoint.sh
+          sudo apt-get install -y shellcheck -qq
+          shellcheck tests/labs/*.sh
 
-  test-lab-01:
-    name: Lab 01 — Standalone
-    runs-on: ubuntu-latest
-    needs: lint
-    steps:
-      - uses: actions/checkout@v4
-      - name: Run Lab 01
-        run: bash tests/labs/test-lab-03-01.sh
+      - name: Validate module manifest
+        run: |
+          python3 -c "
+          import sys, re
+          with open('it-stack-postgresql.yml') as f:
+              content = f.read()
+          required = ['module:', 'version:', 'phase:', 'category:', 'ports:']
+          missing = [k for k in required if k not in content]
+          if missing:
+              print('Missing fields:', missing); sys.exit(1)
+          print('Manifest valid')
+          "
 
   security-scan:
     name: Security Scan
     runs-on: ubuntu-latest
-    needs: lint
+    needs: validate
     steps:
       - uses: actions/checkout@v4
-      - name: Run Trivy on Dockerfile
-        uses: aquasecurity/trivy-action@master
+
+      - name: Trivy — scan Dockerfile
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: config
+          scan-ref: .
+          exit-code: '0'
+          severity: CRITICAL,HIGH
+
+      - name: Trivy — SARIF output
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: config
           scan-ref: .
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload SARIF to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
+
+  lab-01-smoke:
+    name: Lab 01 — Smoke Test
+    runs-on: ubuntu-latest
+    needs: validate
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Start standalone stack
+        run: docker compose -f docker/docker-compose.standalone.yml up -d
+
+      - name: Wait for health
+        run: |
+          echo "Waiting for services to be healthy..."
+          sleep 30
+          docker compose -f docker/docker-compose.standalone.yml ps
+
+      - name: Run Lab 01 test script
+        run: bash tests/labs/test-lab-01.sh
+
+      - name: Collect logs on failure
+        if: failure()
+        run: docker compose -f docker/docker-compose.standalone.yml logs
+
+      - name: Cleanup
+        if: always()
+        run: docker compose -f docker/docker-compose.standalone.yml down -v

.github/workflows/release.yml

@@ -2,32 +2,63 @@ name: Release
 
 on:
   push:
-    tags: ['v*.*.*']
+    tags:
+      - 'v*.*.*'
+
+permissions:
+  contents: write
+  packages: write
 
 jobs:
   build-and-push:
     name: Build and Push Docker Image
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
     steps:
       - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to GHCR
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Extract metadata
         id: meta
         uses: docker/metadata-action@v5
         with:
           images: ghcr.io/it-stack-dev/it-stack-postgresql
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha,prefix=sha-,format=short
+
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
           context: .
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Trivy — scan released image
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ghcr.io/it-stack-dev/it-stack-postgresql:${{ steps.meta.outputs.version }}
+          scan-type: image
+          exit-code: '0'
+          severity: CRITICAL,HIGH
+          format: table
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: |
+            it-stack-postgresql.yml

.github/workflows/security.yml

@@ -0,0 +1,40 @@
+name: Security Scan (Scheduled)
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'   # Every Monday at 02:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  trivy-scan:
+    name: Trivy Full Scan
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Trivy — filesystem scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          format: sarif
+          output: trivy-fs.sarif
+          severity: CRITICAL,HIGH,MEDIUM
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-fs.sarif
+
+      - name: Trivy — config scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: config
+          scan-ref: .
+          format: table
+          severity: CRITICAL,HIGH