Skip to content
CI

CI #15

Sign in to view logs

CI

CI #15

Workflow file for this run

.github/workflows/ci.yml at d86b1b1
name: CI
on:
push:
branches: [main, develop, 'feature/**', 'bugfix/**']
pull_request:
branches: [main, develop]
workflow_dispatch:
permissions:
contents: read
security-events: write
jobs:
validate:
name: Validate Configuration
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate Docker Compose files
run: |
echo "Validating: docker/docker-compose.standalone.yml"
docker compose -f docker/docker-compose.standalone.yml config -q
echo "OK: docker/docker-compose.standalone.yml"
echo "Validating: docker/docker-compose.lan.yml"
docker compose -f docker/docker-compose.lan.yml config -q
echo "OK: docker/docker-compose.lan.yml"
for f in docker/docker-compose.advanced.yml docker/docker-compose.sso.yml; do
echo "Checking scaffold: $f"
docker compose -f "$f" config --no-interpolate -q 2>&1 && echo "OK: $f" \
|| echo "WARN: $f has placeholder variables (scaffold — not yet built out)"
done
echo "Validating: docker/docker-compose.integration.yml"
docker compose -f docker/docker-compose.integration.yml config -q
echo "OK: docker/docker-compose.integration.yml"
echo "Validating: docker/docker-compose.production.yml"
docker compose -f docker/docker-compose.production.yml config -q
echo "OK: docker/docker-compose.production.yml"
- name: ShellCheck — lab test scripts
run: |
sudo apt-get install -y shellcheck -qq
shellcheck --severity=error tests/labs/*.sh
- name: Validate module manifest
run: |
python3 -c "
import sys, re
with open('it-stack-traefik.yml') as f:
content = f.read()
required = ['module:', 'version:', 'phase:', 'category:', 'ports:']
missing = [k for k in required if k not in content]
if missing:
print('Missing fields:', missing); sys.exit(1)
print('Manifest valid')
"
security-scan:
name: Security Scan
runs-on: ubuntu-latest
needs: validate
steps:
- uses: actions/checkout@v4
- name: Trivy — scan Dockerfile
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: config
scan-ref: .
exit-code: '0'
severity: CRITICAL,HIGH
- name: Trivy — SARIF output
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: config
scan-ref: .
format: sarif
output: trivy-results.sarif
- name: Upload SARIF to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy-results.sarif
lab-01-smoke:
name: Lab 01 — Smoke Test
runs-on: ubuntu-latest
needs: validate
continue-on-error: true # scaffold stubs; full lab runs on real VMs
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y netcat-openbsd
- name: Start standalone stack
run: docker compose -f docker/docker-compose.standalone.yml up -d
- name: Wait for Traefik to be ready
run: |
echo "Waiting for Traefik ping endpoint..."
timeout 60 bash -c 'until curl -sf http://localhost:80/ping > /dev/null 2>&1; do sleep 2; done'
echo "Traefik is ready"
docker compose -f docker/docker-compose.standalone.yml ps
- name: Run Lab 18-01 test script
run: bash tests/labs/test-lab-18-01.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.standalone.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.standalone.yml down -v
lab-02-smoke:
name: Lab 02 — TLS Routing & Load Balancing
runs-on: ubuntu-latest
needs: validate
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y netcat-openbsd curl
- name: Start LAN stack (traefik + backends)
run: docker compose -f docker/docker-compose.lan.yml up -d
- name: Wait for Traefik ping endpoint
run: |
timeout 90 bash -c '
until curl -sf http://localhost:80/ping; do
sleep 3
done'
echo "Traefik is ready"
- name: Run Lab 18-02 test script
run: bash tests/labs/test-lab-18-02.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.lan.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.lan.yml down -v
lab-03-smoke:
name: Lab 03 — Prometheus Metrics + Middleware + TCP
runs-on: ubuntu-latest
needs: validate
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y netcat-openbsd curl
- name: Start advanced stack (traefik + backends)
run: docker compose -f docker/docker-compose.advanced.yml up -d
- name: Wait for Traefik ping
run: timeout 90 bash -c 'until curl -sf http://localhost:80/ping; do sleep 3; done'
- name: Wait for metrics endpoint
run: timeout 30 bash -c 'until curl -sf http://localhost:8082/metrics | grep -q traefik_; do sleep 3; done'
- name: Run Lab 18-03 test script
run: bash tests/labs/test-lab-18-03.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.advanced.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.advanced.yml down -v
lab-04-smoke:
name: Lab 04 — Traefik ForwardAuth SSO via Keycloak
runs-on: ubuntu-latest
needs: validate
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y netcat-openbsd curl
- name: Start SSO stack (KC + Traefik + oauth2-proxy + whoami services)
run: docker compose -f docker/docker-compose.sso.yml up -d
- name: Wait for Keycloak
run: timeout 200 bash -c 'until curl -sf http://localhost:8080/health/ready | grep -q UP; do sleep 5; done'
- name: Wait for Traefik
run: timeout 60 bash -c 'until curl -sf http://localhost:8080/api/version | grep -q Version; do sleep 3; done'
- name: Run Lab 18-04 test script
env:
KC_PASS: "Lab04Password!"
run: bash tests/labs/test-lab-18-04.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.sso.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.sso.yml down -v
lab-05-smoke:
name: Lab 05 -- Traefik + Keycloak + ForwardAuth + Prometheus
runs-on: ubuntu-latest
needs: validate
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y curl netcat-openbsd
- name: Start integration stack
run: docker compose -f docker/docker-compose.integration.yml up -d
- name: Wait for Keycloak
run: timeout 200 bash -c 'until curl -sf http://localhost:8080/health/ready | grep -q UP; do sleep 5; done'
- name: Wait for Traefik
run: timeout 60 bash -c 'until curl -sf http://localhost:8080/api/version | grep -q Version; do sleep 3; done'
- name: Run Lab 18-05 test script
env:
KC_PASS: "Lab05Password!"
run: bash tests/labs/test-lab-18-05.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.integration.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.integration.yml down -v
lab-06-smoke:
name: Lab 06 — Traefik Production (TLS, rate-limit, access logs, Prometheus)
runs-on: ubuntu-latest
needs: validate
continue-on-error: true
steps:
- uses: actions/checkout@v4
- name: Install tools
run: sudo apt-get install -y curl
- name: Start production stack
run: docker compose -f docker/docker-compose.production.yml up -d
- name: Wait for Traefik API
run: timeout 60 bash -c 'until curl -sf http://localhost:8080/api/version | grep -q Version; do sleep 3; done'
- name: Wait for backends
run: timeout 60 bash -c 'until curl -sf http://localhost/ | grep -q Hostname; do sleep 3; done'
- name: Run Lab 18-06 test script
run: bash tests/labs/test-lab-18-06.sh
- name: Collect logs on failure
if: failure()
run: docker compose -f docker/docker-compose.production.yml logs
- name: Cleanup
if: always()
run: docker compose -f docker/docker-compose.production.yml down -v