UnHackable/.github/workflows/ci.yml at main · shubhiscoding/UnHackable · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
name: CI Pipeline - UnHackable

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  workflow_dispatch:

env:
  IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/unhackable

jobs:
  # ============================================
  # Stage 1: Code Quality & Linting
  # WHY: Enforces coding standards, prevents technical debt,
  #      catches syntax errors early before expensive operations
  # ============================================
  lint:
    name: Lint & Type Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run ESLint
        run: npm run lint

      - name: TypeScript Type Check
        run: npx tsc --noEmit

  # ============================================
  # Stage 2: Unit Tests
  # WHY: Validates business logic, prevents regressions,
  #      ensures code behaves as expected
  # ============================================
  test:
    name: Unit Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run unit tests
        run: npm test --if-present

  # ============================================
  # Stage 3: SAST - Static Application Security Testing
  # WHY: Detects OWASP Top 10 vulnerabilities in source code,
  #      implements shift-left security before deployment
  # ============================================
  sast:
    name: SAST - CodeQL Analysis
    runs-on: ubuntu-latest
    needs: lint
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  # ============================================
  # Stage 4: SCA - Software Composition Analysis
  # WHY: Identifies vulnerable dependencies (supply chain attacks),
  #      checks for known CVEs in npm packages
  # ============================================
  sca:
    name: SCA - Dependency Check
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: NPM Audit (Security Check)
        run: npm audit --audit-level=moderate || true

  # ============================================
  # Stage 5: Build Application
  # WHY: Validates that the application compiles successfully,
  #      creates production-ready artifacts
  # ============================================
  build:
    name: Build Application
    runs-on: ubuntu-latest
    needs: [test, sast, sca]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Build Next.js application
        run: npm run build

  # ============================================
  # Stage 6: Docker Build & Scan
  # WHY: Packages application into container, scans for
  #      OS & library vulnerabilities before shipping
  # ============================================
  docker:
    name: Docker Build & Scan
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./dockerfile
          push: false
          load: true
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # ----------------------------------------
      # Image Scan with Trivy
      # WHY: Detects OS & library vulnerabilities in container
      # ----------------------------------------
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          format: 'table'
          severity: 'CRITICAL,HIGH'

      # ----------------------------------------
      # Container Smoke Test
      # WHY: Validates container starts and responds to health checks
      # ----------------------------------------
      - name: Run container smoke test
        run: |
          docker run -d --name test-container -p 3000:3000 ${{ env.IMAGE_NAME }}:${{ github.sha }}
          sleep 15
          curl --fail http://localhost:3000 || exit 1
          echo "✅ Container health check passed!"
          docker logs test-container
          docker rm -f test-container

  # ============================================
  # Stage 7: Push to Registry
  # WHY: Publishes trusted, scanned image to DockerHub,
  #      enables downstream CD pipeline deployment
  # ============================================
  push:
    name: Push to DockerHub
    runs-on: ubuntu-latest
    needs: docker
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./dockerfile
          push: true
          tags: |
            ${{ env.IMAGE_NAME }}:latest
            ${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Image pushed successfully
        run: |
          echo "Image pushed to DockerHub!"
          echo "Tags: latest, ${{ github.sha }}"