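---
# CI/CD pipeline: lint + test matrix, advisory security scans, Docker build
# with a smoke test, then an optional Render deploy hook on main.
#
# Third-party actions below are referenced by mutable version tags; for
# supply-chain hardening, pin each `uses:` to a full commit SHA.
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]

# Least-privilege default for GITHUB_TOKEN: no job below writes to the repo
# (Docker Hub and Render are reached with their own secrets, not the token).
permissions:
  contents: read

jobs:
  # Job 1: Lint and Test
  test:
    name: Lint and Test
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ['3.9', '3.10', '3.11']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install pytest pytest-cov flake8

      - name: Lint with flake8
        run: |
          # Stop the build if there are Python syntax errors or undefined names
          flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude=venv,env,.venv,.git,__pycache__
          # Exit-zero treats all errors as warnings
          flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=venv,env,.venv,.git,__pycache__

      - name: Run tests
        run: |
          pytest tests/ -v --cov=app --cov-report=xml --cov-report=term
        env:
          FLASK_ENV: testing
          # Throwaway value for the test process only; not a real credential.
          SECRET_KEY: test-secret-key

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v3
        with:
          file: ./coverage.xml
          fail_ci_if_error: false

  # Job 2: Security Scan
  security:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'

      - name: Install scanners
        run: pip install safety bandit

      # Both scans are advisory: `|| true` keeps the job green so the reports
      # are always produced, which means findings never gate the build job.
      # Drop the `|| true` once the baseline is clean to make them blocking.
      - name: Run safety check
        # Scan the project's declared dependencies (-r) rather than the
        # runner's own site-packages, and keep the JSON for the artifact.
        run: safety check -r requirements.txt --json > safety-report.json || true

      - name: Run Bandit security scan
        run: bandit -r . -f json -o bandit-report.json || true

      - name: Upload security reports
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: security-reports
          path: |
            bandit-report.json
            safety-report.json

  # Job 3: Build Docker Image
  build:
    name: Build Docker Image
    runs-on: ubuntu-latest
    needs: [test, security]
    if: github.event_name == 'push'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Smoke-test a locally built image BEFORE anything is pushed, so a
      # broken build never reaches the :latest tag on Docker Hub.
      - name: Test Docker image
        run: |
          docker build -t project-management:test .
          docker run -d -p 8000:8000 --name test-container project-management:test
          sleep 10
          # --fail makes HTTP 4xx/5xx a failure; plain curl exits 0 on them.
          if ! curl --fail --silent --show-error http://localhost:8000/health; then
            docker logs test-container
            docker stop test-container
            exit 1
          fi
          docker stop test-container

      - name: Login to Docker Hub
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.ref == 'refs/heads/main' }}
          tags: |
            ${{ secrets.DOCKER_USERNAME }}/project-management:latest
            ${{ secrets.DOCKER_USERNAME }}/project-management:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # Job 4: Deploy to Render (optional)
  deploy-render:
    name: Deploy to Render
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main'
    # The `secrets` context is not available in a step-level `if`; expose the
    # hook URL as a job env var and test that instead (empty when unset).
    env:
      RENDER_DEPLOY_HOOK_URL: ${{ secrets.RENDER_DEPLOY_HOOK_URL }}
    steps:
      - name: Trigger Render Deployment
        if: env.RENDER_DEPLOY_HOOK_URL != ''
        # Read the URL from the environment instead of interpolating the
        # secret into the script; --fail surfaces a rejected hook call.
        run: curl --fail --silent --show-error -X POST "$RENDER_DEPLOY_HOOK_URL"

      - name: Deployment notification
        if: env.RENDER_DEPLOY_HOOK_URL != ''
        run: echo "Deployment triggered to Render"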