0b836f7e2d
All checks were successful
CI/CD / go-lint (push) Has been skipped
CI/CD / python-lint (push) Has been skipped
CI/CD / nodejs-lint (push) Has been skipped
CI/CD / test-go-ai-compliance (push) Successful in 38s
CI/CD / test-python-backend-compliance (push) Successful in 41s
CI/CD / test-python-document-crawler (push) Successful in 25s
CI/CD / test-python-dsms-gateway (push) Successful in 21s
CI/CD / deploy-hetzner (push) Successful in 1m27s
The runner container has Docker socket but no host filesystem access. docker compose needs to read YAML files, so run build+deploy inside a helper container that has both Docker socket and the deploy dir mounted. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
273 lines
9.4 KiB
YAML
273 lines
9.4 KiB
YAML
# Gitea Actions CI/CD Pipeline
|
|
# BreakPilot Compliance
|
|
#
|
|
# Services:
|
|
# Go: ai-compliance-sdk
|
|
# Python: backend-compliance, document-crawler, dsms-gateway
|
|
# Node.js: admin-compliance, developer-portal
|
|
#
|
|
# Workflow:
|
|
# Push auf main → Tests → Build → Deploy (Hetzner)
|
|
# Pull Request → Lint + Tests (kein Deploy)
|
|
|
|
name: CI/CD
|
|
|
|
on:
|
|
push:
|
|
branches: [main, develop]
|
|
pull_request:
|
|
branches: [main, develop]
|
|
|
|
jobs:
|
|
# ========================================
|
|
# Lint (nur bei PRs)
|
|
# ========================================
|
|
|
|
go-lint:
|
|
runs-on: docker
|
|
if: github.event_name == 'pull_request'
|
|
container: golangci/golangci-lint:v1.62-alpine
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apk add --no-cache git
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Lint ai-compliance-sdk
|
|
run: |
|
|
if [ -d "ai-compliance-sdk" ]; then
|
|
cd ai-compliance-sdk && golangci-lint run --timeout 5m ./...
|
|
fi
|
|
|
|
python-lint:
|
|
runs-on: docker
|
|
if: github.event_name == 'pull_request'
|
|
container: python:3.12-slim
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Lint Python services
|
|
run: |
|
|
pip install --quiet ruff
|
|
for svc in backend-compliance document-crawler dsms-gateway; do
|
|
if [ -d "$svc" ]; then
|
|
echo "=== Linting $svc ==="
|
|
ruff check "$svc/" --output-format=github || true
|
|
fi
|
|
done
|
|
|
|
nodejs-lint:
|
|
runs-on: docker
|
|
if: github.event_name == 'pull_request'
|
|
container: node:20-alpine
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apk add --no-cache git
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Lint Node.js services
|
|
run: |
|
|
for svc in admin-compliance developer-portal; do
|
|
if [ -d "$svc" ]; then
|
|
echo "=== Linting $svc ==="
|
|
cd "$svc"
|
|
npm ci --silent 2>/dev/null || npm install --silent
|
|
npx next lint || true
|
|
cd ..
|
|
fi
|
|
done
|
|
|
|
# ========================================
|
|
# Unit Tests
|
|
# ========================================
|
|
|
|
test-go-ai-compliance:
|
|
runs-on: docker
|
|
container: golang:1.24-alpine
|
|
env:
|
|
CGO_ENABLED: "0"
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apk add --no-cache git
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Test ai-compliance-sdk
|
|
run: |
|
|
if [ ! -d "ai-compliance-sdk" ]; then
|
|
echo "WARNUNG: ai-compliance-sdk nicht gefunden"
|
|
exit 0
|
|
fi
|
|
cd ai-compliance-sdk
|
|
go test -v -coverprofile=coverage.out ./... 2>&1
|
|
COVERAGE=$(go tool cover -func=coverage.out 2>/dev/null | tail -1 | awk '{print $3}' || echo "0%")
|
|
echo "Coverage: $COVERAGE"
|
|
|
|
test-python-backend-compliance:
|
|
runs-on: docker
|
|
container: python:3.12-slim
|
|
env:
|
|
CI: "true"
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Test backend-compliance
|
|
run: |
|
|
if [ ! -d "backend-compliance" ]; then
|
|
echo "WARNUNG: backend-compliance nicht gefunden"
|
|
exit 0
|
|
fi
|
|
cd backend-compliance
|
|
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
|
|
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
|
|
pip install --quiet --no-cache-dir fastapi uvicorn pytest pytest-asyncio
|
|
python -m pytest compliance/tests/ -v --tb=short
|
|
|
|
test-python-document-crawler:
|
|
runs-on: docker
|
|
container: python:3.12-slim
|
|
env:
|
|
CI: "true"
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Test document-crawler
|
|
run: |
|
|
if [ ! -d "document-crawler" ]; then
|
|
echo "WARNUNG: document-crawler nicht gefunden"
|
|
exit 0
|
|
fi
|
|
cd document-crawler
|
|
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
|
|
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
|
|
pip install --quiet --no-cache-dir pytest pytest-asyncio
|
|
python -m pytest tests/ -v --tb=short
|
|
|
|
test-python-dsms-gateway:
|
|
runs-on: docker
|
|
container: python:3.12-slim
|
|
env:
|
|
CI: "true"
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1
|
|
git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git .
|
|
- name: Test dsms-gateway
|
|
run: |
|
|
if [ ! -d "dsms-gateway" ]; then
|
|
echo "WARNUNG: dsms-gateway nicht gefunden"
|
|
exit 0
|
|
fi
|
|
cd dsms-gateway
|
|
export PYTHONPATH="$(pwd):${PYTHONPATH:-}"
|
|
pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true
|
|
pip install --quiet --no-cache-dir pytest pytest-asyncio
|
|
python -m pytest test_main.py -v --tb=short
|
|
|
|
# ========================================
|
|
# Build & Deploy auf Hetzner (nur main, kein PR)
|
|
# ========================================
|
|
|
|
deploy-hetzner:
|
|
runs-on: docker
|
|
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
|
|
needs:
|
|
- test-go-ai-compliance
|
|
- test-python-backend-compliance
|
|
- test-python-document-crawler
|
|
- test-python-dsms-gateway
|
|
container: docker:27-cli
|
|
steps:
|
|
- name: Deploy
|
|
run: |
|
|
set -euo pipefail
|
|
DEPLOY_DIR="/opt/breakpilot-compliance"
|
|
COMPOSE_FILES="-f docker-compose.yml -f docker-compose.hetzner.yml"
|
|
COMMIT_SHA="${GITHUB_SHA:-unknown}"
|
|
SHORT_SHA="${COMMIT_SHA:0:8}"
|
|
REPO_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
|
|
echo "=== BreakPilot Compliance Deploy ==="
|
|
echo "Commit: ${SHORT_SHA}"
|
|
echo "Deploy Dir: ${DEPLOY_DIR}"
|
|
echo ""
|
|
|
|
# Der Runner laeuft in einem Container mit Docker-Socket-Zugriff,
|
|
# hat aber KEINEN direkten Zugriff auf das Host-Dateisystem.
|
|
# Loesung: Alpine-Helper-Container mit Host-Bind-Mount fuer Git-Ops.
|
|
|
|
# 1. Repo auf dem Host erstellen/aktualisieren via Helper-Container
|
|
echo "=== Updating code on host ==="
|
|
docker run --rm \
|
|
-v "${DEPLOY_DIR}:${DEPLOY_DIR}" \
|
|
--entrypoint sh \
|
|
alpine/git:latest \
|
|
-c "
|
|
if [ ! -d '${DEPLOY_DIR}/.git' ]; then
|
|
echo 'Erstmaliges Klonen nach ${DEPLOY_DIR}...'
|
|
git clone '${REPO_URL}' '${DEPLOY_DIR}'
|
|
else
|
|
cd '${DEPLOY_DIR}'
|
|
git fetch origin main
|
|
git reset --hard origin/main
|
|
fi
|
|
"
|
|
echo "Code aktualisiert auf ${SHORT_SHA}"
|
|
|
|
# 2. .env sicherstellen (muss einmalig manuell angelegt werden)
|
|
docker run --rm -v "${DEPLOY_DIR}:${DEPLOY_DIR}" alpine \
|
|
sh -c "
|
|
if [ ! -f '${DEPLOY_DIR}/.env' ]; then
|
|
echo 'WARNUNG: ${DEPLOY_DIR}/.env fehlt!'
|
|
echo 'Bitte einmalig auf dem Host anlegen.'
|
|
echo 'Deploy wird fortgesetzt (Services starten ggf. mit Defaults).'
|
|
else
|
|
echo '.env vorhanden'
|
|
fi
|
|
"
|
|
|
|
# 3. Build + Deploy via Helper-Container mit Docker-Socket + Deploy-Dir
|
|
# docker compose muss die YAML-Dateien lesen koennen, daher
|
|
# alles in einem Container mit beiden Mounts ausfuehren.
|
|
echo ""
|
|
echo "=== Building + Deploying ==="
|
|
docker run --rm \
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
-v "${DEPLOY_DIR}:${DEPLOY_DIR}" \
|
|
-w "${DEPLOY_DIR}" \
|
|
docker:27-cli \
|
|
sh -c "
|
|
COMPOSE_FILES='-f docker-compose.yml -f docker-compose.hetzner.yml'
|
|
|
|
echo '=== Building Docker Images ==='
|
|
docker compose \${COMPOSE_FILES} build --parallel \
|
|
admin-compliance \
|
|
backend-compliance \
|
|
ai-compliance-sdk \
|
|
developer-portal
|
|
|
|
echo ''
|
|
echo '=== Starting containers ==='
|
|
docker compose \${COMPOSE_FILES} up -d --remove-orphans \
|
|
admin-compliance \
|
|
backend-compliance \
|
|
ai-compliance-sdk \
|
|
developer-portal
|
|
|
|
echo ''
|
|
echo '=== Health Checks ==='
|
|
sleep 10
|
|
for svc in bp-compliance-admin bp-compliance-backend bp-compliance-ai-sdk bp-compliance-developer-portal; do
|
|
STATUS=\$(docker inspect --format='{{.State.Status}}' \"\${svc}\" 2>/dev/null || echo 'not found')
|
|
echo \"\${svc}: \${STATUS}\"
|
|
done
|
|
"
|
|
|
|
echo ""
|
|
echo "=== Deploy abgeschlossen: ${SHORT_SHA} ==="
|