# Gitea Actions CI/CD Pipeline # BreakPilot Compliance # # Services: # Go: ai-compliance-sdk # Python: backend-compliance, document-crawler, dsms-gateway # Node.js: admin-compliance, developer-portal # # Workflow: # Push auf main → Tests → Build → Deploy (Hetzner) # Pull Request → Lint + Tests (kein Deploy) name: CI/CD on: push: branches: [main, develop] pull_request: branches: [main, develop] jobs: # ======================================== # Lint (nur bei PRs) # ======================================== go-lint: runs-on: docker if: github.event_name == 'pull_request' container: golangci/golangci-lint:v1.62-alpine steps: - name: Checkout run: | apk add --no-cache git git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Lint ai-compliance-sdk run: | if [ -d "ai-compliance-sdk" ]; then cd ai-compliance-sdk && golangci-lint run --timeout 5m ./... fi python-lint: runs-on: docker if: github.event_name == 'pull_request' container: python:3.12-slim steps: - name: Checkout run: | apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1 git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Lint Python services run: | pip install --quiet ruff for svc in backend-compliance document-crawler dsms-gateway; do if [ -d "$svc" ]; then echo "=== Linting $svc ===" ruff check "$svc/" --output-format=github || true fi done nodejs-lint: runs-on: docker if: github.event_name == 'pull_request' container: node:20-alpine steps: - name: Checkout run: | apk add --no-cache git git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Lint Node.js services run: | for svc in admin-compliance developer-portal; do if [ -d "$svc" ]; then echo "=== Linting $svc ===" cd "$svc" npm ci --silent 2>/dev/null || npm install --silent npx next lint || true cd .. fi done # ======================================== # Unit Tests # ======================================== test-go-ai-compliance: runs-on: docker container: golang:1.24-alpine env: CGO_ENABLED: "0" steps: - name: Checkout run: | apk add --no-cache git git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Test ai-compliance-sdk run: | if [ ! -d "ai-compliance-sdk" ]; then echo "WARNUNG: ai-compliance-sdk nicht gefunden" exit 0 fi cd ai-compliance-sdk go test -v -coverprofile=coverage.out ./... 2>&1 COVERAGE=$(go tool cover -func=coverage.out 2>/dev/null | tail -1 | awk '{print $3}' || echo "0%") echo "Coverage: $COVERAGE" test-python-backend-compliance: runs-on: docker container: python:3.12-slim env: CI: "true" steps: - name: Checkout run: | apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1 git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Test backend-compliance run: | if [ ! -d "backend-compliance" ]; then echo "WARNUNG: backend-compliance nicht gefunden" exit 0 fi cd backend-compliance export PYTHONPATH="$(pwd):${PYTHONPATH:-}" pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true pip install --quiet --no-cache-dir fastapi uvicorn pytest pytest-asyncio python -m pytest compliance/tests/ -v --tb=short test-python-document-crawler: runs-on: docker container: python:3.12-slim env: CI: "true" steps: - name: Checkout run: | apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1 git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Test document-crawler run: | if [ ! -d "document-crawler" ]; then echo "WARNUNG: document-crawler nicht gefunden" exit 0 fi cd document-crawler export PYTHONPATH="$(pwd):${PYTHONPATH:-}" pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true pip install --quiet --no-cache-dir pytest pytest-asyncio python -m pytest tests/ -v --tb=short test-python-dsms-gateway: runs-on: docker container: python:3.12-slim env: CI: "true" steps: - name: Checkout run: | apt-get update -qq && apt-get install -y -qq git > /dev/null 2>&1 git clone --depth 1 --branch ${GITHUB_REF_NAME} ${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git . - name: Test dsms-gateway run: | if [ ! -d "dsms-gateway" ]; then echo "WARNUNG: dsms-gateway nicht gefunden" exit 0 fi cd dsms-gateway export PYTHONPATH="$(pwd):${PYTHONPATH:-}" pip install --quiet --no-cache-dir -r requirements.txt 2>/dev/null || true pip install --quiet --no-cache-dir pytest pytest-asyncio python -m pytest test_main.py -v --tb=short # ======================================== # Build & Deploy auf Hetzner (nur main, kein PR) # ======================================== deploy-hetzner: runs-on: docker if: github.event_name == 'push' && github.ref == 'refs/heads/main' needs: - test-go-ai-compliance - test-python-backend-compliance - test-python-document-crawler - test-python-dsms-gateway container: docker:27-cli steps: - name: Deploy run: | set -euo pipefail DEPLOY_DIR="/opt/breakpilot-compliance" COMPOSE_FILES="-f docker-compose.yml -f docker-compose.hetzner.yml" COMMIT_SHA="${GITHUB_SHA:-unknown}" SHORT_SHA="${COMMIT_SHA:0:8}" REPO_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git" echo "=== BreakPilot Compliance Deploy ===" echo "Commit: ${SHORT_SHA}" echo "Deploy Dir: ${DEPLOY_DIR}" echo "" # Der Runner laeuft in einem Container mit Docker-Socket-Zugriff, # hat aber KEINEN direkten Zugriff auf das Host-Dateisystem. # Loesung: Alpine-Helper-Container mit Host-Bind-Mount fuer Git-Ops. # 1. Repo auf dem Host erstellen/aktualisieren via Helper-Container echo "=== Updating code on host ===" docker run --rm \ -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \ --entrypoint sh \ alpine/git:latest \ -c " if [ ! -d '${DEPLOY_DIR}/.git' ]; then echo 'Erstmaliges Klonen nach ${DEPLOY_DIR}...' git clone '${REPO_URL}' '${DEPLOY_DIR}' else cd '${DEPLOY_DIR}' git fetch origin main git reset --hard origin/main fi " echo "Code aktualisiert auf ${SHORT_SHA}" # 2. .env sicherstellen (muss einmalig manuell angelegt werden) docker run --rm -v "${DEPLOY_DIR}:${DEPLOY_DIR}" alpine \ sh -c " if [ ! -f '${DEPLOY_DIR}/.env' ]; then echo 'WARNUNG: ${DEPLOY_DIR}/.env fehlt!' echo 'Bitte einmalig auf dem Host anlegen.' echo 'Deploy wird fortgesetzt (Services starten ggf. mit Defaults).' else echo '.env vorhanden' fi " # 3. Build + Deploy via Helper-Container mit Docker-Socket + Deploy-Dir # docker compose muss die YAML-Dateien lesen koennen, daher # alles in einem Container mit beiden Mounts ausfuehren. echo "" echo "=== Building + Deploying ===" docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "${DEPLOY_DIR}:${DEPLOY_DIR}" \ -w "${DEPLOY_DIR}" \ docker:27-cli \ sh -c " COMPOSE_FILES='-f docker-compose.yml -f docker-compose.hetzner.yml' echo '=== Building Docker Images ===' docker compose \${COMPOSE_FILES} build --parallel \ admin-compliance \ backend-compliance \ ai-compliance-sdk \ developer-portal echo '' echo '=== Starting containers ===' docker compose \${COMPOSE_FILES} up -d --remove-orphans \ admin-compliance \ backend-compliance \ ai-compliance-sdk \ developer-portal echo '' echo '=== Health Checks ===' sleep 10 for svc in bp-compliance-admin bp-compliance-backend bp-compliance-ai-sdk bp-compliance-developer-portal; do STATUS=\$(docker inspect --format='{{.State.Status}}' \"\${svc}\" 2>/dev/null || echo 'not found') echo \"\${svc}: \${STATUS}\" done " echo "" echo "=== Deploy abgeschlossen: ${SHORT_SHA} ==="