19855efacc
Some checks failed
Tests / Go Tests (push) Has been cancelled
Tests / Python Tests (push) Has been cancelled
Tests / Integration Tests (push) Has been cancelled
Tests / Go Lint (push) Has been cancelled
Tests / Python Lint (push) Has been cancelled
Tests / Security Scan (push) Has been cancelled
Tests / All Checks Passed (push) Has been cancelled
Security Scanning / Secret Scanning (push) Has been cancelled
Security Scanning / Dependency Vulnerability Scan (push) Has been cancelled
Security Scanning / Go Security Scan (push) Has been cancelled
Security Scanning / Python Security Scan (push) Has been cancelled
Security Scanning / Node.js Security Scan (push) Has been cancelled
Security Scanning / Docker Image Security (push) Has been cancelled
Security Scanning / Security Summary (push) Has been cancelled
CI/CD Pipeline / Go Tests (push) Has been cancelled
CI/CD Pipeline / Python Tests (push) Has been cancelled
CI/CD Pipeline / Website Tests (push) Has been cancelled
CI/CD Pipeline / Linting (push) Has been cancelled
CI/CD Pipeline / Security Scan (push) Has been cancelled
CI/CD Pipeline / Docker Build & Push (push) Has been cancelled
CI/CD Pipeline / Integration Tests (push) Has been cancelled
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
CI/CD Pipeline / CI Summary (push) Has been cancelled
ci/woodpecker/manual/build-ci-image Pipeline was successful
ci/woodpecker/manual/main Pipeline failed
All services: admin-v2, studio-v2, website, ai-compliance-sdk, consent-service, klausur-service, voice-service, and infrastructure. Large PDFs and compiled binaries excluded via .gitignore.
504 lines
16 KiB
YAML
504 lines
16 KiB
YAML
name: CI/CD Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches: [main, develop]
|
|
pull_request:
|
|
branches: [main, develop]
|
|
|
|
env:
|
|
GO_VERSION: '1.21'
|
|
PYTHON_VERSION: '3.11'
|
|
NODE_VERSION: '20'
|
|
POSTGRES_USER: breakpilot
|
|
POSTGRES_PASSWORD: breakpilot123
|
|
POSTGRES_DB: breakpilot_test
|
|
REGISTRY: ghcr.io
|
|
IMAGE_PREFIX: ${{ github.repository_owner }}/breakpilot
|
|
|
|
jobs:
|
|
# ==========================================
|
|
# Go Consent Service Tests
|
|
# ==========================================
|
|
go-tests:
|
|
name: Go Tests
|
|
runs-on: ubuntu-latest
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
env:
|
|
POSTGRES_USER: ${{ env.POSTGRES_USER }}
|
|
POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
|
|
POSTGRES_DB: ${{ env.POSTGRES_DB }}
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
cache-dependency-path: consent-service/go.sum
|
|
|
|
- name: Download dependencies
|
|
working-directory: ./consent-service
|
|
run: go mod download
|
|
|
|
- name: Run Go Vet
|
|
working-directory: ./consent-service
|
|
run: go vet ./...
|
|
|
|
- name: Run Unit Tests
|
|
working-directory: ./consent-service
|
|
run: go test -v -race -coverprofile=coverage.out ./...
|
|
env:
|
|
DATABASE_URL: postgres://${{ env.POSTGRES_USER }}:${{ env.POSTGRES_PASSWORD }}@localhost:5432/${{ env.POSTGRES_DB }}?sslmode=disable
|
|
JWT_SECRET: test-jwt-secret-for-ci
|
|
JWT_REFRESH_SECRET: test-refresh-secret-for-ci
|
|
|
|
- name: Check Coverage
|
|
working-directory: ./consent-service
|
|
run: |
|
|
go tool cover -func=coverage.out
|
|
COVERAGE=$(go tool cover -func=coverage.out | grep total | awk '{print $3}' | sed 's/%//')
|
|
echo "Total coverage: ${COVERAGE}%"
|
|
if (( $(echo "$COVERAGE < 50" | bc -l) )); then
|
|
echo "::warning::Coverage is below 50%"
|
|
fi
|
|
|
|
- name: Upload coverage to Codecov
|
|
uses: codecov/codecov-action@v4
|
|
with:
|
|
files: ./consent-service/coverage.out
|
|
flags: go
|
|
name: go-coverage
|
|
continue-on-error: true
|
|
|
|
# ==========================================
|
|
# Python Backend Tests
|
|
# ==========================================
|
|
python-tests:
|
|
name: Python Tests
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ env.PYTHON_VERSION }}
|
|
cache: 'pip'
|
|
cache-dependency-path: backend/requirements.txt
|
|
|
|
- name: Install dependencies
|
|
working-directory: ./backend
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
pip install pytest pytest-cov pytest-asyncio httpx
|
|
|
|
- name: Run Python Tests
|
|
working-directory: ./backend
|
|
run: pytest -v --cov=. --cov-report=xml --cov-report=term-missing
|
|
continue-on-error: true
|
|
|
|
- name: Upload coverage to Codecov
|
|
uses: codecov/codecov-action@v4
|
|
with:
|
|
files: ./backend/coverage.xml
|
|
flags: python
|
|
name: python-coverage
|
|
continue-on-error: true
|
|
|
|
# ==========================================
|
|
# Node.js Website Tests
|
|
# ==========================================
|
|
website-tests:
|
|
name: Website Tests
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: ${{ env.NODE_VERSION }}
|
|
cache: 'npm'
|
|
cache-dependency-path: website/package-lock.json
|
|
|
|
- name: Install dependencies
|
|
working-directory: ./website
|
|
run: npm ci
|
|
|
|
- name: Run TypeScript check
|
|
working-directory: ./website
|
|
run: npx tsc --noEmit
|
|
continue-on-error: true
|
|
|
|
- name: Run ESLint
|
|
working-directory: ./website
|
|
run: npm run lint
|
|
continue-on-error: true
|
|
|
|
- name: Build website
|
|
working-directory: ./website
|
|
run: npm run build
|
|
env:
|
|
NEXT_PUBLIC_BILLING_API_URL: http://localhost:8083
|
|
NEXT_PUBLIC_APP_URL: http://localhost:3000
|
|
|
|
# ==========================================
|
|
# Linting
|
|
# ==========================================
|
|
lint:
|
|
name: Linting
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- name: Run golangci-lint
|
|
uses: golangci/golangci-lint-action@v4
|
|
with:
|
|
version: latest
|
|
working-directory: ./consent-service
|
|
args: --timeout=5m
|
|
continue-on-error: true
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ env.PYTHON_VERSION }}
|
|
|
|
- name: Install Python linters
|
|
run: pip install flake8 black isort
|
|
|
|
- name: Run flake8
|
|
working-directory: ./backend
|
|
run: flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
|
|
continue-on-error: true
|
|
|
|
- name: Check Black formatting
|
|
working-directory: ./backend
|
|
run: black --check --diff .
|
|
continue-on-error: true
|
|
|
|
# ==========================================
|
|
# Security Scan
|
|
# ==========================================
|
|
security:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
severity: 'CRITICAL,HIGH'
|
|
exit-code: '0'
|
|
continue-on-error: true
|
|
|
|
- name: Run Go security check
|
|
uses: securego/gosec@master
|
|
with:
|
|
args: '-no-fail -fmt sarif -out results.sarif ./consent-service/...'
|
|
continue-on-error: true
|
|
|
|
# ==========================================
|
|
# Docker Build & Push
|
|
# ==========================================
|
|
docker-build:
|
|
name: Docker Build & Push
|
|
runs-on: ubuntu-latest
|
|
needs: [go-tests, python-tests, website-tests]
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
if: github.event_name != 'pull_request'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Extract metadata for consent-service
|
|
id: meta-consent
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-consent-service
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=sha,prefix=
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
|
|
- name: Build and push consent-service
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: ./consent-service
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: ${{ steps.meta-consent.outputs.tags }}
|
|
labels: ${{ steps.meta-consent.outputs.labels }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Extract metadata for backend
|
|
id: meta-backend
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-backend
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=sha,prefix=
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
|
|
- name: Build and push backend
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: ./backend
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: ${{ steps.meta-backend.outputs.tags }}
|
|
labels: ${{ steps.meta-backend.outputs.labels }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Extract metadata for website
|
|
id: meta-website
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-website
|
|
tags: |
|
|
type=ref,event=branch
|
|
type=ref,event=pr
|
|
type=sha,prefix=
|
|
type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
|
|
|
|
- name: Build and push website
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: ./website
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
tags: ${{ steps.meta-website.outputs.tags }}
|
|
labels: ${{ steps.meta-website.outputs.labels }}
|
|
build-args: |
|
|
NEXT_PUBLIC_BILLING_API_URL=${{ vars.NEXT_PUBLIC_BILLING_API_URL || 'http://localhost:8083' }}
|
|
NEXT_PUBLIC_APP_URL=${{ vars.NEXT_PUBLIC_APP_URL || 'http://localhost:3000' }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
# ==========================================
|
|
# Integration Tests
|
|
# ==========================================
|
|
integration-tests:
|
|
name: Integration Tests
|
|
runs-on: ubuntu-latest
|
|
needs: [docker-build]
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Start services with Docker Compose
|
|
run: |
|
|
docker compose up -d postgres mailpit
|
|
sleep 10
|
|
|
|
- name: Run consent-service
|
|
working-directory: ./consent-service
|
|
run: |
|
|
go build -o consent-service ./cmd/server
|
|
./consent-service &
|
|
sleep 5
|
|
env:
|
|
DATABASE_URL: postgres://breakpilot:breakpilot123@localhost:5432/breakpilot_db?sslmode=disable
|
|
JWT_SECRET: test-jwt-secret
|
|
JWT_REFRESH_SECRET: test-refresh-secret
|
|
SMTP_HOST: localhost
|
|
SMTP_PORT: 1025
|
|
|
|
- name: Health Check
|
|
run: |
|
|
curl -f http://localhost:8081/health || exit 1
|
|
|
|
- name: Run Integration Tests
|
|
run: |
|
|
# Test Auth endpoints
|
|
curl -s http://localhost:8081/api/v1/auth/health
|
|
|
|
# Test Document endpoints
|
|
curl -s http://localhost:8081/api/v1/documents
|
|
continue-on-error: true
|
|
|
|
- name: Stop services
|
|
if: always()
|
|
run: docker compose down
|
|
|
|
# ==========================================
|
|
# Deploy to Staging
|
|
# ==========================================
|
|
deploy-staging:
|
|
name: Deploy to Staging
|
|
runs-on: ubuntu-latest
|
|
needs: [docker-build, integration-tests]
|
|
if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
|
|
environment:
|
|
name: staging
|
|
url: https://staging.breakpilot.app
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Deploy to staging server
|
|
env:
|
|
STAGING_HOST: ${{ secrets.STAGING_HOST }}
|
|
STAGING_USER: ${{ secrets.STAGING_USER }}
|
|
STAGING_SSH_KEY: ${{ secrets.STAGING_SSH_KEY }}
|
|
run: |
|
|
# This is a placeholder for actual deployment
|
|
# Configure based on your staging infrastructure
|
|
echo "Deploying to staging environment..."
|
|
echo "Images to deploy:"
|
|
echo " - ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-consent-service:develop"
|
|
echo " - ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-backend:develop"
|
|
echo " - ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-website:develop"
|
|
|
|
# Example: SSH deployment (uncomment when configured)
|
|
# mkdir -p ~/.ssh
|
|
# echo "$STAGING_SSH_KEY" > ~/.ssh/id_rsa
|
|
# chmod 600 ~/.ssh/id_rsa
|
|
# ssh -o StrictHostKeyChecking=no $STAGING_USER@$STAGING_HOST "cd /opt/breakpilot && docker compose pull && docker compose up -d"
|
|
|
|
- name: Notify deployment
|
|
run: |
|
|
echo "## Staging Deployment" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "Successfully deployed to staging environment" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "**Deployed images:**" >> $GITHUB_STEP_SUMMARY
|
|
echo "- consent-service: \`develop\`" >> $GITHUB_STEP_SUMMARY
|
|
echo "- backend: \`develop\`" >> $GITHUB_STEP_SUMMARY
|
|
echo "- website: \`develop\`" >> $GITHUB_STEP_SUMMARY
|
|
|
|
# ==========================================
|
|
# Deploy to Production
|
|
# ==========================================
|
|
deploy-production:
|
|
name: Deploy to Production
|
|
runs-on: ubuntu-latest
|
|
needs: [docker-build, integration-tests]
|
|
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
|
|
environment:
|
|
name: production
|
|
url: https://breakpilot.app
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to GitHub Container Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Deploy to production server
|
|
env:
|
|
PROD_HOST: ${{ secrets.PROD_HOST }}
|
|
PROD_USER: ${{ secrets.PROD_USER }}
|
|
PROD_SSH_KEY: ${{ secrets.PROD_SSH_KEY }}
|
|
run: |
|
|
# This is a placeholder for actual deployment
|
|
# Configure based on your production infrastructure
|
|
echo "Deploying to production environment..."
|
|
echo "Images to deploy:"
|
|
echo " - ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-consent-service:latest"
|
|
echo " - ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-backend:latest"
|
|
echo " - ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-website:latest"
|
|
|
|
# Example: SSH deployment (uncomment when configured)
|
|
# mkdir -p ~/.ssh
|
|
# echo "$PROD_SSH_KEY" > ~/.ssh/id_rsa
|
|
# chmod 600 ~/.ssh/id_rsa
|
|
# ssh -o StrictHostKeyChecking=no $PROD_USER@$PROD_HOST "cd /opt/breakpilot && docker compose pull && docker compose up -d"
|
|
|
|
- name: Notify deployment
|
|
run: |
|
|
echo "## Production Deployment" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "Successfully deployed to production environment" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "**Deployed images:**" >> $GITHUB_STEP_SUMMARY
|
|
echo "- consent-service: \`latest\`" >> $GITHUB_STEP_SUMMARY
|
|
echo "- backend: \`latest\`" >> $GITHUB_STEP_SUMMARY
|
|
echo "- website: \`latest\`" >> $GITHUB_STEP_SUMMARY
|
|
|
|
# ==========================================
|
|
# Summary
|
|
# ==========================================
|
|
summary:
|
|
name: CI Summary
|
|
runs-on: ubuntu-latest
|
|
needs: [go-tests, python-tests, website-tests, lint, security, docker-build, integration-tests]
|
|
if: always()
|
|
|
|
steps:
|
|
- name: Check job results
|
|
run: |
|
|
echo "## CI/CD Summary" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Job | Status |" >> $GITHUB_STEP_SUMMARY
|
|
echo "|-----|--------|" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Go Tests | ${{ needs.go-tests.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Python Tests | ${{ needs.python-tests.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Website Tests | ${{ needs.website-tests.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Linting | ${{ needs.lint.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Security | ${{ needs.security.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Docker Build | ${{ needs.docker-build.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "| Integration Tests | ${{ needs.integration-tests.result }} |" >> $GITHUB_STEP_SUMMARY
|
|
echo "" >> $GITHUB_STEP_SUMMARY
|
|
echo "### Docker Images" >> $GITHUB_STEP_SUMMARY
|
|
echo "Images are pushed to: \`${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}-*\`" >> $GITHUB_STEP_SUMMARY
|