225 lines
10 KiB
YAML
225 lines
10 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
|
|
env:
|
|
CARGO_TERM_COLOR: always
|
|
RUSTFLAGS: "-D warnings"
|
|
# sccache caches compilation artifacts within a job so that compiling
|
|
# both --features server and --features web shares common crate work.
|
|
RUSTC_WRAPPER: /usr/local/bin/sccache
|
|
SCCACHE_DIR: /tmp/sccache
|
|
|
|
# Cancel in-progress runs for the same branch/PR
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
# ---------------------------------------------------------------------------
|
|
# Stage 1: Lint, audit, and test (single job to share cargo cache)
|
|
# ---------------------------------------------------------------------------
|
|
check:
|
|
name: Check
|
|
if: github.event_name == 'pull_request'
|
|
runs-on: docker
|
|
container:
|
|
image: rust:1.94-bookworm
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- name: Install tools
|
|
run: |
|
|
rustup component add rustfmt clippy
|
|
curl -fsSL https://github.com/mozilla/sccache/releases/download/v0.9.1/sccache-v0.9.1-x86_64-unknown-linux-musl.tar.gz \
|
|
| tar xz --strip-components=1 -C /usr/local/bin/ sccache-v0.9.1-x86_64-unknown-linux-musl/sccache
|
|
chmod +x /usr/local/bin/sccache
|
|
cargo install cargo-audit --locked
|
|
env:
|
|
RUSTC_WRAPPER: ""
|
|
|
|
# Format (no compilation needed)
|
|
- name: Format
|
|
run: cargo fmt --all --check
|
|
env:
|
|
RUSTC_WRAPPER: ""
|
|
|
|
# Clippy (compiles once, sccache reuses across feature sets)
|
|
- name: Clippy (agent)
|
|
run: cargo clippy -p compliance-agent -- -D warnings
|
|
- name: Clippy (dashboard server)
|
|
run: cargo clippy -p compliance-dashboard --features server --no-default-features -- -D warnings
|
|
- name: Clippy (dashboard web)
|
|
run: cargo clippy -p compliance-dashboard --features web --no-default-features -- -D warnings
|
|
- name: Clippy (mcp)
|
|
run: cargo clippy -p compliance-mcp -- -D warnings
|
|
|
|
# Security audit
|
|
- name: Security Audit
|
|
run: cargo audit
|
|
env:
|
|
RUSTC_WRAPPER: ""
|
|
|
|
# Tests (reuses compilation artifacts from clippy)
|
|
- name: Tests (core + agent)
|
|
run: cargo test -p compliance-core -p compliance-agent --lib
|
|
- name: Tests (dashboard server)
|
|
run: cargo test -p compliance-dashboard --features server --no-default-features
|
|
- name: Tests (dashboard web)
|
|
run: cargo test -p compliance-dashboard --features web --no-default-features
|
|
|
|
- name: Show sccache stats
|
|
run: sccache --show-stats
|
|
if: always()
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Stage 2: Deploy (only on main, after checks pass)
|
|
# Each service only deploys when its relevant files changed.
|
|
# ---------------------------------------------------------------------------
|
|
detect-changes:
|
|
name: Detect Changes
|
|
runs-on: docker
|
|
if: github.ref == 'refs/heads/main'
|
|
container:
|
|
image: alpine:latest
|
|
outputs:
|
|
agent: ${{ steps.changes.outputs.agent }}
|
|
dashboard: ${{ steps.changes.outputs.dashboard }}
|
|
docs: ${{ steps.changes.outputs.docs }}
|
|
mcp: ${{ steps.changes.outputs.mcp }}
|
|
steps:
|
|
- name: Install git
|
|
run: apk add --no-cache git
|
|
- name: Checkout
|
|
run: |
|
|
git init
|
|
git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=2 origin "${GITHUB_SHA}"
|
|
git checkout FETCH_HEAD
|
|
- name: Detect changed paths
|
|
id: changes
|
|
run: |
|
|
CHANGED=$(git diff --name-only HEAD~1 HEAD 2>/dev/null || echo "")
|
|
echo "Changed files:"
|
|
echo "$CHANGED"
|
|
|
|
# Agent: core libs, agent code, agent Dockerfile
|
|
if echo "$CHANGED" | grep -qE '^(compliance-core/|compliance-agent/|compliance-graph/|compliance-dast/|Dockerfile\.agent|Cargo\.(toml|lock))'; then
|
|
echo "agent=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "agent=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# Dashboard: core libs, dashboard code, dashboard Dockerfile, assets
|
|
if echo "$CHANGED" | grep -qE '^(compliance-core/|compliance-dashboard/|Dockerfile\.dashboard|Dioxus\.toml|assets/|bin/|Cargo\.(toml|lock))'; then
|
|
echo "dashboard=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "dashboard=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# Docs: docs folder, docs Dockerfile
|
|
if echo "$CHANGED" | grep -qE '^(docs/|Dockerfile\.docs)'; then
|
|
echo "docs=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "docs=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
# MCP: core libs, mcp code, mcp Dockerfile
|
|
if echo "$CHANGED" | grep -qE '^(compliance-core/|compliance-mcp/|Dockerfile\.mcp|Cargo\.(toml|lock))'; then
|
|
echo "mcp=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "mcp=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
deploy-agent:
|
|
name: Deploy Agent
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.agent == 'true'
|
|
container:
|
|
image: docker:27-cli
|
|
steps:
|
|
- name: Build, push and trigger orca redeploy
|
|
run: |
|
|
apk add --no-cache git curl openssl
|
|
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
|
|
IMAGE=registry.meghsakha.com/compliance-agent
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
|
docker build -f Dockerfile.agent -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
|
|
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
|
|
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy agent"}}' "${GITHUB_SHA}")
|
|
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
|
|
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
|
|
|
|
deploy-dashboard:
|
|
name: Deploy Dashboard
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.dashboard == 'true'
|
|
container:
|
|
image: docker:27-cli
|
|
steps:
|
|
- name: Build, push and trigger orca redeploy
|
|
run: |
|
|
apk add --no-cache git curl openssl
|
|
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
|
|
IMAGE=registry.meghsakha.com/compliance-dashboard
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
|
docker build -f Dockerfile.dashboard -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
|
|
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
|
|
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy dashboard"}}' "${GITHUB_SHA}")
|
|
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
|
|
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
|
|
|
|
deploy-docs:
|
|
name: Deploy Docs
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.docs == 'true'
|
|
container:
|
|
image: docker:27-cli
|
|
steps:
|
|
- name: Build, push and trigger orca redeploy
|
|
run: |
|
|
apk add --no-cache git curl openssl
|
|
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
|
|
IMAGE=registry.meghsakha.com/compliance-docs
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
|
docker build -f Dockerfile.docs -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
|
|
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
|
|
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy docs"}}' "${GITHUB_SHA}")
|
|
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
|
|
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
|
|
|
|
deploy-mcp:
|
|
name: Deploy MCP
|
|
runs-on: docker
|
|
needs: [detect-changes]
|
|
if: needs.detect-changes.outputs.mcp == 'true'
|
|
container:
|
|
image: docker:27-cli
|
|
steps:
|
|
- name: Build, push and trigger orca redeploy
|
|
run: |
|
|
apk add --no-cache git curl openssl
|
|
git init && git remote add origin "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}.git"
|
|
git fetch --depth=1 origin "${GITHUB_SHA}" && git checkout FETCH_HEAD
|
|
IMAGE=registry.meghsakha.com/compliance-mcp
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login registry.meghsakha.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
|
docker build -f Dockerfile.mcp -t "$IMAGE:latest" -t "$IMAGE:${GITHUB_SHA}" .
|
|
docker push "$IMAGE:latest" && docker push "$IMAGE:${GITHUB_SHA}"
|
|
PAYLOAD=$(printf '{"ref":"refs/heads/main","repository":{"full_name":"sharang/compliance-scanner-agent"},"head_commit":{"id":"%s","message":"deploy mcp"}}' "${GITHUB_SHA}")
|
|
SIG=$(printf '%s' "$PAYLOAD" | openssl dgst -sha256 -hmac "${{ secrets.ORCA_WEBHOOK_SECRET }}" | awk '{print $2}')
|
|
RESP=$(curl -fsS -w "\nHTTP %{http_code}" -X POST "http://46.225.100.82:6880/api/v1/webhooks/github" -H "Content-Type: application/json" -H "X-Hub-Signature-256: sha256=$SIG" -d "$PAYLOAD"); echo "$RESP"
|