From 340d3ed95c1d20917281be5379dd4c01a4bf699c Mon Sep 17 00:00:00 2001
From: gitea
Date: Wed, 26 Nov 2025 12:24:05 +0330
Subject: [PATCH] Improved Pipeline manifest
---
 .gitea/workflows/cicd.yaml | 36 ++++++++++--------------------------
 1 file changed, 10 insertions(+), 26 deletions(-)
diff --git a/.gitea/workflows/cicd.yaml b/.gitea/workflows/cicd.yaml
index 76b63bb..3453618 100644
--- a/.gitea/workflows/cicd.yaml
+++ b/.gitea/workflows/cicd.yaml
@@ -6,6 +6,7 @@ on: - main jobs: + # 1) Run tests first test: runs-on: ubuntu-latest steps:
@@ -27,7 +28,8 @@ jobs: DB_NAME: '' run: pytest - build: + # 2) Build image, scan it, and deploy (all on the same runner) + build_scan_deploy: needs: test runs-on: ubuntu-latest steps:
@@ -47,28 +49,13 @@ jobs: - name: Build Docker image uses: docker/build-push-action@v6 with: - load: true + load: true # load image into local Docker tags: demo-app:latest cache-from: type=local,src=/tmp/.buildx-cache cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max - - name: Save Docker image to tar - run: docker save demo-app:latest > demo-app.tar - # demo-app.tar now lives in the shared workspace for later jobs - - scan: - needs: build - runs-on: ubuntu-latest - steps: - - name: Checkout code (keep demo-app.tar) - uses: actions/checkout@v4 - with: - clean: false # do NOT git clean; preserves demo-app.tar - - name: Load image from tar - run: docker load -i demo-app.tar - - name: Scan Image + # --- Security scan happens on the same runner as the build --- + - name: Scan image with Trivy uses: aquasecurity/trivy-action@master with: image-ref: demo-app:latest
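Review bot: The security gate in the third hunk is pinned to a mutable branch: the renamed `Scan image with Trivy` step keeps the context line `uses: aquasecurity/trivy-action@master`, so the action's code can change between runs without any change to this repository, and whatever lands on that branch executes with the workflow's credentials; the build step above at least pins a major tag (`docker/build-push-action@v6`). Pin the scan action to a release tag or, preferably, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, and let a dependency-update bot bump it. The `build_scan_deploy` job continues past this hunk (the Trivy `with:` keys and the remaining steps are in the next hunk).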
@@ -76,14 +63,11 @@ jobs: exit-code: 1 severity: CRITICAL,HIGH - deploy: - needs: [build, scan] - runs-on: ubuntu-latest - steps: - # no checkout here so we don't accidentally clean demo-app.tar + # If Trivy finds HIGH/CRITICAL vulns, the step above fails and + # nothing below (including deploy) will run. - - name: Verify image tar exists - run: ls -lh demo-app.tar + - name: Save Docker image to tar + run: docker save demo-app:latest > demo-app.tar - name: Set up SSH run: |
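Review bot: The added comment documents a gate that is now only implicit step order: the removed `deploy` job had `needs: [build, scan]`, while the new layout relies on the Trivy step's `exit-code: 1` (context above) failing the job before `Save Docker image to tar` runs. That holds today, but it silently disappears if someone later sets `continue-on-error: true` on the scan step. Making it explicit costs two lines: `id: trivy` on the scan step and `if: steps.trivy.outcome == 'success'` on the save step (the `steps.<id>.outcome` context is the GitHub Actions convention and reflects the step's result before `continue-on-error` is applied; worth confirming the Gitea runner in use honours it). Separately, `run: docker save -o demo-app.tar demo-app:latest` writes the tarball without depending on shell redirection. The `Set up SSH` step's `run: |` body and the rest of the job lie outside the hunk.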