From c473ffbd16e9a37d49b8e1791508c9dd8304795b Mon Sep 17 00:00:00 2001
From: gitea
Date: Wed, 26 Nov 2025 13:03:25 +0330
Subject: [PATCH] refactor cicd pipeline

---
 .gitea/workflows/cicd.yaml | 63 ++++++++++++++++++++------------------
 1 file changed, 34 insertions(+), 29 deletions(-)

diff --git a/.gitea/workflows/cicd.yaml b/.gitea/workflows/cicd.yaml
index 3453618..4bdf5ab 100644
--- a/.gitea/workflows/cicd.yaml
+++ b/.gitea/workflows/cicd.yaml
@@ -6,7 +6,7 @@ on:
       - main
 jobs:
-  # 1) Run tests first
+  # ------------------ TEST ------------------
   test:
     runs-on: ubuntu-latest
     steps:
@@ -23,48 +23,53 @@ jobs: - name: Run tests env: - DB_USER: '' # Empty to force SQLite fallback + DB_USER: '' # force SQLite fallback DB_PASS: '' DB_NAME: '' run: pytest - # 2) Build image, scan it, and deploy (all on the same runner) - build_scan_deploy: + # ------------------ BUILD ------------------ + build: needs: test runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Cache Docker layers - uses: actions/cache@v4 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', 'requirements.txt') }} - restore-keys: ${{ runner.os }}-buildx- - - name: Build Docker image - uses: docker/build-push-action@v6 - with: - load: true # load image into local Docker - tags: demo-app:latest - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max + run: docker build -t demo-app:latest . - # --- Security scan happens on the same runner as the build --- + # ------------------ SCAN ------------------ + scan: + needs: build + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Rebuild image in this job so it's available locally + - name: Build Docker image for scan + run: docker build -t demo-app:latest . + + # Use Trivy via Docker, no GitHub-specific action - name: Scan image with Trivy - uses: aquasecurity/trivy-action@master - with: - image-ref: demo-app:latest - format: table - exit-code: 1 - severity: CRITICAL,HIGH + run: | + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + aquasecurity/trivy:latest \ + image --exit-code 1 --severity CRITICAL,HIGH demo-app:latest - # If Trivy finds HIGH/CRITICAL vulns, the step above fails and - # nothing below (including deploy) will run. 
+ # ------------------ DEPLOY ------------------ + deploy: + needs: [build, scan] + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Rebuild image for deployment + - name: Build Docker image for deploy + run: docker build -t demo-app:latest . - name: Save Docker image to tar run: docker save demo-app:latest > demo-app.tar
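Review bot: The `deploy` job rebuilds the image with its own `docker build` ("Build Docker image for deploy"), so the tar that is saved and shipped is not the image the `scan` job inspected; `needs: [build, scan]` only orders the jobs, and with a floating base-image tag or unpinned dependencies the third build can pull in content the Trivy gate never saw. Building once in `build`, exporting the tar there, and handing it to `scan` and `deploy` as a workflow artifact closes that gap (assuming the Gitea runner supports the upload/download-artifact actions), and it lets Trivy read the tar with `image --input` instead of mounting `/var/run/docker.sock`, which currently gives the scanner container full control of the runner's Docker daemon. The `aquasecurity/trivy:latest` tag in the scan step should also be pinned to a release so the gate is reproducible.
```yaml
  build:
    # … unchanged: needs / runs-on / checkout …
      - name: Build Docker image
        run: docker build -t demo-app:latest .
      - name: Save Docker image to tar
        run: docker save demo-app:latest > demo-app.tar
      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: demo-app-image
          path: demo-app.tar

  scan:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: demo-app-image
      - name: Scan image with Trivy
        run: |
          docker run --rm \
            -v "$PWD:/work:ro" \
            aquasecurity/trivy:<PINNED_TRIVY_VERSION> \
            image --input /work/demo-app.tar --exit-code 1 --severity CRITICAL,HIGH

  deploy:
    needs: [build, scan]
    # … unchanged: runs-on / checkout …
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: demo-app-image
      # … unchanged: the steps after "Save Docker image to tar" consume demo-app.tar as before …
```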