From cb404c8faa1931e5d8ed7ee038a4032961263197 Mon Sep 17 00:00:00 2001
From: gitea
Date: Thu, 27 Nov 2025 11:23:30 +0000
Subject: [PATCH] updated artifact implementation on pipeline
---
.gitea/workflows/cicd.yaml | 167 +++++++++++++++++++++++++------------
1 file changed, 114 insertions(+), 53 deletions(-)
diff --git a/.gitea/workflows/cicd.yaml b/.gitea/workflows/cicd.yaml
index f668a68..5118d8e 100644
--- a/.gitea/workflows/cicd.yaml
+++ b/.gitea/workflows/cicd.yaml
@@ -1,20 +1,96 @@ -name: Build and Deploy Demo App +# .gitea/workflows/cicd.yaml +name: Build and Deploy Demo App (Artifacts, GHES/Gitea-safe) + on: push: - branches: - - main + branches: [ main ] + jobs: - build-and-deploy: + # ---------- TEST ---------- + test: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.12" + + - name: Install deps + run: pip install -r requirements.txt + + - name: Run tests (SQLite fallback) + env: + DB_USER: "" # force SQLite fallback in app.py + DB_PASS: "" + DB_NAME: "" + run: pytest + + # ---------- BUILD ---------- + build: + needs: test + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + - name: Build Docker image run: docker build -t demo-app:latest . + - name: Save Docker image to tar run: docker save demo-app:latest > demo-app.tar + + # IMPORTANT: use v3 on Gitea/GHES + - name: Upload image artifact + uses: actions/upload-artifact@v3 + with: + name: demo-image + path: demo-app.tar + if-no-files-found: error + # retention-days: 7 # optional; depends on your Gitea settings + + # ---------- SCAN ---------- + scan: + needs: build + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # IMPORTANT: use v3 on Gitea/GHES + - name: Download image artifact + uses: actions/download-artifact@v3 + with: + name: demo-image + path: . 
# place demo-app.tar in the workspace root + + - name: Load Docker image from artifact + run: docker load -i demo-app.tar + + - name: Scan image with Trivy + run: | + docker run --rm \ + -v /var/run/docker.sock:/var/run/docker.sock \ + aquasec/trivy:latest \ + image --exit-code 1 --severity CRITICAL,HIGH --no-progress demo-app:latest + + # ---------- DEPLOY ---------- + deploy: + needs: [build, scan] + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # IMPORTANT: use v3 on Gitea/GHES + - name: Download image artifact + uses: actions/download-artifact@v3 + with: + name: demo-image + path: . + - name: Set up SSH run: | apt update && apt install -y openssh-client 
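Review bot: The Trivy step in the new `scan` job bind-mounts `/var/run/docker.sock` into an unpinned `aquasec/trivy:latest` container, which gives whatever that tag resolves to on the day root-equivalent control of the runner, and it does so only to read an image the job already holds on disk as `demo-app.tar`. Trivy can scan the saved tarball directly with `image --input`, which removes the socket mount and makes the preceding `Load Docker image from artifact` step unnecessary, and the scanner tag should be pinned to a vetted release (ideally a `@sha256:` digest) so the scanner is part of the reviewed supply chain. The same mutable-tag pattern applies to `actions/upload-artifact@v3`, `actions/download-artifact@v3` and `actions/checkout@v4`; checkout was already there, but the new jobs extend it, so pinning to commit SHAs is worth doing in the same pass. The `<pinned-release>` below is a placeholder, not a recommendation of a specific version.
```yaml
      # … unchanged: checkout and download-artifact steps …
      - name: Scan image tarball with Trivy (no Docker socket needed)
        run: |
          docker run --rm \
            -v "$PWD":/work:ro \
            aquasec/trivy:<pinned-release> \
            image --input /work/demo-app.tar \
              --exit-code 1 --severity CRITICAL,HIGH --no-progress
```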
@@ -24,57 +100,42 @@ jobs: eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519 ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts - - name: Copy files to server via SCP + + - name: Copy files to server run: | - scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar - scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} docker-compose.yml ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}docker-compose.yml - scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r nginx_user_conf.d ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}nginx_user_conf.d - - name: Deploy on server via SSH + scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ + demo-app.tar \ + ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/demo-app.tar" + + scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ + docker-compose.yml \ + ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/docker-compose.yml" + + scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r \ + nginx_user_conf.d \ + ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/nginx_user_conf.d" + + - name: Deploy on server run: | - ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF - cd ${{ secrets.DEPLOY_PATH }} + ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} \ + ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << 'EOF' + set -e + cd "${{ secrets.DEPLOY_PATH }}" - # Check and install Docker if not present (Ubuntu/Debian assumed) - if ! 
command -v docker &> /dev/null; then - sudo apt update -y - sudo apt install -y ca-certificates curl - sudo install -m 0755 -d /etc/apt/keyrings - sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc - sudo chmod a+r /etc/apt/keyrings/docker.asc - echo "deb [arch=\$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \$(. /etc/os-release && echo "\$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null - sudo apt update -y - sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin - sudo systemctl start docker - sudo systemctl enable docker - fi + # Write DB secrets for compose + echo "DB_USER=${{ secrets.DB_USER }}" > .env + echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env + echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env - # Ensure docker-compose-plugin is installed (for 'docker compose' command) - if ! docker compose version &> /dev/null; then - sudo apt update -y - sudo apt install -y docker-compose-plugin - fi - - # Load image + # Load image and restart stack docker load -i demo-app.tar - - # Graceful stop - docker compose down --remove-orphans -v || true - - # Obtain initial cert if not present (standalone mode; ports are free since down) - if [ ! -d "letsencrypt/live/demo.networkwizard.xyz" ]; then - docker run --rm \ - -p 80:80 \ - -v ${PWD}/letsencrypt:/etc/letsencrypt \ - certbot/certbot certonly --standalone \ - -d demo.networkwizard.xyz \ - --email your@email.com \ - --agree-tos \ - --non-interactive + if [ ! -f docker-compose.yml ]; then + echo "ERROR: docker-compose.yml not found in $(pwd)" >&2 + ls -la + exit 1 fi + docker compose -f docker-compose.yml down + docker compose -f docker-compose.yml --env-file .env up -d --remove-orphans - # Deploy - docker compose up -d --force-recreate - - # Cleanup - rm demo-app.tar - EOF \ No newline at end of file + rm -f demo-app.tar + EOF
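Review bot: The three `echo "DB_…=${{ secrets.… }}" > .env` lines in the new remote script interpolate the database credentials into the command text sent over ssh, and because the remote shell evaluates them inside double quotes a password containing `$`, a backtick or `"` is expanded or breaks the script under `set -e` instead of being stored verbatim; the resulting `.env` is also created under the remote user's default umask, typically world-readable. Building the file on the runner from `env:`-mapped secrets with `umask 077`, copying it alongside the other files and dropping the three `echo` lines keeps the values out of the shipped script and out of `ps`/shell history on the server. While here, `-o StrictHostKeyChecking=no` on the re-added `scp`/`ssh` lines silently defeats the `ssh-keyscan … >> ~/.ssh/known_hosts` a few lines above it; drop the option (and, preferably, provision the known_hosts entry from a stored fingerprint rather than trusting the first scan). The `docker compose … --env-file .env up` line and the rest of the remote script are unchanged.
```yaml
      - name: Write compose env file on the runner
        env:
          DB_USER: ${{ secrets.DB_USER }}
          DB_PASS: ${{ secrets.DB_PASS }}
          DB_NAME: ${{ secrets.DB_NAME }}
        run: |
          umask 077
          printf 'DB_USER=%s\nDB_PASS=%s\nDB_NAME=%s\n' "$DB_USER" "$DB_PASS" "$DB_NAME" > .env

      - name: Copy files to server
        run: |
          # … unchanged: scp of demo-app.tar, docker-compose.yml, nginx_user_conf.d, minus -o StrictHostKeyChecking=no …
          scp -P ${{ secrets.SERVER_PORT }} \
            .env \
            ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/.env"

      - name: Deploy on server
        run: |
          ssh -p ${{ secrets.SERVER_PORT }} \
            ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << 'EOF'
          set -e
          cd "${{ secrets.DEPLOY_PATH }}"
          chmod 600 .env
          # … unchanged: docker load, docker-compose.yml check, compose down/up, rm -f demo-app.tar …
          EOF
```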