# .gitea/workflows/cicd.yaml name: Build and Deploy Demo App (Artifacts, GHES/Gitea-safe) on: push: branches: [ main ] jobs: # ---------- TEST ---------- test: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install deps run: pip install -r requirements.txt - name: Run tests (SQLite fallback) env: DB_USER: "" # force SQLite fallback in app.py DB_PASS: "" DB_NAME: "" run: pytest # ---------- BUILD ---------- build: needs: test runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Build Docker image run: docker build -t demo-app:latest . - name: Save Docker image to tar run: docker save demo-app:latest > demo-app.tar # IMPORTANT: use v3 on Gitea/GHES - name: Upload image artifact uses: actions/upload-artifact@v3 with: name: demo-image path: demo-app.tar if-no-files-found: error # retention-days: 7 # optional; depends on your Gitea settings # ---------- SCAN ---------- scan: needs: build runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 # IMPORTANT: use v3 on Gitea/GHES - name: Download image artifact uses: actions/download-artifact@v3 with: name: demo-image path: . # place demo-app.tar in the workspace root - name: Load Docker image from artifact run: docker load -i demo-app.tar - name: Scan image with Trivy run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy:latest \ image --exit-code 1 --severity CRITICAL,HIGH --no-progress demo-app:latest # ---------- DEPLOY ---------- deploy: needs: [build, scan] runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 # IMPORTANT: use v3 on Gitea/GHES - name: Download image artifact uses: actions/download-artifact@v3 with: name: demo-image path: . - name: Set up SSH run: | apt update && apt install -y openssh-client mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519 ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts - name: Copy files to server run: | scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ demo-app.tar \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/demo-app.tar" scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ docker-compose.yml \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/docker-compose.yml" scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r \ nginx_user_conf.d \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/nginx_user_conf.d" - name: Deploy on server run: | ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << 'EOF' set -e cd "${{ secrets.DEPLOY_PATH }}" # Write DB secrets for compose echo "DB_USER=${{ secrets.DB_USER }}" > .env echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env # Load image and restart stack docker load -i demo-app.tar if [ ! -f docker-compose.yml ]; then echo "ERROR: docker-compose.yml not found in $(pwd)" >&2 ls -la exit 1 fi docker compose -f docker-compose.yml down docker compose -f docker-compose.yml --env-file .env up -d --remove-orphans rm -f demo-app.tar EOF