# .gitea/workflows/cicd.yaml name: Build and Deploy Demo App (Artifacts) on: push: branches: - main jobs: # ---------- TEST ---------- test: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.12" - name: Install deps run: pip install -r requirements.txt - name: Run tests (SQLite fallback) env: DB_USER: "" # force SQLite fallback in app.py DB_PASS: "" DB_NAME: "" run: pytest # ---------- BUILD ---------- build: needs: test runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Build Docker image run: docker build -t demo-app:latest . - name: Save Docker image to tar run: docker save demo-app:latest > demo-app.tar - name: Upload image artifact uses: actions/upload-artifact@v4 with: name: demo-image path: demo-app.tar if-no-files-found: error # retention-days: 7 # optional; depends on your Gitea settings # ---------- SCAN ---------- scan: needs: build runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Download image artifact uses: actions/download-artifact@v4 with: name: demo-image path: . - name: Load Docker image from artifact run: docker load -i demo-app.tar # Trivy via Docker (no marketplace action needed) - name: Scan image with Trivy run: | docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ aquasec/trivy:latest \ image --exit-code 1 --severity CRITICAL,HIGH --no-progress demo-app:latest # ---------- DEPLOY ---------- deploy: needs: [build, scan] runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Download image artifact uses: actions/download-artifact@v4 with: name: demo-image path: . - name: Set up SSH run: | apt update && apt install -y openssh-client mkdir -p ~/.ssh echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_ed25519 ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts - name: Copy files to server run: | # Copy image tar scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ demo-app.tar \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/demo-app.tar" # Copy docker-compose file scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} \ docker-compose.yml \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/docker-compose.yml" # Copy nginx config directory (used as volume in docker-compose.yml) scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} -r \ nginx_user_conf.d \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:"${{ secrets.DEPLOY_PATH }}/nginx_user_conf.d" - name: Deploy on server run: | ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} \ ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF set -e cd "${{ secrets.DEPLOY_PATH }}" # Create/update .env with DB secrets echo "DB_USER=${{ secrets.DB_USER }}" > .env echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env # Load the new image from the tarball docker load -I demo-app.tar || docker load -i demo-app.tar # compatibility # Make sure we actually have a compose file here if [ ! -f docker-compose.yml ]; then echo "ERROR: docker-compose.yml not found in \$(pwd)" >&2 ls -la exit 1 fi # Restart the compose stack docker compose -f docker-compose.yml down docker compose -f docker-compose.yml --env-file .env up -d --remove-orphans # Clean up rm -f demo-app.tar EOF