gitea/devops
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
340d3ed95c1d20917281be5379dd4c01a4bf699c
devops/.gitea/workflows/cicd.yaml
gitea 340d3ed95c
Some checks failed
Build and Deploy Demo App / test (push) Successful in 12s
Details
Build and Deploy Demo App / build_scan_deploy (push) Failing after 10m42s
Details
Improved Pipeline manifest
2025-11-26 12:24:05 +03:30

100 lines
3.1 KiB
YAML
Raw Blame History

name: Build and Deploy Demo App
on:
push:
branches:
- main
jobs:
# 1) Run tests first
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install deps
run: pip install -r requirements.txt
- name: Run tests
env:
DB_USER: '' # Empty to force SQLite fallback
DB_PASS: ''
DB_NAME: ''
run: pytest
# 2) Build image, scan it, and deploy (all on the same runner)
build_scan_deploy:
needs: test
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', 'requirements.txt') }}
restore-keys: ${{ runner.os }}-buildx-
- name: Build Docker image
uses: docker/build-push-action@v6
with:
load: true # load image into local Docker
tags: demo-app:latest
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
# --- Security scan happens on the same runner as the build ---
- name: Scan image with Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: demo-app:latest
format: table
exit-code: 1
severity: CRITICAL,HIGH
# If Trivy finds HIGH/CRITICAL vulns, the step above fails and
# nothing below (including deploy) will run.
- name: Save Docker image to tar
run: docker save demo-app:latest > demo-app.tar
- name: Set up SSH
run: |
apt update && apt install -y openssh-client
mkdir -p ~/.ssh
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519
ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts
- name: Copy tar to server
run: scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar
- name: Deploy on server
run: |
ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << EOF
cd ${{ secrets.DEPLOY_PATH }}
# Create/update .env with secrets
echo "DB_USER=${{ secrets.DB_USER }}" > .env
echo "DB_PASS=${{ secrets.DB_PASS }}" >> .env
echo "DB_NAME=${{ secrets.DB_NAME }}" >> .env
# Load and deploy
docker load -i demo-app.tar
docker compose down
docker compose --env-file .env up -d --remove-orphans
rm demo-app.tar
EOF
Reference in New Issue View Git Blame Copy Permalink