114 lines
3.2 KiB
YAML
114 lines
3.2 KiB
YAML
name: Build and Deploy Demo App
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
# ---------- TEST ----------
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.12"
|
|
|
|
- name: Install deps
|
|
run: pip install -r requirements.txt
|
|
|
|
- name: Run tests
|
|
env:
|
|
DB_USER: "" # force SQLite fallback in app.py
|
|
DB_PASS: ""
|
|
DB_NAME: ""
|
|
run: pytest
|
|
|
|
# ---------- BUILD ----------
|
|
build:
|
|
needs: test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Build Docker image
|
|
run: docker build -t demo-app:latest .
|
|
|
|
# ---------- SCAN ----------
|
|
scan:
|
|
needs: build
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
# Rebuild image in this job so it's available locally
|
|
- name: Build Docker image for scan
|
|
run: docker build -t demo-app:latest .
|
|
|
|
# Trivy via Docker (no GitHub Action)
|
|
- name: Scan image with Trivy
|
|
run: |
|
|
docker run --rm \
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
aquasec/trivy:latest \
|
|
image --exit-code 1 --severity CRITICAL,HIGH --no-progress demo-app:latest
|
|
|
|
# ---------- DEPLOY ----------
|
|
deploy:
|
|
needs: [build, scan]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
# Rebuild image for deployment
|
|
- name: Build Docker image for deploy
|
|
run: docker build -t demo-app:latest .
|
|
|
|
- name: Save Docker image to tar
|
|
run: docker save demo-app:latest > demo-app.tar
|
|
|
|
- name: Set up SSH
|
|
run: |
|
|
apt update && apt install -y openssh-client
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
|
|
chmod 600 ~/.ssh/id_ed25519
|
|
eval "$(ssh-agent -s)"
|
|
ssh-add ~/.ssh/id_ed25519
|
|
ssh-keyscan -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts
|
|
|
|
- name: Copy tar to server
|
|
run: scp -o StrictHostKeyChecking=no -P ${{ secrets.SERVER_PORT }} demo-app.tar ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }}:${{ secrets.DEPLOY_PATH }}demo-app.tar
|
|
|
|
- name: Deploy on server
|
|
run: |
|
|
ssh -o StrictHostKeyChecking=no -p ${{ secrets.SERVER_PORT }} ${{ secrets.SERVER_USER }}@${{ secrets.SERVER_HOST }} << 'EOF'
|
|
set -e
|
|
cd "${DEPLOY_PATH}"
|
|
|
|
# Create/update .env with DB secrets from CI
|
|
echo "DB_USER=${DB_USER}" > .env
|
|
echo "DB_PASS=${DB_PASS}" >> .env
|
|
echo "DB_NAME=${DB_NAME}" >> .env
|
|
|
|
# Load new image and restart stack
|
|
docker load -i demo-app.tar
|
|
docker compose down
|
|
docker compose --env-file .env up -d --remove-orphans
|
|
|
|
rm demo-app.tar
|
|
EOF
|
|
env:
|
|
DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
|
|
DB_USER: ${{ secrets.DB_USER }}
|
|
DB_PASS: ${{ secrets.DB_PASS }}
|
|
DB_NAME: ${{ secrets.DB_NAME }}
|
|
|