coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

ci: add ansible and CICD deployment
PR -> develop / Scan for secrets (Gitleaks) (pull_request) Failing after 4s
Details
PR -> develop / Scan for CVEs (Trivy) (pull_request) Successful in 2s
Details

Browse Source
This commit is contained in:
sangnn
2026-06-23 07:16:42 +00:00
parent a6d74d9316
commit a3b230e65d
24 changed files with 1077 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/pr-security-check.yml
+58
View File
@@ -0,0 +1,58 @@
name: PR -> develop
on:
pull_request:
branches:
- main
- develop
env:
GITLEAKS_VERSION: "8.30.1"
jobs:
# ── 1. Secret scan ────────────────────────────────────────────────────────────
gitleaks:
name: Scan for secrets (Gitleaks)
runs-on: stage-gatehouse-api
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Gitleaks
run: |
if command -v gitleaks >/dev/null 2>&1; then
echo "gitleaks already installed: $(gitleaks version)"
exit 0
fi
curl -sSfL \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar xz gitleaks
mv gitleaks /usr/local/bin/gitleaks
- name: Run secret scan
run: gitleaks detect --source . --exit-code 1 --redact --verbose --log-level debug
# ── 2. CVE scan ───────────────────────────────────────────────────────────────
trivy:
name: Scan for CVEs (Trivy)
runs-on: stage-gatehouse-api
steps:
- uses: actions/checkout@v4
- name: Install Trivy
run: |
command -v trivy >/dev/null 2>&1 || \
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
| sh -s -- -b /usr/local/bin
- name: Run filesystem scan
run: |
trivy fs \
--exit-code 1 \
--severity HIGH,CRITICAL \
--no-progress \
.
.gitea/workflows/push-develop.yml
+91
View File
@@ -0,0 +1,91 @@
name: Push -> develop
on:
push:
branches:
- develop
jobs:
# ── 1. Build ──────────────────────────────────────────────────────────────────
build:
name: Build Docker images
runs-on: stage-gatehouse-api
outputs:
tag: ${{ steps.sha.outputs.tag }}
steps:
- uses: actions/checkout@v4
- name: Set image tag
id: sha
run: echo "tag=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
- name: Build api image
run: |
docker build \
-t "gatehouse-api:${{ steps.sha.outputs.tag }}" \
-t "gatehouse-api:latest" \
.
- name: Build job image
run: |
docker build \
-f Dockerfile.job \
-t "gatehouse-api-job:${{ steps.sha.outputs.tag }}" \
-t "gatehouse-api-job:latest" \
.
- name: Scan api image for vulnerabilities (Trivy)
run: |
command -v trivy >/dev/null 2>&1 || \
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
| sh -s -- -b /usr/local/bin
trivy image \
--exit-code 0 \
--severity HIGH,CRITICAL \
--no-progress \
"gatehouse-api:${{ steps.sha.outputs.tag }}"
- name: Scan job image for vulnerabilities (Trivy)
run: |
trivy image \
--exit-code 0 \
--severity HIGH,CRITICAL \
--no-progress \
"gatehouse-api-job:${{ steps.sha.outputs.tag }}"
# ── 2. Deploy ─────────────────────────────────────────────────────────────────
deploy:
name: Deploy
runs-on: stage-gatehouse-api
needs: build
env:
COMPOSE_DIR: /opt/gatehouse-api
steps:
- uses: actions/checkout@v4
- name: Deploy (rolling, zero-downtime)
run: |
cp docker-compose.yml "${COMPOSE_DIR}/docker-compose.yml"
mkdir -p "${COMPOSE_DIR}/docker"
cp docker/nginx.conf "${COMPOSE_DIR}/docker/nginx.conf"
bash deploy/deploy.sh "${{ needs.build.outputs.tag }}"
# ── 3. Alert ──────────────────────────────────────────────────────────────────
alert:
name: Notify on result
runs-on: stage-gatehouse-api
needs: deploy
if: always()
steps:
- name: Send notification
run: |
STATUS="${{ needs.deploy.result }}"
echo "TODO: send alert — deploy status: ${STATUS}"
# curl -X POST "${{ secrets.ALERT_WEBHOOK }}" \
# -H 'Content-Type: application/json' \
# -d "{\"text\": \"[gatehouse-api] Deploy ${STATUS} — tag: ${{ needs.build.outputs.tag }}\"}"
.gitea/workflows/push-main.yml
+91
View File
@@ -0,0 +1,91 @@
name: Push -> main
on:
push:
branches:
- main
jobs:
# ── 1. Build ──────────────────────────────────────────────────────────────────
build:
name: Build Docker images
runs-on: prod-gatehouse-api
outputs:
tag: ${{ steps.sha.outputs.tag }}
steps:
- uses: actions/checkout@v4
- name: Set image tag
id: sha
run: echo "tag=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
- name: Build api image
run: |
docker build \
-t "gatehouse-api:${{ steps.sha.outputs.tag }}" \
-t "gatehouse-api:latest" \
.
- name: Build job image
run: |
docker build \
-f Dockerfile.job \
-t "gatehouse-api-job:${{ steps.sha.outputs.tag }}" \
-t "gatehouse-api-job:latest" \
.
- name: Scan api image for vulnerabilities (Trivy)
run: |
command -v trivy >/dev/null 2>&1 || \
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
| sh -s -- -b /usr/local/bin
trivy image \
--exit-code 0 \
--severity HIGH,CRITICAL \
--no-progress \
"gatehouse-api:${{ steps.sha.outputs.tag }}"
- name: Scan job image for vulnerabilities (Trivy)
run: |
trivy image \
--exit-code 0 \
--severity HIGH,CRITICAL \
--no-progress \
"gatehouse-api-job:${{ steps.sha.outputs.tag }}"
# ── 2. Deploy ─────────────────────────────────────────────────────────────────
deploy:
name: Deploy
runs-on: prod-gatehouse-api
needs: build
env:
COMPOSE_DIR: /opt/gatehouse-api
steps:
- uses: actions/checkout@v4
- name: Deploy (rolling, zero-downtime)
run: |
cp docker-compose.yml "${COMPOSE_DIR}/docker-compose.yml"
mkdir -p "${COMPOSE_DIR}/docker"
cp docker/nginx.conf "${COMPOSE_DIR}/docker/nginx.conf"
bash deploy/deploy.sh "${{ needs.build.outputs.tag }}"
# ── 3. Alert ──────────────────────────────────────────────────────────────────
alert:
name: Notify on result
runs-on: prod-gatehouse-api
needs: deploy
if: always()
steps:
- name: Send notification
run: |
STATUS="${{ needs.deploy.result }}"
echo "TODO: send alert — deploy status: ${STATUS}"
# curl -X POST "${{ secrets.ALERT_WEBHOOK }}" \
# -H 'Content-Type: application/json' \
# -d "{\"text\": \"[gatehouse-api] Deploy ${STATUS} — tag: ${{ needs.build.outputs.tag }}\"}"