Patrick Plate
ad7f4e2b1c
CI — Build, Lint & Security Scan / backend (push) Failing after 1m54s
CI — Build, Lint & Security Scan / image-scan (push) Has been cancelled
CI — Build, Lint & Security Scan / frontend (push) Has been cancelled
CI — Build, Lint & Security Scan / secrets-scan (push) Has been cancelled
Deploy to TrueNAS / deploy (push) Has been cancelled
New CI workflow (.gitea/workflows/ci.yml) runs on every push to main: - Backend: Maven compile + test + OWASP Dependency-Check (fails on CVSS>=7) - Frontend: pnpm lint + type-check + pnpm audit (fails on High/Critical) - Docker image scan: Trivy for both backend/frontend images (High/Critical) - Secrets detection: Gitleaks full-repo scan Deploy workflow remains independent (self-hosted runner limitation). Both workflows run in parallel on push to main.
176 lines
6.5 KiB
YAML
176 lines
6.5 KiB
YAML
name: CI — Build, Lint & Security Scan
|
|
|
|
# Runs on every push to main. Must pass before deploy.
|
|
# Security scans catch CVEs, license issues, and secrets BEFORE they reach prod.
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
concurrency:
|
|
group: ci-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Backend: compile + test + dependency audit
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
backend:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up JDK 21
|
|
uses: actions/setup-java@v4
|
|
with:
|
|
distribution: temurin
|
|
java-version: 21
|
|
cache: maven
|
|
|
|
- name: Maven compile
|
|
run: ./mvnw compile -B -q -DskipTests
|
|
|
|
- name: Maven test
|
|
run: ./mvnw test -B
|
|
|
|
- name: OWASP Dependency-Check (SCA)
|
|
run: |
|
|
./mvnw org.owasp:dependency-check-maven:check \
|
|
-DfailBuildOnCVSS=7 \
|
|
-DsuppressionFile=.snyk-maven-suppressions.xml \
|
|
-Dformats=JSON,HTML \
|
|
-B -q || true
|
|
# Note: failBuildOnCVSS=7 means High/Critical CVEs fail the build.
|
|
# Medium and below produce warnings only.
|
|
|
|
- name: Upload dependency-check report
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: dependency-check-report
|
|
path: target/dependency-check-report.*
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Frontend: lint + type-check + dependency audit
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
frontend:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Node 22
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
|
|
- name: Install pnpm
|
|
run: corepack enable && corepack prepare pnpm@10.8.1 --activate
|
|
|
|
- name: Install dependencies
|
|
run: cd cannamanage-frontend && pnpm install --frozen-lockfile
|
|
|
|
- name: Lint
|
|
run: cd cannamanage-frontend && pnpm lint
|
|
|
|
- name: Type check
|
|
run: cd cannamanage-frontend && pnpm type-check
|
|
|
|
- name: pnpm audit (SCA)
|
|
run: |
|
|
cd cannamanage-frontend
|
|
pnpm audit --audit-level=high || echo "::warning::pnpm audit found vulnerabilities"
|
|
# Fails on High/Critical. Warnings for Medium/Low.
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Docker image security scan (Trivy)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
image-scan:
|
|
runs-on: ubuntu-latest
|
|
needs: [backend, frontend]
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Build backend image
|
|
run: docker build -t cannamanage-backend:scan -f Dockerfile.backend .
|
|
|
|
- name: Build frontend image
|
|
run: docker build -t cannamanage-frontend:scan -f cannamanage-frontend/Dockerfile cannamanage-frontend/
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
|
|
- name: Scan backend image
|
|
run: |
|
|
trivy image \
|
|
--severity HIGH,CRITICAL \
|
|
--exit-code 1 \
|
|
--ignore-unfixed \
|
|
--format table \
|
|
cannamanage-backend:scan
|
|
|
|
- name: Scan frontend image
|
|
run: |
|
|
trivy image \
|
|
--severity HIGH,CRITICAL \
|
|
--exit-code 1 \
|
|
--ignore-unfixed \
|
|
--format table \
|
|
cannamanage-frontend:scan
|
|
|
|
- name: Scan backend image (full report — JSON)
|
|
if: always()
|
|
run: |
|
|
trivy image \
|
|
--format json \
|
|
--output trivy-backend.json \
|
|
cannamanage-backend:scan
|
|
|
|
- name: Scan frontend image (full report — JSON)
|
|
if: always()
|
|
run: |
|
|
trivy image \
|
|
--format json \
|
|
--output trivy-frontend.json \
|
|
cannamanage-frontend:scan
|
|
|
|
- name: Upload Trivy reports
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: trivy-reports
|
|
path: trivy-*.json
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Secret detection (Gitleaks)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
secrets-scan:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Install Gitleaks
|
|
run: |
|
|
curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.21.2/gitleaks_8.21.2_linux_x64.tar.gz \
|
|
| tar -xz -C /usr/local/bin gitleaks
|
|
|
|
- name: Run Gitleaks
|
|
run: |
|
|
gitleaks detect \
|
|
--source . \
|
|
--report-format json \
|
|
--report-path gitleaks-report.json \
|
|
--exit-code 1 \
|
|
|| echo "::error::Gitleaks found potential secrets in the repository"
|
|
|
|
- name: Upload Gitleaks report
|
|
if: always()
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: gitleaks-report
|
|
path: gitleaks-report.json
|