fix: harden CI security gates, parallelize builds, externalize secrets
CI — Build, Lint & Security Scan / frontend (push) Has been cancelled
CI — Build, Lint & Security Scan / image-scan (push) Has been cancelled
CI — Build, Lint & Security Scan / secrets-scan (push) Has been cancelled
CI — Build, Lint & Security Scan / backend (push) Has been cancelled
Deploy to TrueNAS / deploy (push) Has been cancelled
- Make OWASP, Gitleaks, pnpm audit blocking (remove || true fallbacks)
- Add Maven -T 1C for parallel reactor threads
- Fix parallel Docker build race condition (PID tracking + set -euo pipefail)
- Externalize JWT/NextAuth secrets via env vars with dev-only defaults
- Add .env.example with generation instructions
- Add CI/CD infrastructure review document
+16
-14
@@ -30,10 +30,10 @@ jobs:
cache: maven
- name: Maven compile
run: ./mvnw compile -B -q -DskipTests
run: ./mvnw compile -B -q -DskipTests -T 1C
- name: Maven test
run: ./mvnw test -B
run: ./mvnw test -B -T 1C
- name: OWASP Dependency-Check (SCA)
run: |
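Review bot: `-T 1C` on the `./mvnw test` line parallelizes test execution across reactor modules, so tests in different modules that share a resource (a fixed port, a local database, a temp path) can start failing intermittently without any code change; either confirm the modules' tests are isolated from each other or keep `-T 1C` on the compile step only until they are. The flag only helps a multi-module build; on a single-module project it changes nothing.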
@@ -41,9 +41,9 @@ jobs:
-DfailBuildOnCVSS=7 \
-DsuppressionFile=.snyk-maven-suppressions.xml \
-Dformats=JSON,HTML \
-B -q || true
# Note: failBuildOnCVSS=7 means High/Critical CVEs fail the build.
# Medium and below produce warnings only.
-B -q
# failBuildOnCVSS=7: High/Critical CVEs fail the build.
# Suppress known false positives in .snyk-maven-suppressions.xml.
- name: Upload dependency-check report
if: always()
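Review bot: now that `|| true` is gone from the `-B -q` line, every entry in `.snyk-maven-suppressions.xml` directly decides whether the build passes, so each `<suppress>` should carry a `<notes>` justification and, where Dependency-Check supports it, an `until` expiry so accepted findings get revisited instead of silenced indefinitely. The file name is also misleading: it feeds OWASP Dependency-Check, not Snyk, so renaming it (for example `dependency-check-suppressions.xml`) saves the next reader a wrong assumption. Keeping `if: always()` on the upload step is right, since the report is exactly what a developer needs when the gate trips.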
@@ -80,8 +80,8 @@ jobs:
- name: pnpm audit (SCA)
run: |
cd cannamanage-frontend
pnpm audit --audit-level=high || echo "::warning::pnpm audit found vulnerabilities"
# Fails on High/Critical. Warnings for Medium/Low.
pnpm audit --audit-level=high
# Fails on High/Critical. Use .pnpmauditrc or --ignore for known exceptions.
# ─────────────────────────────────────────────────────────────────────────────
# Docker image security scan (Trivy)
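Review bot: the new comment under the `pnpm audit --audit-level=high` line points at `.pnpmauditrc` and `--ignore`, neither of which I can find among pnpm's documented audit options; if the intended exception mechanism is the `pnpm.auditConfig.ignoreCves` list in package.json, the comment should name that instead, otherwise a developer hitting the now-blocking gate is sent looking for a file that does nothing. While this step is being made blocking, also decide explicitly whether dev-only dependencies should block a deploy (`--prod` limits the audit to runtime dependencies) and whether a registry outage should fail the job (`--ignore-registry-errors`), since both now abort the pipeline.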
@@ -92,11 +92,14 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Build backend image
run: docker build -t cannamanage-backend:scan -f Dockerfile.backend .
- name: Build frontend image
run: docker build -t cannamanage-frontend:scan -f cannamanage-frontend/Dockerfile cannamanage-frontend/
- name: Build images (parallel)
run: |
set -euo pipefail
docker build -t cannamanage-backend:scan -f Dockerfile.backend . &
PID1=$!
docker build -t cannamanage-frontend:scan -f cannamanage-frontend/Dockerfile cannamanage-frontend/ &
PID2=$!
wait $PID1 $PID2
- name: Install Trivy
run: |
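Review bot: `wait $PID1 $PID2` reports only the exit status of the last PID listed, so a failed backend build (`PID1`) is masked whenever the frontend build succeeds, and `set -euo pipefail` never sees the error; the image-scan job would then run Trivy against a stale or missing backend image. Wait for each build on its own line so either failure aborts the step:
    wait "$PID1"
    wait "$PID2"
Interleaved output from the two concurrent builds also makes a failure hard to attribute, so consider redirecting each build's log to its own file and printing both after the waits.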
@@ -164,8 +167,7 @@ jobs:
--source . \
--report-format json \
--report-path gitleaks-report.json \
--exit-code 1 \
|| echo "::error::Gitleaks found potential secrets in the repository"
--exit-code 1
- name: Upload Gitleaks report
if: always()
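Review bot: dropping the `|| echo "::error::..."` fallback makes the scan blocking, which is the right default; `--exit-code 1` is already Gitleaks' exit code on findings, so the flag is redundant but harmless to keep for explicitness. Two things this gate needs to actually work: the checkout for this job must fetch full history (`fetch-depth: 0`), because `--source .` on a shallow clone scans only the commits present in the clone rather than the repository's history; and the failure message or runbook should state that a detected secret is still in history and must be rotated, since a green rebuild after deleting the file proves nothing. Accepted findings belong in a `.gitleaksignore` keyed by fingerprint, not back behind a `|| true`.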