nietzshn
76cb35cc98
CI Pipeline / HTML Lint (push) Successful in 7s
Deploy QA / Build and Push (push) Successful in 15s
CI Pipeline / Build Docker Image (push) Successful in 56s
Deploy QA / Deploy to QA (push) Failing after 2s
CI Pipeline / Security Scan (push) Successful in 11s
Deploy QA / Notification (push) Failing after 1s
85 lines
2.1 KiB
YAML
85 lines
2.1 KiB
YAML
name: CI Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches-ignore:
|
|
- 'renovate/**'
|
|
pull_request:
|
|
branches:
|
|
- dev
|
|
- staging
|
|
- main
|
|
|
|
env:
|
|
REGISTRY_URL: ${{ vars.REGISTRY_URL }}
|
|
IMAGE_NAME: ${{ vars.IMAGE_NAME }}
|
|
|
|
jobs:
|
|
lint:
|
|
name: HTML Lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install html-validate
|
|
run: npm install -g html-validate
|
|
|
|
- name: Validate HTML
|
|
run: |
|
|
set -euo pipefail
|
|
html-validate src/index.html || true
|
|
echo "::notice::HTML validation completed (non-blocking)"
|
|
|
|
build:
|
|
name: Build Docker Image
|
|
runs-on: ubuntu-latest
|
|
needs: lint
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Cache Docker layers
|
|
uses: actions/cache@v4
|
|
with:
|
|
path: /tmp/.buildx-cache
|
|
key: ci-buildx-${{ gitea.sha }}
|
|
restore-keys: |
|
|
ci-buildx-
|
|
|
|
- name: Build image
|
|
run: |
|
|
set -euo pipefail
|
|
docker buildx build \
|
|
--cache-from=type=local,src=/tmp/.buildx-cache \
|
|
--cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max \
|
|
--load \
|
|
--build-arg APP_VERSION=ci-${{ gitea.sha }} \
|
|
--build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
|
|
--build-arg GIT_COMMIT=${{ gitea.sha }} \
|
|
--build-arg GIT_BRANCH=${{ gitea.ref_name }} \
|
|
-t ci-image:latest \
|
|
.
|
|
|
|
- name: Move cache
|
|
run: |
|
|
set -euo pipefail
|
|
rm -rf /tmp/.buildx-cache
|
|
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
|
|
|
|
security-scan:
|
|
name: Security Scan
|
|
runs-on: ubuntu-latest
|
|
needs: build
|
|
steps:
|
|
- name: Run Trivy vulnerability scanner
|
|
run: |
|
|
docker run --rm \
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
aquasec/trivy:latest \
|
|
image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed ci-image:latest
|
|
|