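---
# CI/CD workflow: test on every push/PR, scan post-merge and weekly, build and
# publish the frontend to GitHub Pages from main, and cut a release when a
# main commit message contains "release:".
name: CI/CD Pipeline

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    - cron: '0 6 * * 1'  # Weekly security scan (Mondays 06:00 UTC)

# Least privilege: the default GITHUB_TOKEN is read-only for every job. Each
# job below requests only the extra scopes it actually uses, instead of the
# previous workflow-wide pages/id-token/security-events write grants that every
# job (including test and release) inherited.
permissions:
  contents: read

jobs:
  # Code Quality & Testing
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so a future "3.10" is not parsed as the float 3.1.
        python-version: ['3.8', '3.11']
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
      - name: Cache pip dependencies
        uses: actions/cache@v3
        with:
          path: ~/.cache/pip
          key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }}
      - name: Install Python dependencies
        # NOTE(review): requirements.txt is installed without hash pinning;
        # consider `pip install --require-hashes -r requirements.txt` so a
        # tampered package on the index cannot be pulled into CI.
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
      - name: Install additional dev dependencies
        run: |
          pip install black flake8 pytest-cov
      - name: Check formatting with black
        run: black --check backend/src cli/src
      - name: Lint with flake8
        run: flake8 backend/src cli/src --max-line-length=88 --ignore=E203,W503
      - name: Run Python tests
        run: |
          # Set PYTHONPATH to include backend/src
          export PYTHONPATH="${PYTHONPATH}:${PWD}/backend/src"
          pytest backend/tests/ -v --cov=backend/src --cov-report=term-missing

  # Security Analysis
  security:
    runs-on: ubuntu-latest
    # NOTE(review): pull requests are not scanned by this job (only
    # dependency-review runs on PRs), so Bandit/CodeQL findings only surface
    # after a change has already landed on main or develop.
    if: github.event_name == 'push' || github.event_name == 'schedule'
    permissions:
      contents: read
      security-events: write  # upload CodeQL results to code scanning
      actions: read           # needed by CodeQL on private repositories
    steps:
      - uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install security tools
        run: |
          python -m pip install --upgrade pip
          pip install safety bandit
      # `|| true` keeps the job green on findings. Previously the reports were
      # then discarded (bandit-report.json was never uploaded and safety's JSON
      # went to the log only); they are now saved as an artifact so results are
      # reviewable. Drop `|| true` (or run bandit with `-ll`) once the baseline
      # is clean so new medium/high findings fail the job.
      - name: Run Bandit security scan
        run: bandit -r backend/src cli/src -f json -o bandit-report.json || true
      - name: Run Safety dependency scan
        run: safety check --file requirements.txt --output json > safety-report.json || true
      - name: Upload scan reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            bandit-report.json
            safety-report.json
      - name: Initialize CodeQL
        # codeql-action v2 is retired and no longer runs; v3 is the supported line.
        uses: github/codeql-action/init@v3
        with:
          languages: python, javascript
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  # Frontend Build & Deploy
  frontend:
    runs-on: ubuntu-latest
    needs: test
    if: github.ref == 'refs/heads/main'
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '18'
          cache: 'npm'
          # `npm ci` requires a lockfile; keying the cache on it (not on
          # package.json) invalidates the cache when resolved versions change.
          cache-dependency-path: frontend/package-lock.json
      - name: Install frontend dependencies
        working-directory: frontend
        run: npm ci
      - name: Build frontend
        working-directory: frontend
        run: npm run build
      - name: Setup Pages
        uses: actions/configure-pages@v4
      - name: Upload Pages artifact
        uses: actions/upload-pages-artifact@v3
        with:
          path: ./frontend/build

  # Deploy to GitHub Pages
  deploy:
    runs-on: ubuntu-latest
    needs: [test, frontend]
    if: github.ref == 'refs/heads/main'
    # Only this job needs the Pages scopes; scoping them here keeps the OIDC
    # token out of every other job.
    permissions:
      pages: write     # publish the uploaded Pages artifact
      id-token: write  # OIDC token deploy-pages uses to prove the artifact's origin
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v4

  # Dependency Review (for PRs only)
  dependency-review:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Dependency Review
        uses: actions/dependency-review-action@v3

  # Release (on main push whose commit message contains "release:").
  # The tag is derived from the run number, not from a version tag in git.
  release:
    runs-on: ubuntu-latest
    needs: [test, security]
    if: github.ref == 'refs/heads/main' && contains(github.event.head_commit.message, 'release:')
    # Creating a release and its tag writes to the repository; with the
    # workflow-wide `contents: read` this step could not succeed.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
      - name: Create Release
        # NOTE(review): third-party action referenced by a mutable tag; pin it
        # to a full-length commit SHA so a compromised tag cannot run with
        # the contents:write token this job holds.
        uses: softprops/action-gh-release@v1
        with:
          tag_name: v${{ github.run_number }}
          name: Release v${{ github.run_number }}
          generate_release_notes: true
          files: |
            requirements.txt
            README.md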