updated ci with trivy #121
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI Pipeline | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| jobs: | |
| # Export Requirements | |
| export-requirements: | |
| name: Export Requirements | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Poetry | |
| run: | | |
| curl -sSL https://install.python-poetry.org | python3 - | |
| export PATH="$HOME/.local/bin:$PATH" | |
| - name: Export Requirements | |
| run: | | |
| poetry export -f requirements.txt --output app/requirements.txt --without-hashes | |
| poetry export -f requirements.txt --with dev --output app/requirements-dev.txt --without-hashes | |
| # Build Dev Docker Image for Testing | |
| build-dev-image: | |
| name: Build Dev Docker Image | |
| runs-on: ubuntu-latest | |
| needs: export-requirements | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Docker Hub Login | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_API_KEY }} | |
| - name: Build Dev Docker Image | |
| run: | | |
| docker buildx build \ | |
| --target builder \ | |
| --platform linux/amd64 \ | |
| --file development/Dockerfile.prod \ | |
| --build-arg REQUIREMENTS_FILE=requirements-dev.txt \ | |
| --tag ${{ secrets.DOCKER_USERNAME }}/${{ secrets.HEROKU_APP_NAME }}:dev \ | |
| --push . | |
| # Test and Lint Stage | |
| test-and-lint: | |
| name: Test, Lint, and Security Scan with Trivy | |
| runs-on: ubuntu-latest | |
| needs: build-dev-image | |
| services: | |
| postgres: | |
| image: postgres:latest | |
| env: | |
| POSTGRES_DB: users | |
| POSTGRES_USER: runner | |
| POSTGRES_PASSWORD: runner | |
| ports: | |
| - 5432:5432 | |
| options: >- | |
| --health-cmd="pg_isready -U runner" | |
| --health-interval=10s | |
| --health-timeout=5s | |
| --health-retries=5 | |
| env: | |
| DATABASE_URL: postgresql://runner:runner@localhost:5432/users | |
| DJANGO_ALLOWED_HOSTS: "localhost 127.0.0.1 [::1]" # For local testing | |
| SECRET_KEY: ${{ secrets.SECRET_KEY }} | |
| steps: | |
| - name: Docker Hub Login | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_API_KEY }} | |
| - name: Pull Dev Docker Image | |
| run: | | |
| docker pull ${{ secrets.DOCKER_USERNAME }}/${{ secrets.HEROKU_APP_NAME }}:dev | |
| - name: Run Tests and Linting Inside Docker Container | |
| run: | | |
| docker run --rm \ | |
| --network=host \ | |
| -e DATABASE_URL=postgresql://runner:runner@localhost:5432/users \ | |
| -e DJANGO_ALLOWED_HOSTS="localhost 127.0.0.1 [::1]" \ | |
| -e SECRET_KEY=${{ secrets.SECRET_KEY }} \ | |
| ${{ secrets.DOCKER_USERNAME }}/${{ secrets.HEROKU_APP_NAME }}:dev \ | |
| bash -c " | |
| export DEBUG=1 && | |
| pytest -p no:warnings --cov=. && | |
| black . --check --exclude='migrations|env' && | |
| ruff check . --fix --exclude 'tests/*,movies/migrations/*,tasks.py,drf_project/settings.py' && | |
| export DEBUG=0 && | |
| python manage.py check --deploy --fail-level=WARNING | |
| " | |
| - name: Cache Trivy DB | |
| uses: actions/cache@v3 | |
| with: | |
| path: ./trivy_cache | |
| key: ${{ runner.os }}-trivy-db | |
| restore-keys: | | |
| ${{ runner.os }}-trivy-db | |
| - name: Security Scan with Trivy | |
| env: | |
| TRIVY_CACHE_DIR: ./trivy_cache | |
| run: | | |
| docker run --rm \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v $TRIVY_CACHE_DIR:/root/.cache/trivy \ | |
| aquasec/trivy image \ | |
| --scanners vuln \ | |
| --severity MEDIUM,HIGH,CRITICAL \ | |
| ${{ secrets.DOCKER_USERNAME }}/${{ secrets.HEROKU_APP_NAME }}:dev | |
| # Build Production Docker Image | |
| build-prod-image: | |
| name: Build and Deploy Production Docker Image to Heroku | |
| runs-on: ubuntu-latest | |
| needs: test-and-lint | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Heroku CLI | |
| run: | | |
| curl https://cli-assets.heroku.com/install.sh | sh | |
| - name: Docker Login to Heroku Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: registry.heroku.com | |
| username: _ | |
| password: ${{ secrets.HEROKU_API_KEY }} | |
| - name: Build and Tag Prod Docker Image for Heroku | |
| env: | |
| DJANGO_ALLOWED_HOSTS: ".herokuapp.com" # For production | |
| run: | | |
| docker build \ | |
| --platform linux/amd64 \ | |
| --file development/Dockerfile.prod \ | |
| --build-arg REQUIREMENTS_FILE=requirements.txt \ | |
| --tag registry.heroku.com/${{ secrets.HEROKU_APP_NAME }}/web . | |
| - name: Push Prod Docker Image to Heroku | |
| run: | | |
| docker push registry.heroku.com/${{ secrets.HEROKU_APP_NAME }}/web | |
| - name: Release to Heroku | |
| env: | |
| HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }} | |
| run: | | |
| heroku container:release web --app ${{ secrets.HEROKU_APP_NAME }} |