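---
# CI/CD for the MERN app: build and run the Docker test containers, gate on
# test results, coverage and security scans, then push the backend subtree to
# Heroku for pushes to main.
#
# Security-relevant design points:
#   * GITHUB_TOKEN is read-only by default; each job widens it only where an
#     action needs more.
#   * The .env files written for the test run hold placeholder values only.
#     Real credentials must come from `secrets.*`, never from this file.
#   * The backend test container's exit status is enforced, so a red test run
#     cannot reach the deploy job on the strength of a coverage number alone.
#   * The Heroku API key is handed to git via a credential helper rather than
#     being embedded in the remote URL.
name: CI/CD - Docker Test, Audit, and Deploy MERN

on:
  push:
    branches: ["**"]
  pull_request:

# Least privilege for GITHUB_TOKEN across the workflow.
permissions:
  contents: read

jobs:
  build-test-security:
    name: Test (Docker), Security Audit, and Coverage
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # CodeQL uploads its SARIF results
      pull-requests: write  # NOTE(review): assumed required for cobertura-action's PR comment -- confirm
    steps:
      # NOTE(review): major-version tags such as @v4 are mutable references. For
      # supply-chain integrity pin every third-party action to a full commit SHA
      # (e.g. `uses: actions/checkout@<sha>  # v4.x.y`) and let Dependabot bump it.
      - name: Checkout Code
        uses: actions/checkout@v4

      # Node on the runner is only used by the `npm audit` steps below; the tests
      # themselves run inside Docker.
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'  # LTS line; 21 is an odd-numbered, end-of-life release

      # The previous actions/cache steps for backend/frontend node_modules were
      # removed: nothing in this job runs `npm ci`/`npm install` on the runner
      # (`npm audit` only needs the lockfile), so the cache was never populated,
      # and a stale restore could only have leaked into the Docker build context.

      # Placeholder configuration for the test containers. These are dummy
      # values, not secrets -- keep it that way. Anything real belongs in
      # `secrets.*`, passed through `env:`, and must never be echoed to the log.
      # The heredoc delimiter is quoted so the shell expands nothing in the body.
      - name: Write .env files for backend and frontend
        working-directory: ./code
        run: |
          # Backend .env
          cat <<'EOF' > backend/.env
          PORT=5500
          NODE_ENV=development
          MONGO_URI=your_mongodb_atlas_connection_string
          SECRET=your_jwt_secret_here
          OPENAI_API_KEY=your_openai_api_key_here
          FIREBASE_API_KEY=your_firebase_api_key
          FIREBASE_AUTH_DOMAIN=your_project_id.firebaseapp.com
          FIREBASE_PROJECT_ID=your_firebase_project_id
          FIREBASE_STORAGE_BUCKET=your_project_id.firebasestorage.app
          FIREBASE_MESSAGING_SENDER_ID=your_sender_id
          FIREBASE_APP_ID=your_firebase_app_id
          EOF
          # Frontend .env
          echo "VITE_GOOGLE_CLIENT_ID=your_google_client_id_here" > frontend/.env

      - name: Validate Docker Compose
        working-directory: ./code
        run: docker compose config

      - name: Start Test Containers
        working-directory: ./code
        run: docker compose --profile test up -d --build

      # Block until the backend test container exits and record its status.
      # The status is enforced only after the logs have been printed, so a
      # failing run is still diagnosable from the job output.
      - name: Wait for backend-test container to finish
        run: |
          rc=$(docker wait my-magical-bedtime-backend-test)
          echo "backend-test exited with status $rc"
          echo "BACKEND_TEST_RC=$rc" >> "$GITHUB_ENV"

      - name: Backend Test Logs
        run: docker logs my-magical-bedtime-backend-test

      # NOTE(review): the frontend container is never waited on, so its result
      # is informational only. If its test command exits on completion, add a
      # `docker wait` for it and enforce that status as well.
      - name: Frontend Test Logs
        run: docker logs my-magical-bedtime-frontend-test

      # A non-zero exit from the test container fails the job. Previously the
      # status was discarded (`docker wait ... || true`) and the only gate on
      # the test run was the coverage threshold.
      - name: Fail if backend tests failed
        run: |
          if [ "${BACKEND_TEST_RC:-1}" != "0" ]; then
            echo "::error::backend tests failed (exit status ${BACKEND_TEST_RC:-unknown})"
            exit 1
          fi

      # Files under backend/coverage may be root-owned if docker-compose.yml
      # bind-mounts it into a root-running container -- TODO(review): confirm.
      # Take ownership instead of opening the tree to the world with chmod 777.
      - name: Take ownership of the coverage directory
        working-directory: ./code
        run: |
          if [ -d ./backend/coverage ]; then
            sudo chown -R "$(id -u):$(id -g)" ./backend/coverage
          fi

      # Copy into a temp name first, then rename, so a partially written report
      # is never picked up by the upload step.
      - name: Copy coverage report from container
        working-directory: ./code
        run: |
          mkdir -p ./backend/coverage
          rm -f ./backend/coverage/tmp-cobertura.xml
          docker cp my-magical-bedtime-backend-test:/app/coverage/cobertura-coverage.xml \
            ./backend/coverage/tmp-cobertura.xml
          mv -f ./backend/coverage/tmp-cobertura.xml ./backend/coverage/cobertura-coverage.xml

      # Always tear the containers down, even when an earlier step failed.
      - name: Stop Test Containers
        if: always()
        working-directory: ./code
        run: docker compose --profile test down

      - name: Verify coverage file
        run: |
          if [ ! -f ./code/backend/coverage/cobertura-coverage.xml ]; then
            echo "::error::coverage report ./code/backend/coverage/cobertura-coverage.xml not found"
            exit 1
          fi
          echo "✅ Found coverage file"

      - name: Upload code coverage
        uses: 5monkeys/cobertura-action@master  # TODO(review): @master is a mutable ref; pin to a release tag or commit SHA
        with:
          path: ./code/backend/coverage/cobertura-coverage.xml
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          minimum_coverage: 75

      # `npm audit` reads package-lock.json and queries the registry; it exits
      # non-zero when a HIGH or CRITICAL advisory is found, which fails the job.
      - name: Run npm audit (backend)
        working-directory: ./code/backend
        run: npm audit --audit-level=high

      - name: Run npm audit (frontend)
        working-directory: ./code/frontend
        run: npm audit --audit-level=high

      # CodeQL Action v2 is deprecated; v3 is the supported line.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript

      - name: Static Analysis (CodeQL)
        uses: github/codeql-action/analyze@v3

      # Scan this repository's own files and lockfiles rather than the upstream
      # `node:latest` image, which says nothing about what is built here. The
      # scan now gates on HIGH/CRITICAL vulnerabilities (matching the npm audit
      # level) and on committed secrets; before, its exit code was ignored.
      - name: Dependency and Secret Scan (Trivy)
        uses: aquasecurity/trivy-action@master  # TODO(review): @master is a mutable ref; pin to a release tag or commit SHA
        with:
          scan-type: 'fs'
          scan-ref: './code'
          scanners: 'vuln,secret'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true
          exit-code: '1'
          format: 'table'

  deploy-backend:
    name: Deploy Backend to Heroku
    runs-on: ubuntu-latest
    needs: [build-test-security]
    # Only genuine pushes to main deploy; pull_request runs (including from
    # forks) never reach this job.
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    # Serialize deploys so two pushes in quick succession cannot race each other.
    concurrency:
      group: deploy-backend-heroku
      cancel-in-progress: false
    permissions:
      contents: read
    # NOTE(review): consider `environment: production` so environment
    # protection rules and environment-scoped secrets guard HEROKU_API_KEY.
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # git subtree needs full history to split code/backend

      - name: Deploy Backend to Heroku
        env:
          HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}
        run: |
          if [ -z "$HEROKU_API_KEY" ]; then
            echo "::error::HEROKU_API_KEY secret is not configured"
            exit 1
          fi
          git remote add heroku https://git.heroku.com/mymagicalbedtime.git
          # Hand the API key to git through a credential helper instead of
          # embedding it in the remote URL, so it is never written into
          # .git/config and is far less likely to surface in git's own output.
          git -c credential.helper='!f() { echo "username=heroku"; echo "password=$HEROKU_API_KEY"; }; f' \
            subtree push --prefix code/backend heroku main

      - name: Confirm Deployment
        run: |
          echo "✅ Deployed at: https://mymagicalbedtime-25abceb2c11f.herokuapp.com/"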