Skip to content

Migrate Jenkins pipelines to GitHub Actions#196

Open
devin-ai-integration[bot] wants to merge 3 commits into
DevOpsfrom
devin/1778097214-migrate-jenkins-to-gh-actions
Open

Migrate Jenkins pipelines to GitHub Actions#196
devin-ai-integration[bot] wants to merge 3 commits into
DevOpsfrom
devin/1778097214-migrate-jenkins-to-gh-actions

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented May 6, 2026

Copy link
Copy Markdown

Summary

Migrates the existing Jenkins-based CI/CD pipelines (Jenkinsfile, GitOps/Jenkinsfile, and the shared vars/*.groovy library) to native GitHub Actions workflows.

What changed

  • Added .github/workflows/ci.yml — mirrors the original Jenkinsfile stages on push / pull_request to DevOps and on manual workflow_dispatch:

    • Checkout (replaces Workspace cleanup + Git: Code Checkout)
    • JDK 17 (Temurin) with Maven cache
    • Trivy filesystem scan (aquasecurity/trivy-action@master)
    • OWASP Dependency Check (dependency-check/Dependency-Check_Action@1.1.0) + report upload
    • SonarQube scan + Quality Gate (SonarSource/sonarqube-scan-action@v5, SonarSource/sonarqube-quality-gate-action@v1) — runs only when SONAR_TOKEN and SONAR_HOST_URL secrets are configured
    • Docker build via docker/build-push-action (uses repo Dockerfile); pushes to Docker Hub only on push/workflow_dispatch and only when DOCKERHUB_USERNAME + DOCKERHUB_TOKEN secrets are set
    • Archives *.xml reports as a build artifact (replaces archiveArtifacts artifacts: '*.xml')
    • On success, dispatches the CD workflow with the Docker tag (replaces build job: "BankApp-CD")
  • Added .github/workflows/cd.yml — mirrors GitOps/Jenkinsfile:

    • Triggered by the CI workflow's dispatch (or repository_dispatch / manual run) with a docker_tag input
    • Updates the trainwithshubham/bankapp-eks:<tag> image reference in the bankapp deployment manifest under kubernetes/
    • Commits and pushes the change back to DevOps (uses GITOPS_TOKEN if set, otherwise the default GITHUB_TOKEN); appends [skip ci] to avoid retrigger loops
  • Removed Jenkins infrastructure: Jenkinsfile, GitOps/Jenkinsfile, and the entire vars/ shared library (16 .groovy files + README).

  • Updated Dockerfile to use currently-available base images. The previous maven:3.8.3-openjdk-17 and openjdk:17-alpine tags were removed/deprecated from Docker Hub and the build was unable to resolve them. Switched to:

    • maven:3.9-eclipse-temurin-17 (build stage)
    • eclipse-temurin:17-jre-alpine (runtime stage)

    Verified the multi-stage build succeeds locally with the new base images.

Required repo secrets to fully enable the pipeline

The workflow runs out-of-the-box for the build/scan stages. The following GitHub Actions secrets need to be set for the corresponding stages to do real work (otherwise they no-op safely):

Secret Purpose
DOCKERHUB_USERNAME Docker Hub user that owns the published bankapp image (defaults to madhupdevops to match the prior Jenkins config if not set)
DOCKERHUB_TOKEN Docker Hub access token — required to actually push the image
SONAR_TOKEN SonarQube token — required to run the analysis
SONAR_HOST_URL SonarQube server URL
GITOPS_TOKEN (optional) PAT with contents:write for the manifest commit-back step. The default GITHUB_TOKEN works for same-repo pushes; only needed if pushing to a different repo or to bypass branch protections

Notable nuances

  • Original Jenkinsfile did not run mvn test directly — the Dockerfile builds with -DskipTests=true. The migration preserves this behavior.
  • The original GitOps/Jenkinsfile sed-edited kubernetes/bankapp-deployment.yaml, but the actual file in the repo is kubernetes/bankapp-deployment.yml. The new CD workflow tries .yaml first then falls back to .yml, so it works either way.
  • Trivy is configured with exit-code: '0' to match the original trivy fs . (no failure threshold). It's also marked continue-on-error: true because the action's DB downloads occasionally rate-limit on public runners — matching the informational nature of the original step.
  • OWASP Dependency Check is also continue-on-error: true, mirroring how the original Jenkins job didn't gate on dependency-check findings (it just published the report).
  • The Quality Gate step is continue-on-error: true to match abortPipeline: false in the Groovy helper.

Review & Testing Checklist for Human

  • Configure the DOCKERHUB_USERNAME / DOCKERHUB_TOKEN repo secrets and run the CI workflow once (push to DevOps or workflow_dispatch) to confirm the image is pushed and the CD workflow updates the manifest as expected.
  • Configure SONAR_TOKEN / SONAR_HOST_URL (or accept that those stages are skipped) and confirm SonarQube reflects a fresh analysis.
  • Verify the bot account / GITHUB_TOKEN push from CD does not run afoul of branch protection on DevOps. If protected, set GITOPS_TOKEN to a PAT with the necessary permissions.
  • Confirm you're OK with the Dockerfile base image updates — the old openjdk:17-alpine and maven:3.8.3-openjdk-17 tags no longer exist on Docker Hub, so this change is required for the build to succeed anywhere fresh.
  • Confirm you're OK removing the Jenkins infrastructure (Jenkinsfile, GitOps/, vars/). The cicd.md and Jenkins setup notes in README.md are intentionally left untouched in this PR — happy to follow up to update docs if desired.

Notes

  • Image tag defaults to short commit SHA when triggered by push/PR. Manual workflow_dispatch runs accept a custom tag, mirroring the original DOCKER_TAG parameter.
  • The Jenkins vars/ shared library was removed entirely since it was specific to Jenkins shared library conventions and has no equivalent in GitHub Actions (the logic is inlined into ci.yml / cd.yml).

Link to Devin session: https://app.devin.ai/sessions/6a9cd1872abc4779b36d38ed1f69559e
Requested by: @vanessasalas-cog


Devin Review

Status Commit
⚪ Not started

Run Devin Review

💡 Connect your GitHub account to enable automatic code reviews.

Open in Devin Review (Staging)

Co-Authored-By: vanessa.salas <vanessa.salas@cognition.ai>
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration Bot and others added 2 commits May 6, 2026 19:59
Co-Authored-By: vanessa.salas <vanessa.salas@cognition.ai>
Co-Authored-By: vanessa.salas <vanessa.salas@cognition.ai>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant