CI/CD overhaul: scans, Dependabot, GitVersion release + image publishing#46
Merged
Conversation
Replaces the single build-image.yml with a personal-website-style setup, adapted for .NET 8: - ci.yml: restore/build the deployable projects (api + migrator), docker build (no push), and a report-only Trivy filesystem scan -> Security tab. - codeql.yml: CodeQL analysis for csharp (security-and-quality), PRs + weekly schedule. - gitleaks.yml: full-history secret scan, PRs + weekly schedule. - release.yml: GitVersion-driven tag, GHCR image publish gated on a Trivy image scan (fails on fixable HIGH/CRITICAL), and a generated GitHub Release. Image name lowercased for GHCR. - sdk-publish.yml: C# SDK -> GitHub Packages (NuGet) and generated JS SDK -> GitHub Packages (npm), retargeted from the stale data443 feed to the D4M13N-D3V namespace. Decoupled from releases so SDK-gen issues never block image publishing. - dependabot.yml: nuget + github-actions + docker, weekly, grouped. Also fixes the misspelled swagger output path in comissions.app.api.csproj (commissions -> comissions) that broke SDK generation. Docker build verified locally against root context.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Replaces the single
build-image.ymlwith a personal-website-style pipeline, adapted for this .NET 8 repo.New workflows
ci.ymlcodeql.ymlcsharp(security-and-quality), PRs + weekly.gitleaks.ymlrelease.ymlsdk-publish.ymlD4M13N-D3V. Decoupled from releases.dependabot.ymlnuget+github-actions+docker, weekly, grouped.Also
comissions.app.api.csproj(commissions→comissions) that broke SDK generation.build-image.yml.dependencies/ci/dockerlabels used by Dependabot.Verified locally
docker build -f src/comissions.app.api/Dockerfile .succeeds with root context (matches the workflow config).Notes / follow-ups
ghcr.io/d4m13n-d3v/comissions-app-core-api(lowercased for GHCR).swagger.json(dummy Auth0/DB env supplied). They're intentionally decoupled so SDK-gen problems never block image releases — but please sanity-check the firstsdk-publishrun; the swagger-gen post-build target is the fragile part.Closes #6? No — credential rotation is still a separate manual task.