Skip to content

CI/CD overhaul: scans, Dependabot, GitVersion release + image publishing#46

Merged
D4M13N-D3V merged 1 commit into
mainfrom
ci/pipeline-overhaul
Jun 1, 2026
Merged

CI/CD overhaul: scans, Dependabot, GitVersion release + image publishing#46
D4M13N-D3V merged 1 commit into
mainfrom
ci/pipeline-overhaul

Conversation

@D4M13N-D3V

Copy link
Copy Markdown
Owner

What

Replaces the single build-image.yml with a personal-website-style pipeline, adapted for this .NET 8 repo.

New workflows

File Purpose
ci.yml Restore/build deployable projects (api + migrator), docker build (no push), report-only Trivy fs scan → Security tab. PRs + main.
codeql.yml CodeQL csharp (security-and-quality), PRs + weekly.
gitleaks.yml Full-history secret scan, PRs + weekly.
release.yml GitVersion tag → GHCR image publish gated on a Trivy image scan (fails on fixable HIGH/CRITICAL) → generated GitHub Release.
sdk-publish.yml C# SDK → GitHub Packages (NuGet) + generated JS SDK → GitHub Packages (npm), retargeted to D4M13N-D3V. Decoupled from releases.
dependabot.yml nuget + github-actions + docker, weekly, grouped.

Also

  • Fixes the misspelled swagger output path in comissions.app.api.csproj (commissionscomissions) that broke SDK generation.
  • Removes the obsolete build-image.yml.
  • Adds dependencies / ci / docker labels used by Dependabot.

Verified locally

  • All 6 YAML files parse.
  • docker build -f src/comissions.app.api/Dockerfile . succeeds with root context (matches the workflow config).
  • API + migrator projects build in Release.

Notes / follow-ups

  • Image: ghcr.io/d4m13n-d3v/comissions-app-core-api (lowercased for GHCR).
  • The SDK jobs boot the API headless to generate swagger.json (dummy Auth0/DB env supplied). They're intentionally decoupled so SDK-gen problems never block image releases — but please sanity-check the first sdk-publish run; the swagger-gen post-build target is the fragile part.
  • GHCR package visibility may default to private; flip to public in package settings if you want pulls without auth.
  • No real unit tests exist yet — the CI "Test" step is a placeholder to fill once test projects are added.

Closes #6? No — credential rotation is still a separate manual task.

Replaces the single build-image.yml with a personal-website-style setup,
adapted for .NET 8:

- ci.yml: restore/build the deployable projects (api + migrator), docker
  build (no push), and a report-only Trivy filesystem scan -> Security tab.
- codeql.yml: CodeQL analysis for csharp (security-and-quality), PRs +
  weekly schedule.
- gitleaks.yml: full-history secret scan, PRs + weekly schedule.
- release.yml: GitVersion-driven tag, GHCR image publish gated on a Trivy
  image scan (fails on fixable HIGH/CRITICAL), and a generated GitHub
  Release. Image name lowercased for GHCR.
- sdk-publish.yml: C# SDK -> GitHub Packages (NuGet) and generated JS SDK
  -> GitHub Packages (npm), retargeted from the stale data443 feed to the
  D4M13N-D3V namespace. Decoupled from releases so SDK-gen issues never
  block image publishing.
- dependabot.yml: nuget + github-actions + docker, weekly, grouped.

Also fixes the misspelled swagger output path in comissions.app.api.csproj
(commissions -> comissions) that broke SDK generation.

Docker build verified locally against root context.
@D4M13N-D3V D4M13N-D3V added the ci CI/CD label Jun 1, 2026
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@D4M13N-D3V D4M13N-D3V merged commit 7a914ae into main Jun 1, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci CI/CD

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Rotate all leaked credentials (Stripe, Auth0, imgcdn, Postgres)

2 participants