Add security notice clarifying placeholder tokens in git history #74
| name: CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main] | |
| schedule: | |
| - cron: '0 0 * * 0' # Weekly security scan | |
| jobs: | |
| lint: | |
| name: Lint Code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run ESLint | |
| run: npm run lint | |
| - name: Check Prettier formatting | |
| run: npx prettier --check "**/*.{js,json,md}" | |
| test-node: | |
| name: Test Node.js | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| strategy: | |
| matrix: | |
| node-version: [16.x, 18.x, 20.x] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run tests with coverage | |
| run: npm test -- --coverage | |
| - name: Upload coverage | |
| if: matrix.node-version == '18.x' | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| file: ./coverage/lcov.info | |
| flags: unittests | |
| name: codecov-umbrella | |
| test-python: | |
| name: Test Python | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| strategy: | |
| matrix: | |
| python-version: ['3.9', '3.10', '3.11'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Cache pip | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install pytest pytest-cov flake8 black | |
| - name: Lint with flake8 | |
| run: flake8 python-automation --count --max-complexity=10 --max-line-length=100 | |
| - name: Check formatting with black | |
| run: black --check python-automation | |
| - name: Run tests | |
| run: pytest --cov=python-automation --cov-report=xml | |
| - name: Upload coverage | |
| if: matrix.python-version == '3.11' | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| file: ./coverage.xml | |
| flags: python | |
| name: codecov-python | |
| test-powershell: | |
| name: Test PowerShell | |
| runs-on: windows-latest | |
| needs: lint | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Pester tests | |
| shell: pwsh | |
| run: | | |
| Install-Module -Name Pester -Force -SkipPublisherCheck | |
| Import-Module Pester | |
| $config = New-PesterConfiguration | |
| $config.Run.Path = './tests' | |
| $config.Output.Verbosity = 'Detailed' | |
| $config.CodeCoverage.Enabled = $true | |
| Invoke-Pester -Configuration $config | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Run npm audit | |
| run: npm audit --production | |
| continue-on-error: true | |
| - name: Run pip safety check | |
| run: | | |
| pip install safety | |
| safety check --file requirements.txt | |
| continue-on-error: true | |
| build-docker: | |
| name: Build Docker Images | |
| runs-on: ubuntu-latest | |
| needs: [test-node, test-python, test-powershell] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and push API image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./infrastructure/Dockerfile.api | |
| push: true | |
| tags: | | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-api:latest | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-api:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push Python image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./infrastructure/Dockerfile.python | |
| push: true | |
| tags: | | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-python:latest | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-python:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push PowerShell image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./infrastructure/Dockerfile.powershell | |
| push: true | |
| tags: | | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-powershell:latest | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-powershell:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| deploy: | |
| name: Deploy to Production | |
| runs-on: ubuntu-latest | |
| needs: [build-docker, security-scan] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| environment: production | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy to Kubernetes | |
| run: | | |
| echo "Deployment step - configure kubectl and apply manifests" | |
| # kubectl apply -f infrastructure/kubernetes/ | |
| - name: Verify deployment | |
| run: | | |
| echo "Verify deployment health" | |
| # kubectl rollout status deployment/adobe-automation-api | |
| release: | |
| name: Create Release | |
| runs-on: ubuntu-latest | |
| needs: deploy | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Create Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| files: | | |
| dist/* | |
| reports/* | |
| generate_release_notes: true |
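Review bot: The `security-scan` job pulls `aquasecurity/trivy-action@master`, a mutable branch ref, so the scanner that produces the SARIF uploaded to GitHub Security can change under the workflow without any commit here; pin it like the other actions, `uses: aquasecurity/trivy-action@<pinned release tag or commit SHA>`. The workflow also declares no `permissions:` block, so every job runs with the repository's default `GITHUB_TOKEN` scope; a top-level `permissions:` / `contents: read` with a job-level `security-events: write` on `security-scan` (and `contents: write` only where the release job needs it) would give least privilege and make the `upload-sarif` requirement explicit. Both `npm audit --production` and `safety check` carry `continue-on-error: true`, and `deploy` lists `security-scan` in its `needs`, so a failed dependency audit never blocks the production deploy; if that is intentional it deserves a comment, otherwise drop the flag or add a severity threshold on the Trivy step. Separately, the `release` job's step condition `startsWith(github.ref, 'refs/tags/')` can never hold because the job is guarded by `github.ref == 'refs/heads/main'` and `on.push` has no `tags:` filter, so the release step appears to be dead code as written.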