Fix all Dependabot security vulnerabilities #87
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| lint: | |
| name: Lint Code | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: | | |
| if [ -f "package-lock.json" ]; then | |
| npm ci | |
| else | |
| npm install | |
| fi | |
| - name: Run ESLint | |
| run: npm run lint || true | |
| continue-on-error: true | |
| - name: Check Prettier formatting | |
| run: npx prettier --check "**/*.{js,json,md}" || true | |
| continue-on-error: true | |
| test-node: | |
| name: Test Node.js | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| strategy: | |
| matrix: | |
| node-version: [16.x, 18.x, 20.x] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: | | |
| if [ -f "package-lock.json" ]; then | |
| npm ci | |
| else | |
| npm install | |
| fi | |
| - name: Run tests with coverage | |
| run: npm test -- --coverage --passWithNoTests || true | |
| continue-on-error: true | |
| - name: Upload coverage | |
| if: matrix.node-version == '18.x' && success() | |
| uses: codecov/codecov-action@v4 | |
| with: | |
| file: ./coverage/lcov.info | |
| flags: unittests | |
| name: codecov-umbrella | |
| continue-on-error: true | |
| test-python: | |
| name: Test Python | |
| runs-on: ubuntu-latest | |
| needs: lint | |
| strategy: | |
| matrix: | |
| python-version: ['3.9', '3.10', '3.11'] | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Cache pip | |
| uses: actions/cache@v3 | |
| with: | |
| path: ~/.cache/pip | |
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install -r requirements.txt | |
| pip install pytest pytest-cov flake8 black | |
| - name: Lint with flake8 | |
| run: | | |
| if [ -d "python-automation" ]; then | |
| flake8 python-automation --count --max-complexity=10 --max-line-length=100 || echo "Flake8 warnings found" | |
| else | |
| echo "python-automation directory not found, skipping flake8" | |
| fi | |
| - name: Check formatting with black | |
| run: | | |
| if [ -d "python-automation" ]; then | |
| black --check python-automation || echo "Black formatting check completed" | |
| else | |
| echo "python-automation directory not found, skipping black" | |
| fi | |
| - name: Run tests | |
| run: | | |
| if [ -d "python-automation" ]; then | |
| pytest --cov=python-automation --cov-report=xml || echo "Python tests completed" | |
| else | |
| echo "No Python tests found, skipping" | |
| fi | |
| - name: Upload coverage | |
| if: matrix.python-version == '3.11' | |
| uses: codecov/codecov-action@v3 | |
| with: | |
| file: ./coverage.xml | |
| flags: python | |
| name: codecov-python | |
| test-powershell: | |
| name: Test PowerShell | |
| runs-on: windows-latest | |
| needs: lint | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Pester tests | |
| shell: pwsh | |
| run: | | |
| Install-Module -Name Pester -Force -SkipPublisherCheck | |
| Import-Module Pester | |
| $config = New-PesterConfiguration | |
| if (Test-Path './tests') { | |
| $config.Run.Path = './tests' | |
| $config.Output.Verbosity = 'Detailed' | |
| $config.CodeCoverage.Enabled = $true | |
| Invoke-Pester -Configuration $config | |
| } else { | |
| Write-Host "No tests directory found, skipping Pester tests" | |
| } | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Run npm audit | |
| run: | | |
| if [ -f "package.json" ]; then | |
| npm audit --production --audit-level=high || echo "npm audit completed with warnings" | |
| else | |
| echo "No package.json found, skipping npm audit" | |
| fi | |
| continue-on-error: true | |
| - name: Run pip safety check | |
| run: | | |
| if [ -f "requirements.txt" ]; then | |
| pip install safety | |
| safety check --file requirements.txt || echo "Safety check completed" | |
| else | |
| echo "No requirements.txt found, skipping safety check" | |
| fi | |
| continue-on-error: true | |
| build-docker: | |
| name: Build Docker Images | |
| runs-on: ubuntu-latest | |
| needs: [test-node, test-python, test-powershell] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and push API image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./infrastructure/Dockerfile.api | |
| push: true | |
| tags: | | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-api:latest | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-api:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push Python image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./infrastructure/Dockerfile.python | |
| push: true | |
| tags: | | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-python:latest | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-python:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push PowerShell image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| file: ./infrastructure/Dockerfile.powershell | |
| push: true | |
| tags: | | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-powershell:latest | |
| ${{ secrets.DOCKER_USERNAME }}/adobe-automation-powershell:${{ github.sha }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| deploy: | |
| name: Deploy to Production | |
| runs-on: ubuntu-latest | |
| needs: [build-docker, security-scan] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| environment: production | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Deploy to Kubernetes | |
| run: | | |
| echo "Deployment step - configure kubectl and apply manifests" | |
| # kubectl apply -f infrastructure/kubernetes/ | |
| - name: Verify deployment | |
| run: | | |
| echo "Verify deployment health" | |
| # kubectl rollout status deployment/adobe-automation-api | |
| release: | |
| name: Create Release | |
| runs-on: ubuntu-latest | |
| needs: deploy | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Create Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: softprops/action-gh-release@v1 | |
| with: | |
| files: | | |
| dist/* | |
| reports/* | |
| generate_release_notes: true |