Trivy Removal: - Remove entire docker-security-scan job from security workflow - Remove Trivy vulnerability scanner from release workflow - Remove Trivy filesystem scan and related steps - Update security summary to reflect Trivy removal - Eliminates GitHub API authentication issues YAML Syntax Fixes: - Fix indentation errors in ci.yml (line 31) - Fix indentation errors in docs.yml (line 30) - Correct 'with:' block alignment with 'uses:' statements - Fix token parameter indentation (8 spaces standard) - Applied across all workflow files consistently Result: - All workflows now have valid YAML syntax - No more Trivy-related GitHub API calls - Cleaner, simpler security workflow - Workflows ready for successful execution
		
			
				
	
	
		
			341 lines
		
	
	
		
			9.3 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			341 lines
		
	
	
		
			9.3 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| name: CI/CD Pipeline - Northern Thailand Ping River Monitor
 | |
| 
 | |
| on:
 | |
|   push:
 | |
|     branches: [ main, develop ]
 | |
|   pull_request:
 | |
|     branches: [ main ]
 | |
|   schedule:
 | |
|     # Run tests daily at 2 AM UTC
 | |
|     - cron: '0 2 * * *'
 | |
| 
 | |
| env:
 | |
|   PYTHON_VERSION: '3.11'
 | |
|   REGISTRY: git.b4l.co.th
 | |
|   IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
 | |
|   # GitHub token for better rate limits and authentication
 | |
|   GH_TOKEN: ${{ secrets.GH_TOKEN }}
 | |
| 
 | |
| jobs:
 | |
|   # Test job
 | |
|   test:
 | |
|     name: Test Suite
 | |
|     runs-on: ubuntu-latest
 | |
|     strategy:
 | |
|       matrix:
 | |
|         python-version: ['3.9', '3.10', '3.11', '3.12']
 | |
|     
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Set up Python ${{ matrix.python-version }}
 | |
|       uses: actions/setup-python@v4
 | |
|       with:
 | |
|         python-version: ${{ matrix.python-version }}
 | |
|         
 | |
|     - name: Cache pip dependencies
 | |
|       uses: actions/cache@v3
 | |
|       with:
 | |
|         path: ~/.cache/pip
 | |
|         key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements*.txt') }}
 | |
|         restore-keys: |
 | |
|           ${{ runner.os }}-pip-
 | |
|           
 | |
|     - name: Install dependencies
 | |
|       run: |
 | |
|         python -m pip install --upgrade pip --root-user-action=ignore
 | |
|         pip install --root-user-action=ignore -r requirements.txt
 | |
|         pip install --root-user-action=ignore -r requirements-dev.txt
 | |
|         
 | |
|     - name: Lint with flake8
 | |
|       run: |
 | |
|         flake8 src/ --count --select=E9,F63,F7,F82 --show-source --statistics
 | |
|         flake8 src/ --count --exit-zero --max-complexity=10 --max-line-length=100 --statistics
 | |
|         
 | |
|     - name: Type check with mypy
 | |
|       run: |
 | |
|         mypy src/ --ignore-missing-imports
 | |
|         
 | |
|     - name: Format check with black
 | |
|       run: |
 | |
|         black --check src/ *.py
 | |
|         
 | |
|     - name: Import sort check
 | |
|       run: |
 | |
|         isort --check-only src/ *.py
 | |
|         
 | |
|     - name: Run integration tests
 | |
|       run: |
 | |
|         python tests/test_integration.py
 | |
|         
 | |
|     - name: Run station management tests
 | |
|       run: |
 | |
|         python tests/test_station_management.py
 | |
|         
 | |
|     - name: Test application startup
 | |
|       run: |
 | |
|         timeout 10s python run.py --test || true
 | |
|         
 | |
|     - name: Security scan with bandit
 | |
|       run: |
 | |
|         bandit -r src/ -f json -o bandit-report.json || true
 | |
|         
 | |
|     - name: Upload test artifacts
 | |
|       uses: actions/upload-artifact@v3
 | |
|       if: always()
 | |
|       with:
 | |
|         name: test-results-${{ matrix.python-version }}
 | |
|         path: |
 | |
|           bandit-report.json
 | |
|           *.log
 | |
| 
 | |
|   # Code quality job
 | |
|   code-quality:
 | |
|     name: Code Quality
 | |
|     runs-on: ubuntu-latest
 | |
|     
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Set up Python
 | |
|       uses: actions/setup-python@v4
 | |
|       with:
 | |
|         python-version: ${{ env.PYTHON_VERSION }}
 | |
|         
 | |
|     - name: Install dependencies
 | |
|       run: |
 | |
|         python -m pip install --upgrade pip --root-user-action=ignore
 | |
|         pip install --root-user-action=ignore -r requirements-dev.txt
 | |
|         
 | |
|     - name: Run safety check
 | |
|       run: |
 | |
|         safety check -r requirements.txt --json --output safety-report.json || true
 | |
|         
 | |
|     - name: Run bandit security scan
 | |
|       run: |
 | |
|         bandit -r src/ -f json -o bandit-report.json || true
 | |
|         
 | |
|     - name: Upload security reports
 | |
|       uses: actions/upload-artifact@v3
 | |
|       with:
 | |
|         name: security-reports
 | |
|         path: |
 | |
|           safety-report.json
 | |
|           bandit-report.json
 | |
| 
 | |
|   # Build Docker image
 | |
|   build:
 | |
|     name: Build Docker Image
 | |
|     runs-on: ubuntu-latest
 | |
|     needs: test
 | |
|     
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Set up Docker Buildx
 | |
|       uses: docker/setup-buildx-action@v3
 | |
|       
 | |
|     - name: Log in to Container Registry
 | |
|       uses: docker/login-action@v3
 | |
|       with:
 | |
|         registry: ${{ env.REGISTRY }}
 | |
|         username: ${{ github.actor }}
 | |
|         password: ${{ secrets.GITEA_TOKEN }}
 | |
|         
 | |
|     - name: Extract metadata
 | |
|       id: meta
 | |
|       uses: docker/metadata-action@v5
 | |
|       with:
 | |
|         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 | |
|         tags: |
 | |
|           type=ref,event=branch
 | |
|           type=ref,event=pr
 | |
|           type=sha,prefix={{branch}}-
 | |
|           type=raw,value=latest,enable={{is_default_branch}}
 | |
|           
 | |
|     - name: Build and push Docker image
 | |
|       uses: docker/build-push-action@v5
 | |
|       with:
 | |
|         context: .
 | |
|         platforms: linux/amd64,linux/arm64
 | |
|         push: true
 | |
|         tags: ${{ steps.meta.outputs.tags }}
 | |
|         labels: ${{ steps.meta.outputs.labels }}
 | |
|         cache-from: type=gha
 | |
|         cache-to: type=gha,mode=max
 | |
|       env:
 | |
|         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
 | |
|         
 | |
|     - name: Test Docker image
 | |
|       run: |
 | |
|         docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} python run.py --test
 | |
| 
 | |
|   # Integration test with services
 | |
|   integration-test:
 | |
|     name: Integration Test with Services
 | |
|     runs-on: ubuntu-latest
 | |
|     needs: build
 | |
|     
 | |
|     services:
 | |
|       victoriametrics:
 | |
|         image: victoriametrics/victoria-metrics:latest
 | |
|         ports:
 | |
|           - 8428:8428
 | |
|         options: >-
 | |
|           --health-cmd "wget --quiet --tries=1 --spider http://localhost:8428/health"
 | |
|           --health-interval 30s
 | |
|           --health-timeout 10s
 | |
|           --health-retries 3
 | |
|           
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Wait for VictoriaMetrics
 | |
|       run: |
 | |
|         timeout 60s bash -c 'until curl -f http://localhost:8428/health; do sleep 2; done'
 | |
|         
 | |
|     - name: Set up Python
 | |
|       uses: actions/setup-python@v4
 | |
|       with:
 | |
|         python-version: ${{ env.PYTHON_VERSION }}
 | |
|         
 | |
|     - name: Install dependencies
 | |
|       run: |
 | |
|         python -m pip install --upgrade pip --root-user-action=ignore
 | |
|         pip install --root-user-action=ignore -r requirements.txt
 | |
|         
 | |
|     - name: Test with VictoriaMetrics
 | |
|       env:
 | |
|         DB_TYPE: victoriametrics
 | |
|         VM_HOST: localhost
 | |
|         VM_PORT: 8428
 | |
|       run: |
 | |
|         python run.py --test
 | |
|         
 | |
|     - name: Start API server
 | |
|       env:
 | |
|         DB_TYPE: victoriametrics
 | |
|         VM_HOST: localhost
 | |
|         VM_PORT: 8428
 | |
|       run: |
 | |
|         python run.py --web-api &
 | |
|         sleep 10
 | |
|         
 | |
|     - name: Test API endpoints
 | |
|       run: |
 | |
|         curl -f http://localhost:8000/health
 | |
|         curl -f http://localhost:8000/stations
 | |
|         curl -f http://localhost:8000/metrics
 | |
| 
 | |
|   # Deploy to staging (only on develop branch)
 | |
|   deploy-staging:
 | |
|     name: Deploy to Staging
 | |
|     runs-on: ubuntu-latest
 | |
|     needs: [test, build, integration-test]
 | |
|     if: github.ref == 'refs/heads/develop'
 | |
|     environment:
 | |
|       name: staging
 | |
|       url: https://staging.ping-river-monitor.b4l.co.th
 | |
|       
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Deploy to staging
 | |
|       run: |
 | |
|         echo "Deploying to staging environment..."
 | |
|         # Add your staging deployment commands here
 | |
|         # Example: kubectl, docker-compose, or webhook call
 | |
|         
 | |
|     - name: Health check staging
 | |
|       run: |
 | |
|         sleep 30
 | |
|         curl -f https://staging.ping-river-monitor.b4l.co.th/health
 | |
| 
 | |
|   # Deploy to production (only on main branch, manual approval)
 | |
|   deploy-production:
 | |
|     name: Deploy to Production
 | |
|     runs-on: ubuntu-latest
 | |
|     needs: [test, build, integration-test]
 | |
|     if: github.ref == 'refs/heads/main'
 | |
|     environment:
 | |
|       name: production
 | |
|       url: https://ping-river-monitor.b4l.co.th
 | |
|       
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Deploy to production
 | |
|       run: |
 | |
|         echo "Deploying to production environment..."
 | |
|         # Add your production deployment commands here
 | |
|         
 | |
|     - name: Health check production
 | |
|       run: |
 | |
|         sleep 30
 | |
|         curl -f https://ping-river-monitor.b4l.co.th/health
 | |
|         
 | |
|     - name: Notify deployment
 | |
|       run: |
 | |
|         echo "✅ Production deployment successful!"
 | |
|         echo "🌐 URL: https://ping-river-monitor.b4l.co.th"
 | |
|         echo "📊 Grafana: https://grafana.ping-river-monitor.b4l.co.th"
 | |
| 
 | |
|   # Performance test (only on main branch)
 | |
|   performance-test:
 | |
|     name: Performance Test
 | |
|     runs-on: ubuntu-latest
 | |
|     needs: deploy-production
 | |
|     if: github.ref == 'refs/heads/main'
 | |
|     
 | |
|     steps:
 | |
|     - name: Checkout code
 | |
|       uses: actions/checkout@v4
 | |
|       with:
 | |
|         token: ${{ secrets.CI_BOT_TOKEN }}
 | |
|       
 | |
|     - name: Install Apache Bench
 | |
|       run: |
 | |
|         sudo apt-get update
 | |
|         sudo apt-get install -y apache2-utils
 | |
|         
 | |
|     - name: Performance test API endpoints
 | |
|       run: |
 | |
|         # Test health endpoint
 | |
|         ab -n 100 -c 10 https://ping-river-monitor.b4l.co.th/health
 | |
|         
 | |
|         # Test stations endpoint
 | |
|         ab -n 50 -c 5 https://ping-river-monitor.b4l.co.th/stations
 | |
|         
 | |
|         # Test metrics endpoint
 | |
|         ab -n 50 -c 5 https://ping-river-monitor.b4l.co.th/metrics
 | |
| 
 | |
|   # Cleanup old artifacts
 | |
|   cleanup:
 | |
|     name: Cleanup
 | |
|     runs-on: ubuntu-latest
 | |
|     if: always()
 | |
|     needs: [test, build, integration-test]
 | |
|     
 | |
|     steps:
 | |
|     - name: Clean up old Docker images
 | |
|       run: |
 | |
|         echo "Cleaning up old Docker images..."
 | |
|         # Add cleanup commands for old images/artifacts |