promethus/.github/workflows/ci.yml at main · AlphaSudo/promethus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
# .github/workflows/ci.yml
# Prometheus Banking Platform - Continuous Integration Pipeline
# Triggers on push to main/develop and PRs to main

name: CI

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

env:
  JAVA_VERSION: '21'
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}/prometheus-app

jobs:
  # ═══════════════════════════════════════════════════════════════════════════
  # BUILD & TEST
  # ═══════════════════════════════════════════════════════════════════════════
  build:
    name: Build & Test
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Set up JDK 21
      uses: actions/setup-java@v4
      with:
        java-version: ${{ env.JAVA_VERSION }}
        distribution: 'temurin'
        cache: gradle

    - name: Grant execute permission for gradlew
      run: |
        if [ -d "services" ]; then
          find services -name "gradlew" -exec chmod +x {} \;
        fi

    - name: Build all services
      run: |
        echo "Build step - services not yet created"
        # cd services/account-service && ./gradlew build -x test
        # cd services/transaction-service && ./gradlew build -x test
        # cd services/api-gateway && ./gradlew build -x test

    - name: Run Unit Tests
      run: |
        echo "Unit tests - services not yet created"
        # cd services/account-service && ./gradlew test

    - name: Run Integration Tests
      run: |
        echo "Integration tests - services not yet created"
        # cd services/account-service && ./gradlew integrationTest

  # ═══════════════════════════════════════════════════════════════════════════
  # SECURITY SCANNING
  # ═══════════════════════════════════════════════════════════════════════════
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Run Trivy vulnerability scanner (filesystem)
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'table'
        exit-code: '0'  # Don't fail on vulnerabilities for now
        severity: 'CRITICAL,HIGH'

  # ═══════════════════════════════════════════════════════════════════════════
  # KUBERNETES MANIFEST SCANNING
  # ═══════════════════════════════════════════════════════════════════════════
  kubescape-scan:
    name: Kubernetes Security Scan
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Kubescape scan
      uses: kubescape/github-action@main
      with:
        files: "k8s/"
        framework: nsa
        format: sarif
        outputFile: kubescape-results.sarif
      continue-on-error: true  # Don't fail build on security warnings

    - name: Upload Kubescape results
      uses: github/codeql-action/upload-sarif@v3
      if: always()
      with:
        sarif_file: kubescape-results.sarif
      continue-on-error: true

  # ═══════════════════════════════════════════════════════════════════════════
  # DOCKER BUILD & PUSH (only on main branch)
  # ═══════════════════════════════════════════════════════════════════════════
  push-image:
    name: Build & Push Docker Image
    runs-on: ubuntu-latest
    needs: [build, security-scan]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'

    permissions:
      contents: read
      packages: write

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    - name: Login to GitHub Container Registry
      uses: docker/login-action@v3
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Extract metadata for Docker
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
        tags: |
          type=sha,prefix=
          type=raw,value=latest

    - name: Build and push Docker image
      uses: docker/build-push-action@v5
      with:
        context: ./services
        file: ./services/Dockerfile.dev.template
        push: false  # Set to true when services are ready
        tags: ${{ steps.meta.outputs.tags }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha
        cache-to: type=gha,mode=max