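---
# CI/CD pipeline: lint/test on every push and PR, then (pushes only) build a
# multi-arch image, push it to the registry, scan the pushed image with Trivy,
# and deploy develop -> staging and v* tags -> production.
name: Build Multi-Arch Container Image

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - develop
    tags:
      - "v*"
  pull_request:
    branches:
      - main
      - develop

# Least-privilege default for the workflow token; jobs that need more
# (e.g. SARIF upload) opt in with their own `permissions` block.
permissions:
  contents: read

env:
  REGISTRY: gitea-http.taildb3494.ts.net
  IMAGE_NAME: will/unitforge

jobs:
  # Lint, unit tests with coverage and the project's static security check.
  # Runs for pushes and pull requests; every later job depends on it.
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install uv
        uses: astral-sh/setup-uv@v3
        with:
          version: "latest"

      - name: Set up Python
        run: uv python install 3.11

      - name: Install dependencies
        run: |
          uv venv
          uv pip install -e ".[dev]"

      - name: Run linting
        run: |
          source .venv/bin/activate
          make lint

      - name: Run tests
        run: |
          source .venv/bin/activate
          make test-cov

      - name: Security check
        run: |
          source .venv/bin/activate
          make security-check

  # Build and publish the multi-arch image. Skipped for pull requests so
  # untrusted PR code never reaches the registry credentials.
  build-and-push:
    needs: test
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    # The pushed image digest is exported so `security-scan` can reference
    # exactly the artifact that was published, independent of tag naming.
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: network=host

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
          password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          # `{{...}}` here is metadata-action template syntax, not a GitHub
          # expression. Note the sha tag is `<branch>-<short sha>`, NOT the
          # full `github.sha`; do not address the image by `:${{ github.sha }}`.
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
            type=raw,value=latest,enable={{is_default_branch}}
            type=sha,prefix={{branch}}-

      # Fail early if vendored frontend assets are missing so a broken image
      # is never published.
      - name: Verify vendor assets
        run: |
          if [ ! -f frontend/static/vendor/bootstrap/css/bootstrap.min.css ]; then
            echo "Error: Missing bootstrap CSS file"
            exit 1
          fi
          if [ ! -f frontend/static/vendor/bootstrap/js/bootstrap.bundle.min.js ]; then
            echo "Error: Missing bootstrap JS file"
            exit 1
          fi
          if [ ! -f frontend/static/vendor/fontawesome/css/all.min.css ]; then
            echo "Error: Missing FontAwesome CSS file"
            exit 1
          fi
          if [ ! -f frontend/static/vendor/fontawesome/webfonts/fa-solid-900.woff2 ]; then
            echo "Error: Missing FontAwesome font file"
            exit 1
          fi
          if [ ! -f frontend/static/img/osi-logo.svg ]; then
            echo "Error: Missing OSI logo"
            exit 1
          fi
          echo "All vendor assets verified"

      - name: Build and push multi-arch image
        # `id` is required: the digest step and the job output read
        # `steps.build.outputs.digest`, which is empty without it.
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            BUILDKIT_INLINE_CACHE=1

      - name: Image digest
        run: echo "${{ steps.build.outputs.digest }}"

  # Scan the image that was actually pushed. With trivy-action's default
  # exit-code the scan is informational only: findings are uploaded but do
  # not fail this job, so the deploy jobs' `needs` on it is not a real gate.
  # Set `exit-code: "1"` (optionally with `severity:`) to enforce one.
  security-scan:
    needs: build-and-push
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
    steps:
      # Log in before scanning so a private registry pull of the image works;
      # harmless if anonymous pulls are allowed.
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.CONTAINER_REGISTRY_USERNAME }}
          password: ${{ secrets.CONTAINER_REGISTRY_PASSWORD }}

      - name: Run Trivy vulnerability scanner
        # `@master` is a mutable ref; pin to a release tag or commit SHA so
        # the scanner itself cannot change underneath the pipeline.
        uses: aquasecurity/trivy-action@master
        with:
          # Address by digest rather than `:${{ github.sha }}` — no such tag
          # is produced by the metadata step above, and the digest pins the
          # scan to the exact artifact that was pushed.
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push.outputs.digest }}
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: "trivy-results.sarif"

  # Pushes to `develop` deploy the `develop` tag to the staging environment.
  deploy-staging:
    needs: [build-and-push, security-scan]
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/develop'
    environment: staging
    steps:
      - name: Deploy to staging
        run: |
          echo "Deploying ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:develop to staging environment"
          # Add your staging deployment commands here
          # This could include updating k8s manifests, helm charts, etc.

  # `v*` tags deploy the matching semver tag to the production environment.
  deploy-production:
    needs: [build-and-push, security-scan]
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    environment: production
    steps:
      - name: Deploy to production
        run: |
          echo "Deploying ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} to production environment"
          # Add your production deployment commands here
          # This could include updating k8s manifests, helm charts, etc.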