Upload files to ".gitea/workflow"
This commit is contained in:
194
.gitea/workflow/test.yml
Normal file
194
.gitea/workflow/test.yml
Normal file
@@ -0,0 +1,194 @@
|
||||
name: Flask CI/CD Pipeline
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ main ]
|
||||
|
||||
env:
|
||||
IMAGE_NAME: 10.0.2.109:3000/gitea/arcade
|
||||
|
||||
jobs:
|
||||
format-and-auto-fix:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: "3.11"
|
||||
|
||||
- name: Install formatting dependencies
|
||||
run: |
|
||||
python -m venv venv
|
||||
. venv/bin/activate
|
||||
pip install --upgrade pip
|
||||
pip install -r requirements.txt
|
||||
pip install ruff
|
||||
|
||||
- name: Run Ruff auto-fix and formatting
|
||||
run: |
|
||||
. venv/bin/activate
|
||||
python -m ruff check . --fix --exclude venv,.venv
|
||||
python -m ruff format . --exclude venv,.venv
|
||||
|
||||
- name: Commit and push formatting changes
|
||||
run: |
|
||||
if [ -n "$(git status --porcelain)" ]; then
|
||||
git config --global user.name "gitea-actions[bot]"
|
||||
git config --global user.email "gitea-actions[bot]@local"
|
||||
git add .
|
||||
git commit -m "Auto-fix code style"
|
||||
git push
|
||||
else
|
||||
echo "No formatting changes to commit"
|
||||
fi
|
||||
|
||||
test-and-verify:
|
||||
needs: format-and-auto-fix
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Scan repository and git history for leaked secrets with Gitleaks
|
||||
run: |
|
||||
docker run --rm \
|
||||
-v "$PWD":/repo \
|
||||
ghcr.io/gitleaks/gitleaks:latest \
|
||||
git /repo --verbose
|
||||
|
||||
- name: Set up Python
|
||||
uses: actions/setup-python@v5
|
||||
with:
|
||||
python-version: "3.11"
|
||||
|
||||
- name: Install test and security dependencies
|
||||
run: |
|
||||
python -m venv venv
|
||||
. venv/bin/activate
|
||||
pip install --upgrade pip
|
||||
pip install -r requirements.txt
|
||||
pip install pytest pytest-cov pip-audit
|
||||
|
||||
- name: Run pytest with coverage
|
||||
run: |
|
||||
. venv/bin/activate
|
||||
PYTHONPATH=. pytest --cov=. --cov-report=term-missing
|
||||
|
||||
- name: Run lightweight input fuzzing against Flask test client
|
||||
run: |
|
||||
. venv/bin/activate
|
||||
python - <<'PY'
|
||||
import random
|
||||
import string
|
||||
from app import app
|
||||
|
||||
client = app.test_client()
|
||||
|
||||
samples = [
|
||||
"",
|
||||
"abc",
|
||||
"🔥",
|
||||
"één test",
|
||||
"<script>alert(1)</script>",
|
||||
"\x00",
|
||||
" " * 100,
|
||||
"a" * 10000,
|
||||
"🙂🙃😅",
|
||||
"漢字かなカナ",
|
||||
"\n\t\r",
|
||||
]
|
||||
|
||||
alphabet = string.ascii_letters + string.digits + string.punctuation + " 🙂🔥éäöü漢字\n\t"
|
||||
|
||||
for _ in range(100):
|
||||
size = random.randint(0, 512)
|
||||
samples.append("".join(random.choice(alphabet) for _ in range(size)))
|
||||
|
||||
for value in samples:
|
||||
response = client.post("/", data={"tekst": value})
|
||||
assert response.status_code == 200, f"Unexpected status code for input length {len(value)}"
|
||||
body = response.get_data(as_text=True)
|
||||
assert "Spiegelbeeld:" in body, "Expected response marker not found"
|
||||
|
||||
print(f"Lightweight fuzzing completed successfully for {len(samples)} inputs.")
|
||||
PY
|
||||
|
||||
- name: Scan Python dependencies with pip-audit
|
||||
run: |
|
||||
. venv/bin/activate
|
||||
pip-audit
|
||||
|
||||
- name: Start Flask app and run smoke test
|
||||
run: |
|
||||
. venv/bin/activate
|
||||
python app.py &
|
||||
APP_PID=$!
|
||||
sleep 5
|
||||
curl -f http://127.0.0.1:5000
|
||||
kill $APP_PID
|
||||
|
||||
build-scan-and-push-image:
|
||||
needs: test-and-verify
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Log in to Gitea container registry
|
||||
run: |
|
||||
echo "${{ secrets.DOCKER_PASSWORD }}" | docker login 10.0.2.109:3000 -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
|
||||
|
||||
- name: Build Docker images
|
||||
run: |
|
||||
docker build --pull -t $IMAGE_NAME:latest .
|
||||
docker build --pull -t $IMAGE_NAME:${{ gitea.sha }} .
|
||||
|
||||
- name: Verify Flask is available in container image
|
||||
run: |
|
||||
docker run --rm $IMAGE_NAME:latest python -c "import flask"
|
||||
|
||||
- name: Clean up old test containers
|
||||
run: |
|
||||
docker stop arcade-test || true
|
||||
docker rm -f arcade-test || true
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y wget gnupg lsb-release apt-transport-https
|
||||
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
|
||||
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y trivy
|
||||
|
||||
- name: Scan container image with Trivy
|
||||
run: |
|
||||
trivy image --exit-code 0 --severity HIGH,CRITICAL $IMAGE_NAME:latest
|
||||
|
||||
- name: Push container images
|
||||
run: |
|
||||
docker push $IMAGE_NAME:latest
|
||||
docker push $IMAGE_NAME:${{ gitea.sha }}
|
||||
|
||||
deploy-updated-container:
|
||||
needs: build-scan-and-push-image
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Redeploy container over SSH
|
||||
uses: appleboy/ssh-action@master
|
||||
with:
|
||||
host: 10.0.2.109
|
||||
username: ${{ secrets.SSH_USERNAME }}
|
||||
key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||
script: |
|
||||
cd ~/docker-compose/arcade/
|
||||
docker compose -f docker-compose.stable.yml down
|
||||
docker compose -f docker-compose.ci.yml pull
|
||||
docker compose -f docker-compose.ci.yml up -d
|
||||
Reference in New Issue
Block a user