lionel
0920051437
Some checks failed
Flask CI/CD Pipeline / format-and-auto-fix (push) Successful in 16s
Flask CI/CD Pipeline / test-and-verify (push) Successful in 32s
Flask CI/CD Pipeline / build-scan-and-push-image (push) Successful in 34s
Flask CI/CD Pipeline / deploy-updated-container (push) Failing after 3s
201 lines
6.0 KiB
YAML
201 lines
6.0 KiB
YAML
name: Flask CI/CD Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
|
|
env:
|
|
IMAGE_NAME: git.onlionel.com/lionel/arcade
|
|
|
|
jobs:
|
|
format-and-auto-fix:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Inspect environment
|
|
run: |
|
|
uname -a
|
|
cat /etc/os-release || true
|
|
which python || true
|
|
python --version || true
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
|
|
- name: Install formatting dependencies
|
|
run: |
|
|
python -m venv venv
|
|
. venv/bin/activate
|
|
pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
pip install ruff
|
|
|
|
- name: Run Ruff auto-fix and formatting
|
|
run: |
|
|
. venv/bin/activate
|
|
python -m ruff check . --fix --exclude venv,.venv
|
|
python -m ruff format . --exclude venv,.venv
|
|
|
|
- name: Commit and push formatting changes
|
|
run: |
|
|
if [ -n "$(git status --porcelain)" ]; then
|
|
git config --global user.name "gitea-actions[bot]"
|
|
git config --global user.email "gitea-actions[bot]@local"
|
|
git add .
|
|
git commit -m "Auto-fix code style"
|
|
git push
|
|
else
|
|
echo "No formatting changes to commit"
|
|
fi
|
|
|
|
test-and-verify:
|
|
needs: format-and-auto-fix
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Scan repository and git history for leaked secrets with Gitleaks
|
|
run: |
|
|
docker run --rm \
|
|
-v "$PWD":/repo \
|
|
ghcr.io/gitleaks/gitleaks:latest \
|
|
git /repo --verbose
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: "3.11"
|
|
|
|
- name: Install test and security dependencies
|
|
run: |
|
|
python -m venv venv
|
|
. venv/bin/activate
|
|
pip install --upgrade pip
|
|
pip install -r requirements.txt
|
|
pip install pytest pytest-cov pip-audit
|
|
|
|
- name: Run pytest with coverage
|
|
run: |
|
|
. venv/bin/activate
|
|
PYTHONPATH=. pytest --cov=. --cov-report=term-missing
|
|
|
|
- name: Run lightweight input fuzzing against Flask test client
|
|
run: |
|
|
. venv/bin/activate
|
|
python - <<'PY'
|
|
import random
|
|
import string
|
|
from app import app
|
|
|
|
client = app.test_client()
|
|
|
|
samples = [
|
|
"",
|
|
"abc",
|
|
"🔥",
|
|
"één test",
|
|
"<script>alert(1)</script>",
|
|
"\x00",
|
|
" " * 100,
|
|
"a" * 10000,
|
|
"🙂🙃😅",
|
|
"漢字かなカナ",
|
|
"\n\t\r",
|
|
]
|
|
|
|
alphabet = string.ascii_letters + string.digits + string.punctuation + " 🙂🔥éäöü漢字\n\t"
|
|
|
|
for _ in range(100):
|
|
size = random.randint(0, 512)
|
|
samples.append("".join(random.choice(alphabet) for _ in range(size)))
|
|
|
|
for value in samples:
|
|
response = client.post("/", data={"tekst": value})
|
|
assert response.status_code == 200, f"Unexpected status code for input length {len(value)}"
|
|
body = response.get_data(as_text=True)
|
|
assert "Spiegelbeeld:" in body, "Expected response marker not found"
|
|
|
|
print(f"Lightweight fuzzing completed successfully for {len(samples)} inputs.")
|
|
PY
|
|
|
|
- name: Scan Python dependencies with pip-audit
|
|
run: |
|
|
. venv/bin/activate
|
|
pip-audit
|
|
|
|
- name: Start Flask app and run smoke test
|
|
run: |
|
|
. venv/bin/activate
|
|
python app.py &
|
|
APP_PID=$!
|
|
sleep 5
|
|
curl -f http://127.0.0.1:5000
|
|
kill $APP_PID
|
|
|
|
build-scan-and-push-image:
|
|
needs: test-and-verify
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Log in to Gitea container registry
|
|
run: |
|
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login https://git.onlionel.com -u "${{ secrets.REGISTRY_USERNAME }}" --password-stdin
|
|
|
|
- name: Build Docker images
|
|
run: |
|
|
docker build --pull -t $IMAGE_NAME:latest .
|
|
docker build --pull -t $IMAGE_NAME:${{ gitea.sha }} .
|
|
|
|
- name: Verify Flask is available in container image
|
|
run: |
|
|
docker run --rm $IMAGE_NAME:latest python -c "import flask"
|
|
|
|
- name: Clean up old test containers
|
|
run: |
|
|
docker stop arcade-test || true
|
|
docker rm -f arcade-test || true
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y wget gnupg lsb-release apt-transport-https
|
|
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
|
|
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
|
|
sudo apt-get update
|
|
sudo apt-get install -y trivy
|
|
|
|
- name: Scan container image with Trivy
|
|
run: |
|
|
trivy image --exit-code 0 --severity HIGH,CRITICAL $IMAGE_NAME:latest
|
|
|
|
- name: Push container images
|
|
run: |
|
|
docker push $IMAGE_NAME:latest
|
|
docker push $IMAGE_NAME:${{ gitea.sha }}
|
|
|
|
deploy-updated-container:
|
|
needs: build-scan-and-push-image
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Redeploy container over SSH
|
|
uses: appleboy/ssh-action@master
|
|
with:
|
|
host: 10.0.2.109
|
|
username: ${{ secrets.SSH_USERNAME }}
|
|
key: ${{ secrets.SSH_PRIVATE_KEY }}
|
|
script: |
|
|
cd ~/docker-compose/arcade/
|
|
docker compose -f docker-compose.stable.yml down
|
|
docker compose -f docker-compose.ci.yml pull
|
|
docker compose -f docker-compose.ci.yml up -d |