db_kyc_project/.gitea/workflows/ci.yml

name: CI/CD Pipeline

on:
  push:
    branches: [dev]
  pull_request:
    branches: [main]

jobs:
  lint-sast:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.12'

      - name: Run linter (flake8)
        run: |
          python -m venv venv
          source venv/bin/activate
          pip install flake8
          flake8 . --ignore=E501 --exclude=venv          
        continue-on-error: true
      - name: Run Semgrep (SAST)
        run: |
          pip install semgrep
          semgrep --config . --jobs 1 --max-memory 4000          
  deploy:
    needs: lint-sast
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main'
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up SSH
        run: |
          mkdir -p ~/.ssh
          echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
          chmod 600 ~/.ssh/id_rsa
          ssh-keyscan -H ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts          

      - name: Copy app to server
        run: |
          TARGET=${{ secrets.TEST_SERVER }}
          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            TARGET=${{ secrets.PROD_SERVER }}
          fi
          scp -r . "$TARGET:~/app"          

      - name: Deploy app remotely
        run: |
          TARGET=${{ secrets.TEST_SERVER }}
          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            TARGET=${{ secrets.PROD_SERVER }}
          fi
          ssh "$TARGET" 'cd ~/app && bash deploy.sh'