63 lines
1.6 KiB
YAML
63 lines
1.6 KiB
YAML
name: CI/CD Pipeline
|
|
|
|
on:
|
|
push:
|
|
branches: [dev]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
jobs:
|
|
lint-sast:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v4
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install flake8 in venv
|
|
run: |
|
|
python -m venv venv
|
|
source venv/bin/activate
|
|
pip install flake8
|
|
flake8 db_kyc_project/
|
|
|
|
- name: Run Semgrep (SAST)
|
|
run: |
|
|
curl -sSL https://semgrep.dev/install.sh | sh
|
|
./semgrep/semgrep scan --config auto --error
|
|
|
|
deploy:
|
|
needs: lint-sast
|
|
runs-on: ubuntu-latest
|
|
if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main'
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Set up SSH
|
|
run: |
|
|
mkdir -p ~/.ssh
|
|
echo "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_rsa
|
|
chmod 600 ~/.ssh/id_rsa
|
|
ssh-keyscan -H ${{ secrets.SERVER_HOST }} >> ~/.ssh/known_hosts
|
|
|
|
- name: Copy app to server
|
|
run: |
|
|
TARGET=${{ secrets.TEST_SERVER }}
|
|
if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
|
|
TARGET=${{ secrets.PROD_SERVER }}
|
|
fi
|
|
scp -r . "$TARGET:/home/deploy/app"
|
|
|
|
- name: Deploy app remotely
|
|
run: |
|
|
TARGET=${{ secrets.TEST_SERVER }}
|
|
if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
|
|
TARGET=${{ secrets.PROD_SERVER }}
|
|
fi
|
|
ssh "$TARGET" 'cd /home/deploy/app && bash deploy.sh'
|