182 lines
5.0 KiB
YAML
Executable File
182 lines
5.0 KiB
YAML
Executable File
name: CI/CD Pipeline
|
|
# Updated: Dynamic tag for release, CodeQL v4, Node.js 24 support
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, develop ]
|
|
tags: [ 'v*' ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
|
|
env:
|
|
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
|
|
|
|
jobs:
|
|
lint:
|
|
name: Lint Ansible Playbooks
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.12'
|
|
|
|
- name: Install dependencies
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install ansible ansible-lint yamllint
|
|
|
|
- name: Lint YAML files
|
|
run: |
|
|
yamllint .
|
|
continue-on-error: true
|
|
|
|
- name: Lint Ansible playbooks
|
|
run: |
|
|
ansible-lint playbooks/*.yml || echo "Linting completed with warnings"
|
|
continue-on-error: true
|
|
|
|
- name: Validate Ansible syntax
|
|
run: |
|
|
mkdir -p test-inventory
|
|
cat > test-inventory/hosts <<EOF
|
|
[all]
|
|
localhost ansible_connection=local
|
|
EOF
|
|
for playbook in playbooks/*.yml; do
|
|
ansible-playbook -i test-inventory/hosts --syntax-check "$playbook"
|
|
done
|
|
|
|
test-ubuntu:
|
|
name: Test on Ubuntu
|
|
runs-on: ubuntu-latest
|
|
needs: lint
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- ubuntu_version: '22.04'
|
|
allow_failure: false
|
|
- ubuntu_version: '24.04'
|
|
allow_failure: false
|
|
- ubuntu_version: '25.04'
|
|
allow_failure: true
|
|
|
|
continue-on-error: ${{ matrix.allow_failure }}
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.11'
|
|
|
|
- name: Install Ansible
|
|
run: |
|
|
python -m pip install --upgrade pip
|
|
pip install ansible
|
|
|
|
- name: Create simple test inventory
|
|
run: |
|
|
mkdir -p test-inventory
|
|
cat > test-inventory/hosts <<EOF
|
|
[wordpress_servers]
|
|
localhost ansible_connection=local
|
|
EOF
|
|
|
|
- name: Test syntax for all playbooks
|
|
run: |
|
|
echo "Testing syntax for all playbooks..."
|
|
for playbook in playbooks/*.yml; do
|
|
echo "Checking $playbook..."
|
|
ansible-playbook -i test-inventory/hosts "$playbook" --syntax-check
|
|
done
|
|
|
|
- name: Test variable loading
|
|
run: |
|
|
echo "Testing variable loading and basic validation..."
|
|
ansible-playbook -i test-inventory/hosts \
|
|
playbooks/lemp-wordpress.yml \
|
|
--extra-vars "mysql_root_password=test123 wordpress_db_password=test123 wp_admin_password=test123" \
|
|
--list-tasks \
|
|
-v
|
|
|
|
- name: Test on Ubuntu ${{ matrix.ubuntu_version }} container
|
|
run: |
|
|
echo "Testing basic container setup for Ubuntu ${{ matrix.ubuntu_version }}..."
|
|
docker run --rm ubuntu:${{ matrix.ubuntu_version }} /bin/bash -c "
|
|
set -e &&
|
|
grep '^NAME=' /etc/os-release &&
|
|
grep '^VERSION_ID=' /etc/os-release &&
|
|
bash --version > /dev/null &&
|
|
echo 'Ubuntu ${{ matrix.ubuntu_version }} container test successful'"
|
|
|
|
|
|
|
|
security-scan:
|
|
name: Security Scanning
|
|
runs-on: ubuntu-latest
|
|
needs: lint
|
|
permissions:
|
|
security-events: write
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
release:
|
|
name: Create Release
|
|
runs-on: ubuntu-latest
|
|
needs: [test-ubuntu, security-scan]
|
|
if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
|
|
permissions:
|
|
contents: write
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Get current tag
|
|
id: get_tag
|
|
run: |
|
|
echo "latest_tag=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
|
|
echo "Using tag: ${GITHUB_REF_NAME}"
|
|
|
|
- name: Generate changelog
|
|
run: |
|
|
echo "# Release Notes" > CHANGELOG_RELEASE.md
|
|
echo "" >> CHANGELOG_RELEASE.md
|
|
echo "## Changes since ${{ steps.get_tag.outputs.latest_tag }}" >> CHANGELOG_RELEASE.md
|
|
echo "" >> CHANGELOG_RELEASE.md
|
|
git log ${{ steps.get_tag.outputs.latest_tag }}..HEAD --pretty=format:"- %s (%h)" >> CHANGELOG_RELEASE.md || echo "- No changes since last release" >> CHANGELOG_RELEASE.md
|
|
|
|
- name: Create Release
|
|
uses: softprops/action-gh-release@v2
|
|
with:
|
|
tag_name: ${{ steps.get_tag.outputs.latest_tag }}
|
|
name: Release ${{ steps.get_tag.outputs.latest_tag }}
|
|
body_path: CHANGELOG_RELEASE.md
|
|
draft: false
|
|
prerelease: false
|