Files
ansible-lemp-wordpress/.github/workflows/ci-cd.yml

169 lines
4.8 KiB
YAML
Executable File

name: CI/CD Pipeline
# Updated: Dynamic tag for release, CodeQL v4, Node.js 24 support
on:
push:
branches: [ main, develop ]
tags: [ 'v*' ]
pull_request:
branches: [ main ]
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
lint:
name: Lint Ansible Playbooks
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install ansible ansible-lint yamllint
- name: Lint YAML files
run: |
yamllint .
continue-on-error: true
- name: Lint Ansible playbooks
run: |
ansible-lint playbooks/*.yml || echo "Linting completed with warnings"
continue-on-error: true
- name: Validate Ansible syntax
run: |
for playbook in playbooks/*.yml; do
ansible-playbook --syntax-check "$playbook"
done
test-ubuntu:
name: Test on Ubuntu
runs-on: ubuntu-latest
needs: lint
strategy:
matrix:
ubuntu_version: ['22.04', '24.04', '25.04']
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install Ansible
run: |
python -m pip install --upgrade pip
pip install ansible
- name: Create simple test inventory
run: |
mkdir -p test-inventory
cat > test-inventory/hosts <<EOF
[wordpress_servers]
localhost ansible_connection=local
EOF
- name: Test syntax for all playbooks
run: |
echo "Testing syntax for all playbooks..."
for playbook in playbooks/*.yml; do
echo "Checking $playbook..."
ansible-playbook "$playbook" --syntax-check
done
- name: Test variable loading
run: |
echo "Testing variable loading and basic validation..."
ansible-playbook -i test-inventory/hosts \
playbooks/lemp-wordpress.yml \
--extra-vars "mysql_root_password=test123 wordpress_db_password=test123 wp_admin_password=test123" \
--list-tasks \
-v
- name: Test on Ubuntu ${{ matrix.ubuntu_version }} container
run: |
echo "Testing basic container setup for Ubuntu ${{ matrix.ubuntu_version }}..."
docker run --rm ubuntu:${{ matrix.ubuntu_version }} /bin/bash -c "
export DEBIAN_FRONTEND=noninteractive &&
apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30 || apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30 &&
apt-get install -y --no-install-recommends python3 ca-certificates &&
python3 --version &&
echo 'Ubuntu ${{ matrix.ubuntu_version }} container test successful'"
security-scan:
name: Security Scanning
runs-on: ubuntu-latest
needs: lint
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: 'trivy-results.sarif'
release:
name: Create Release
runs-on: ubuntu-latest
needs: [test-ubuntu, security-scan]
if: startsWith(github.ref, 'refs/tags/') && github.event_name == 'push'
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
- name: Get current tag
id: get_tag
run: |
echo "latest_tag=${GITHUB_REF_NAME}" >> $GITHUB_OUTPUT
echo "Using tag: ${GITHUB_REF_NAME}"
- name: Generate changelog
run: |
echo "# Release Notes" > CHANGELOG_RELEASE.md
echo "" >> CHANGELOG_RELEASE.md
echo "## Changes since ${{ steps.get_tag.outputs.latest_tag }}" >> CHANGELOG_RELEASE.md
echo "" >> CHANGELOG_RELEASE.md
git log ${{ steps.get_tag.outputs.latest_tag }}..HEAD --pretty=format:"- %s (%h)" >> CHANGELOG_RELEASE.md || echo "- No changes since last release" >> CHANGELOG_RELEASE.md
- name: Create Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.get_tag.outputs.latest_tag }}
name: Release ${{ steps.get_tag.outputs.latest_tag }}
body_path: CHANGELOG_RELEASE.md
draft: false
prerelease: false