---
name: CI/CD Pipeline

# Workflow-wide default token permissions. `packages: write` is only needed by
# the image build; individual jobs may narrow this with their own `permissions`.
permissions:
  contents: read
  packages: write

on:
  push:
    branches: [main, develop, devops]
  pull_request:
    branches: [main]

env:
  # Quoted so YAML keeps it a string (setup-node expects a version string).
  NODE_VERSION: '18'
  REGISTRY: ghcr.io
  # Resolves to owner/repo; metadata-action lowercases it for the image name.
  IMAGE_NAME: ${{ github.repository }}
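jobs:
  # NOTE: actions are referenced by major tag (e.g. @v4). For supply-chain
  # hardening pin each to a full commit SHA (actions/checkout@<commit-sha>)
  # and let Dependabot/Renovate bump them.

  # Lint and build on every push/PR. Needs no registry access, so the token is
  # narrowed to read-only here regardless of the workflow-level default.
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run linting
        run: npm run lint
      - name: Build application
        run: npm run build
      - name: Run tests (когда добавишь тесты)
        run: echo "Tests will be added later"
        # run: npm test

  # Build the multi-arch image and push it to GHCR. Restricted to push events,
  # so pull requests (including ones from forks) never publish an image.
  # Exposes the image name and the pushed manifest digest for the deploy job.
  build:
    needs: test
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    permissions:
      contents: read
      packages: write  # required for docker/login-action with GITHUB_TOKEN
    outputs:
      image: ${{ steps.image.outputs.image }}
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha
      - name: Build and push Docker image
        id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Output image
        id: image
        # $GITHUB_OUTPUT is quoted so a path containing spaces cannot break the redirect.
        run: |
          echo "image=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}" >> "$GITHUB_OUTPUT"

  # Deploy the image that *this* run built, addressed by digest rather than by
  # the mutable `devops` tag, so a tag overwritten between push and pull cannot
  # substitute a different image. Secrets are handed to the remote shell as
  # environment variables (`envs`) instead of being interpolated into the
  # script text.
  deploy:
    needs: build
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/devops'
    environment: production
    permissions:
      contents: read  # uses only repository secrets, not GITHUB_TOKEN
    # Serialise production deploys so two pushes cannot interleave
    # stop/rm/run against the same container on the server.
    concurrency:
      group: production-deploy
      cancel-in-progress: false
    steps:
      - name: Deploy to production server
        uses: appleboy/ssh-action@v1
        env:
          CR_PAT: ${{ secrets.CR_PAT }}
          GH_USER: ${{ secrets.GH_USER }}
          # name@sha256:... reference from the build job (immutable).
          IMAGE_REF: ${{ needs.build.outputs.image }}@${{ needs.build.outputs.digest }}
        with:
          host: ${{ secrets.SERVER_HOST }}
          username: ${{ secrets.SERVER_USER }}
          key: ${{ secrets.SERVER_SSH_KEY }}
          envs: CR_PAT,GH_USER,IMAGE_REF
          # NOTE(review): `docker login` persists CR_PAT in ~/.docker/config.json
          # on the server; consider `docker logout ghcr.io` after the pull if
          # nothing else on the host relies on the stored credential.
          script: |
            echo "$CR_PAT" | docker login ghcr.io -u "$GH_USER" --password-stdin
            docker pull "$IMAGE_REF"
            docker stop frontend || true
            docker rm frontend || true
            docker run -d --name frontend -p 80:80 "$IMAGE_REF"

  # Dependency audit; runs independently of the other jobs.
  security:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run security audit
        run: npm audit --audit-level=moderate
      # Image scanning is currently disabled. When enabling it, reference a
      # tagged release of trivy-action instead of the mutable `master` branch.
      # - name: Scan Docker image for vulnerabilities
      #   if: github.event_name == 'push'
      #   uses: aquasecurity/trivy-action@master
      #   with:
      #     image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
      #     format: 'sarif'
      #     output: 'trivy-results.sarif'
      # - name: Upload Trivy scan results
      #   if: github.event_name == 'push'
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: 'trivy-results.sarif'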