deploying #51
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Secured-CI-CD-pipeline | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| sonarq-integration: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v2 | |
| with: | |
| # Disabling shallow clone is recommended for improving relevancy of reporting | |
| fetch-depth: 0 | |
| - name: Test SonarQube connectivity | |
| run: | | |
| curl -v ${{ secrets.SONAR_HOST_URL }}/api/system/status | |
| - name: SonarQube Scan | |
| uses: sonarsource/sonarqube-scan-action@v2 | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | |
| SONAR_PROJECT_KEY: ${{ secrets.SONAR_PROJECT_KEY }} | |
| SONAR_PROJECT_NAME: "Microservice-Based-Password-Manager-with-a-Secure-CI-CD-Pipeline" | |
| build-trivy-scan-and-push: | |
| runs-on: ubuntu-latest | |
| #needs: sonarq-integration # Uncomment to ensure SonarQube analysis completes before the build | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v1 | |
| - name: Build Docker image | |
| id: build-image | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: false | |
| tags: ${{ secrets.DOCKERHUB_USERNAME }}/web:latest | |
| - name: Scan image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/web:latest | |
| - name: Push Docker image | |
| if: success() # Push only if Trivy scan succeeds | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: true | |
| tags: ${{ secrets.DOCKERHUB_USERNAME }}/web:latest | |
| build-and-zap-scan: | |
| runs-on: ubuntu-latest | |
| needs: build-trivy-scan-and-push | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Check Docker Compose version | |
| run: docker compose --version | |
| - name: Build and run Docker Compose | |
| env: | |
| MYSQL_DATABASE: ${{ secrets.MYSQL_DATABASE }} | |
| MYSQL_USER: ${{ secrets.MYSQL_USER }} | |
| MYSQL_PASSWORD: ${{ secrets.MYSQL_PASSWORD }} | |
| MYSQL_ROOT_PASSWORD: ${{ secrets.MYSQL_ROOT_PASSWORD }} | |
| DATABASE_URL: ${{ secrets.DATABASE_URL }} | |
| run: | | |
| docker compose up -d | |
| sleep 15 | |
| - name: Debug Docker containers | |
| run: docker ps | |
| - name: Get web container IP address and check accessibility | |
| id: get_ip | |
| run: | | |
| CONTAINER_ID=$(docker ps -qf "name=web") | |
| echo "Web Container ID: $CONTAINER_ID" | |
| CONTAINER_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $CONTAINER_ID) | |
| echo "Web Container IP: $CONTAINER_IP" | |
| echo "container_ip=$CONTAINER_IP" >> $GITHUB_ENV | |
| curl http://$CONTAINER_IP:8000 | |
| - name: ZAP Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| target: http://${{ env.container_ip }}:8000 | |
| artifact_name: "zap-alerts" | |
| - name: Verify ZAP Alerts File Generation | |
| run: ls -l | grep report | |
| - name: Upload ZAP Alerts as Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: zap-alerts | |
| path: ./report_html.html | |
| deploy-to-ec2: | |
| runs-on: ubuntu-latest | |
| needs: build-trivy-scan-and-push | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Configure SSH for EC2 | |
| run: | | |
| echo "${{ secrets.EC2_PRIVATE_KEY }}" > ec2_key.pem | |
| chmod 600 ec2_key.pem | |
| echo "Connecting to EC2 Host: ${{ secrets.K8S_HOST }}" | |
| - name: SSH into EC2 and deploy | |
| run: | | |
| ssh -v -o StrictHostKeyChecking=no -i ec2_key.pem ubuntu@${{ secrets.K8S_HOST }} << EOF | |
| kompose version | |
| kompose convert -f docker-compose.yml | |
| kubectl apply -f /home/ubuntu/ | |
| kubectl get pods | |
| EOF |