nxtkofi
aab08d5e0f
- Add Trivy fs scan for CRITICAL/HIGH severity vulnerabilities - Upload results as SARIF to GitHub/Forgejo Security tab - Add to both GitHub Actions and Forgejo workflows
69 lines
1.4 KiB
YAML
69 lines
1.4 KiB
YAML
name: CI
|
|
|
|
on:
|
|
push:
|
|
branches: [main, dev]
|
|
pull_request:
|
|
branches: [main, dev]
|
|
|
|
jobs:
|
|
lint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: pnpm/action-setup@v4
|
|
with:
|
|
version: 9
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20
|
|
cache: 'pnpm'
|
|
|
|
- name: Install dependencies
|
|
run: pnpm install --frozen-lockfile
|
|
|
|
- name: Lint
|
|
run: pnpm lint
|
|
|
|
- name: Build
|
|
run: pnpm build
|
|
|
|
security:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Upload Trivy scan results
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
deploy-dev:
|
|
if: github.ref == 'refs/heads/dev'
|
|
needs: lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Deploy to Coolify (Dev)
|
|
run: |
|
|
curl -X POST "${{ secrets.COOLIFY_DEV_WEBHOOK }}"
|
|
|
|
deploy-prod:
|
|
if: github.ref == 'refs/heads/main'
|
|
needs: lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Deploy to Coolify (Prod)
|
|
run: |
|
|
curl -X POST "${{ secrets.COOLIFY_PROD_WEBHOOK }}"
|