Final GitHub Actions fixes #7
| name: CI/CD Pipeline | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| - 'feature/**' | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| env: | |
| AWS_REGION: us-east-1 | |
| AWS_ACCOUNT_ID: 851725513597 | |
| ECR_REGISTRY: 851725513597.dkr.ecr.us-east-1.amazonaws.com | |
| BACKEND_IMAGE: 851725513597.dkr.ecr.us-east-1.amazonaws.com/code-playground-backend | |
| FRONTEND_IMAGE: 851725513597.dkr.ecr.us-east-1.amazonaws.com/code-playground-frontend | |
| ECS_CLUSTER: code-playground-production | |
| jobs: | |
| test-backend: | |
| name: Test Backend | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'temurin' | |
| - name: Cache Gradle packages | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper | |
| key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| restore-keys: | | |
| ${{ runner.os }}-gradle- | |
| - name: Run tests | |
| working-directory: ./apps/backend | |
| run: | | |
| chmod +x gradlew | |
| ./gradlew test | |
| - name: Build application | |
| working-directory: ./apps/backend | |
| run: ./gradlew build | |
| - name: Upload test reports | |
| if: failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: backend-test-reports | |
| path: apps/backend/build/reports/tests/ | |
| test-frontend: | |
| name: Test Frontend | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| - name: Install dependencies | |
| working-directory: ./apps/frontend | |
| run: npm ci | |
| - name: Run linter | |
| working-directory: ./apps/frontend | |
| run: npm run lint | |
| - name: Type check | |
| working-directory: ./apps/frontend | |
| run: npm run type-check | |
| - name: Build application | |
| working-directory: ./apps/frontend | |
| run: npm run build | |
| build-and-push: | |
| name: Build and Push Docker Images to ECR | |
| needs: [test-backend, test-frontend] | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build and push Backend image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./apps/backend | |
| platforms: linux/amd64 | |
| push: true | |
| tags: | | |
| ${{ env.BACKEND_IMAGE }}:${{ github.sha }} | |
| ${{ env.BACKEND_IMAGE }}:latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push Frontend image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./apps/frontend | |
| platforms: linux/amd64 | |
| push: true | |
| tags: | | |
| ${{ env.FRONTEND_IMAGE }}:${{ github.sha }} | |
| ${{ env.FRONTEND_IMAGE }}:latest | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| deploy-to-ecs: | |
| name: Deploy to ECS | |
| needs: build-and-push | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Force new deployment for Backend service | |
| run: | | |
| aws ecs update-service \ | |
| --cluster ${{ env.ECS_CLUSTER }} \ | |
| --service code-playground-backend \ | |
| --force-new-deployment \ | |
| --region ${{ env.AWS_REGION }} | |
| - name: Force new deployment for Frontend service | |
| run: | | |
| aws ecs update-service \ | |
| --cluster ${{ env.ECS_CLUSTER }} \ | |
| --service code-playground-frontend \ | |
| --force-new-deployment \ | |
| --region ${{ env.AWS_REGION }} | |
| - name: Wait for deployment to complete | |
| run: | | |
| aws ecs wait services-stable \ | |
| --cluster ${{ env.ECS_CLUSTER }} \ | |
| --services code-playground-backend code-playground-frontend \ | |
| --region ${{ env.AWS_REGION }} | |
| - name: Get ALB DNS name | |
| id: get-alb-dns | |
| run: | | |
| ALB_DNS=$(aws elbv2 describe-load-balancers \ | |
| --names code-playground-alb \ | |
| --query 'LoadBalancers[0].DNSName' \ | |
| --output text \ | |
| --region ${{ env.AWS_REGION }}) | |
| echo "alb_dns=$ALB_DNS" >> $GITHUB_OUTPUT | |
| - name: Run smoke tests | |
| run: | | |
| sleep 30 | |
| curl -f http://${{ steps.get-alb-dns.outputs.alb_dns }}/actuator/health || exit 1 | |
| curl -f http://${{ steps.get-alb-dns.outputs.alb_dns }}/ || exit 1 | |
| security-scan: | |
| name: Security Scanning | |
| runs-on: ubuntu-latest | |
| needs: [test-backend, test-frontend] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Run SAST with CodeQL | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| languages: 'java,javascript' |
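Review bot: The `Configure AWS credentials` steps in both `build-and-push` and `deploy-to-ecs` still pass long-lived static keys (`aws-access-key-id` / `aws-secret-access-key` from secrets) even though `build-and-push` already requests `id-token: write`, which is only useful for OIDC federation; static keys never rotate and, if exposed through a log or a compromised third-party action, stay valid until someone revokes them. Replace both key inputs with `role-to-assume: arn:aws:iam::851725513597:role/<DEPLOY_ROLE_NAME>` (role name is a placeholder) and give `deploy-to-ecs` its own `permissions:` block with `id-token: write` and `contents: read`, since it currently has none and inherits whatever the repository's default token scope is. `aquasecurity/trivy-action@master` is a mutable ref, so the scanner code can change under the pipeline without review; pin it to a release tag or commit SHA like every other action in this file. The final `github/codeql-action/analyze@v3` step has no preceding `github/codeql-action/init` step and, as far as I can tell, `analyze` does not take a `languages` input (that belongs on `init`), so the SAST step is unlikely to run as intended; the `security-scan` job also needs `security-events: write` for `upload-sarif` to succeed when the default token is read-only.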