name: Veza CD on: push: branches: ["main"] workflow_dispatch: inputs: environment: description: "Deployment environment" required: true default: "staging" type: choice options: - staging - production env: GIT_SSL_NO_VERIFY: "true" NODE_TLS_REJECT_UNAUTHORIZED: "0" jobs: build: name: Build and push images runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 # Push to registry: set repo secrets DOCKER_REGISTRY, DOCKER_REGISTRY_USERNAME, DOCKER_REGISTRY_PASSWORD # Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza - name: Build Backend Docker Image run: | docker build -t veza-backend-api:${{ github.sha }} -f veza-backend-api/Dockerfile.production veza-backend-api/ - name: Build Frontend Docker Image run: | docker build -t veza-frontend:${{ github.sha }} -f apps/web/Dockerfile.production apps/web/ - name: Build Stream Server Docker Image run: | docker build -t veza-stream-server:${{ github.sha }} -f veza-stream-server/Dockerfile.production veza-stream-server/ - name: Trivy vulnerability scan uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0 with: image-ref: "veza-backend-api:${{ github.sha }}" format: "table" exit-code: "1" severity: "CRITICAL,HIGH" - name: Trivy scan frontend uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0 with: image-ref: "veza-frontend:${{ github.sha }}" format: "table" exit-code: "1" severity: "CRITICAL,HIGH" - name: Trivy scan stream server uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0 with: image-ref: "veza-stream-server:${{ github.sha }}" format: "table" exit-code: "1" severity: "CRITICAL,HIGH" - name: Generate SBOM run: | mkdir -p sbom for svc in veza-backend-api veza-frontend veza-stream-server; do trivy image --format cyclonedx --output "sbom/${svc}-${{ github.sha }}.json" "${svc}:${{ github.sha }}" done - name: Upload SBOM artifacts uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: name: sbom path: sbom/ - name: Push Images to Registry if: vars.DOCKER_REGISTRY != '' run: | echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ vars.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin for svc in veza-backend-api veza-frontend veza-stream-server; do docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:latest" docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:latest" done - name: Install cosign if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true' uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1 with: cosign-release: "v2.2.0" - name: Sign images with cosign if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true' env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} run: | for svc in veza-backend-api veza-frontend veza-stream-server; do cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:latest" done - name: Build Summary run: | echo "## Build Summary" >> $GITHUB_STEP_SUMMARY echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY deploy: name: Deploy to ${{ github.event.inputs.environment || 'staging' }} runs-on: ubuntu-latest needs: build if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' environment: ${{ github.event.inputs.environment || 'staging' }} steps: - name: Deploy to Kubernetes if: vars.KUBE_CONFIG_SET == 'true' run: | KUBECONFIG="${{ runner.temp }}/kubeconfig" echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > "$KUBECONFIG" chmod 600 "$KUBECONFIG" export KUBECONFIG for svc in veza-backend-api veza-stream-server; do kubectl set image "deployment/${svc}" "${svc}=${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \ -n veza --record || echo "Skipping ${svc} (deployment not found)" done kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true rm -f "$KUBECONFIG" - name: Deployment Summary run: | echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY smoke-post-deploy: name: Smoke tests post-deploy runs-on: ubuntu-latest needs: deploy if: vars.STAGING_URL != '' steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Node uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 with: node-version: "20" cache: "npm" - name: Install dependencies run: npm ci - name: Install Playwright run: npx playwright install chromium --with-deps - name: Run smoke tests env: PLAYWRIGHT_BASE_URL: ${{ vars.STAGING_URL }} run: | cd apps/web npx playwright test --config=playwright.config.smoke.ts