name: Veza CD on: push: branches: [ "main" ] workflow_dispatch: inputs: environment: description: 'Deployment environment' required: true default: 'staging' type: choice options: - staging - production jobs: deploy: name: Deploy to ${{ github.event.inputs.environment || 'staging' }} runs-on: ubuntu-latest if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch' environment: ${{ github.event.inputs.environment || 'staging' }} steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 # Push to registry: set repo secrets DOCKER_REGISTRY, DOCKER_REGISTRY_USERNAME, DOCKER_REGISTRY_PASSWORD # Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza - name: Build Backend Docker Image run: | cd veza-backend-api docker build -t veza-backend-api:${{ github.sha }} . - name: Build Frontend Docker Image run: | cd apps/web docker build -t veza-frontend:${{ github.sha }} . - name: Build Rust Services Docker Images run: | cd veza-chat-server docker build -t veza-chat-server:${{ github.sha }} . cd ../veza-stream-server docker build -t veza-stream-server:${{ github.sha }} . - name: Trivy vulnerability scan uses: aquasecurity/trivy-action@master with: image-ref: 'veza-backend-api:${{ github.sha }}' format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH' - name: Trivy scan frontend uses: aquasecurity/trivy-action@master with: image-ref: 'veza-frontend:${{ github.sha }}' format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH' - name: Trivy scan chat server uses: aquasecurity/trivy-action@master with: image-ref: 'veza-chat-server:${{ github.sha }}' format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH' - name: Trivy scan stream server uses: aquasecurity/trivy-action@master with: image-ref: 'veza-stream-server:${{ github.sha }}' format: 'table' exit-code: '1' severity: 'CRITICAL,HIGH' - name: Push Images to Registry if: ${{ secrets.DOCKER_REGISTRY != '' }} run: | echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ secrets.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest" docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest" done - name: Deploy to Kubernetes if: ${{ secrets.KUBE_CONFIG != '' }} run: | mkdir -p ~/.kube echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > ~/.kube/config for svc in veza-backend-api veza-chat-server veza-stream-server; do kubectl set image "deployment/${svc}" "${svc}=${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \ -n veza --record || echo "Skipping ${svc} (deployment not found)" done kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true - name: Deployment Summary run: | echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY echo "- Chat Server: veza-chat-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY