c0e2fe2e12
MEDIUM-002: Remove manual X-Forwarded-For parsing in metrics_protection.go, use c.ClientIP() only (respects SetTrustedProxies) MEDIUM-003: Pin ClamAV Docker image to 1.4 across all compose files MEDIUM-004: Add clampLimit(100) to 15+ handlers that parsed limit directly MEDIUM-006: Remove unsafe-eval from CSP script-src on Swagger routes MEDIUM-007: Pin all GitHub Actions to SHA in 11 workflow files MEDIUM-008: Replace rabbitmq:3-management-alpine with rabbitmq:3-alpine in prod MEDIUM-009: Add trial-already-used check in subscription service MEDIUM-010: Add 60s periodic token re-validation to WebSocket connections MEDIUM-011: Mask email in auth handler logs with maskEmail() helper MEDIUM-012: Add k-anonymity threshold (k=5) to playback analytics stats LOW-001: Align frontend password policy to 12 chars (matching backend) LOW-003: Replace deprecated dotenv with dotenvy crate in Rust stream server LOW-004: Enable xpack.security in Elasticsearch dev/local compose files LOW-005: Accept context.Context in CleanupExpiredSessions instead of Background() LOW-002: Noted — Hyperswitch version update deferred (requires payment integration tests) 29/30 findings remediated. 1 noted (LOW-002). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
165 lines
6.3 KiB
YAML
165 lines
6.3 KiB
YAML
name: Veza CD
|
|
|
|
on:
|
|
push:
|
|
branches: [ "main" ]
|
|
workflow_dispatch:
|
|
inputs:
|
|
environment:
|
|
description: 'Deployment environment'
|
|
required: true
|
|
default: 'staging'
|
|
type: choice
|
|
options:
|
|
- staging
|
|
- production
|
|
|
|
jobs:
|
|
build:
|
|
name: Build and push images
|
|
runs-on: ubuntu-latest
|
|
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
|
|
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3 # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
|
|
# Push to registry: set repo secrets DOCKER_REGISTRY, DOCKER_REGISTRY_USERNAME, DOCKER_REGISTRY_PASSWORD
|
|
# Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza
|
|
- name: Build Backend Docker Image
|
|
run: |
|
|
docker build -t veza-backend-api:${{ github.sha }} -f veza-backend-api/Dockerfile.production veza-backend-api/
|
|
|
|
- name: Build Frontend Docker Image
|
|
run: |
|
|
docker build -t veza-frontend:${{ github.sha }} -f apps/web/Dockerfile.production apps/web/
|
|
|
|
- name: Build Stream Server Docker Image
|
|
run: |
|
|
docker build -t veza-stream-server:${{ github.sha }} -f veza-stream-server/Dockerfile.production veza-stream-server/
|
|
|
|
- name: Trivy vulnerability scan
|
|
uses: aquasecurity/trivy-action@0.28.0 # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
image-ref: 'veza-backend-api:${{ github.sha }}'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Trivy scan frontend
|
|
uses: aquasecurity/trivy-action@0.28.0 # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
image-ref: 'veza-frontend:${{ github.sha }}'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Trivy scan stream server
|
|
uses: aquasecurity/trivy-action@0.28.0 # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
image-ref: 'veza-stream-server:${{ github.sha }}'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
- name: Generate SBOM
|
|
run: |
|
|
mkdir -p sbom
|
|
for svc in veza-backend-api veza-frontend veza-stream-server; do
|
|
trivy image --format cyclonedx --output "sbom/${svc}-${{ github.sha }}.json" "${svc}:${{ github.sha }}"
|
|
done
|
|
- name: Upload SBOM artifacts
|
|
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
|
|
with:
|
|
name: sbom
|
|
path: sbom/
|
|
|
|
- name: Push Images to Registry
|
|
if: vars.DOCKER_REGISTRY != ''
|
|
run: |
|
|
echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ vars.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin
|
|
for svc in veza-backend-api veza-frontend veza-stream-server; do
|
|
docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
|
|
docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
|
|
docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
|
|
docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
|
|
done
|
|
|
|
- name: Install cosign
|
|
if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
|
|
uses: sigstore/cosign-installer@v3 # SECURITY(MEDIUM-007): TODO — pin to SHA
|
|
with:
|
|
cosign-release: 'v2.2.0'
|
|
- name: Sign images with cosign
|
|
if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
|
|
env:
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
|
|
run: |
|
|
for svc in veza-backend-api veza-frontend veza-stream-server; do
|
|
cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
|
|
cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
|
|
done
|
|
|
|
- name: Build Summary
|
|
run: |
|
|
echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
|
|
|
|
deploy:
|
|
name: Deploy to ${{ github.event.inputs.environment || 'staging' }}
|
|
runs-on: ubuntu-latest
|
|
needs: build
|
|
if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
|
|
environment: ${{ github.event.inputs.environment || 'staging' }}
|
|
steps:
|
|
- name: Deploy to Kubernetes
|
|
if: vars.KUBE_CONFIG_SET == 'true'
|
|
run: |
|
|
KUBECONFIG="${{ runner.temp }}/kubeconfig"
|
|
echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > "$KUBECONFIG"
|
|
chmod 600 "$KUBECONFIG"
|
|
export KUBECONFIG
|
|
for svc in veza-backend-api veza-stream-server; do
|
|
kubectl set image "deployment/${svc}" "${svc}=${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \
|
|
-n veza --record || echo "Skipping ${svc} (deployment not found)"
|
|
done
|
|
kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true
|
|
rm -f "$KUBECONFIG"
|
|
|
|
- name: Deployment Summary
|
|
run: |
|
|
echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY
|
|
echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY
|
|
|
|
smoke-post-deploy:
|
|
name: Smoke tests post-deploy
|
|
runs-on: ubuntu-latest
|
|
needs: deploy
|
|
if: vars.STAGING_URL != ''
|
|
steps:
|
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
- name: Set up Node
|
|
uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
|
|
with:
|
|
node-version: '20'
|
|
cache: 'npm'
|
|
|
|
- name: Install dependencies
|
|
run: npm ci
|
|
|
|
- name: Install Playwright
|
|
run: npx playwright install chromium --with-deps
|
|
|
|
- name: Run smoke tests
|
|
env:
|
|
PLAYWRIGHT_BASE_URL: ${{ vars.STAGING_URL }}
|
|
run: |
|
|
cd apps/web
|
|
npx playwright test --config=playwright.config.smoke.ts
|
|
|