veza/.github/workflows/cd.yml

name: Veza CD

on:
  push:
    branches: [ "main" ]
  workflow_dispatch:
    inputs:
      environment:
        description: 'Deployment environment'
        required: true
        default: 'staging'
        type: choice
        options:
          - staging
          - production

jobs:
  deploy:
    name: Deploy to ${{ github.event.inputs.environment || 'staging' }}
    runs-on: ubuntu-latest
    if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    environment: ${{ github.event.inputs.environment || 'staging' }}
    
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Push to registry: set repo secrets DOCKER_REGISTRY, DOCKER_REGISTRY_USERNAME, DOCKER_REGISTRY_PASSWORD
      # Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza
      - name: Build Backend Docker Image
        run: |
          cd veza-backend-api
          docker build -t veza-backend-api:${{ github.sha }} .          

      - name: Build Frontend Docker Image
        run: |
          cd apps/web
          docker build -t veza-frontend:${{ github.sha }} .          

      - name: Build Rust Services Docker Images
        run: |
          cd veza-chat-server
          docker build -t veza-chat-server:${{ github.sha }} .
          
          cd ../veza-stream-server
          docker build -t veza-stream-server:${{ github.sha }} .          

      - name: Trivy vulnerability scan
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'veza-backend-api:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

      - name: Trivy scan frontend
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'veza-frontend:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

      - name: Trivy scan chat server
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'veza-chat-server:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

      - name: Trivy scan stream server
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'veza-stream-server:${{ github.sha }}'
          format: 'table'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

      - name: Generate SBOM
        run: |
          mkdir -p sbom
          for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
            trivy image --format cyclonedx --output "sbom/${svc}-${{ github.sha }}.json" "${svc}:${{ github.sha }}"
          done          
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom/

      - name: Push Images to Registry
        if: ${{ secrets.DOCKER_REGISTRY != '' }}
        run: |
          echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ secrets.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin
          for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
            docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
            docker tag "${svc}:${{ github.sha }}" "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
            docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
            docker push "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
          done          

      - name: Install cosign
        if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: 'v2.2.0'
      - name: Sign images with cosign
        if: ${{ secrets.DOCKER_REGISTRY != '' && secrets.COSIGN_PRIVATE_KEY != '' }}
        env:
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key
          for svc in veza-backend-api veza-frontend veza-chat-server veza-stream-server; do
            cosign sign --key cosign.key --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
            cosign sign --key cosign.key --yes "${{ secrets.DOCKER_REGISTRY }}/${svc}:latest"
          done          

      - name: Deploy to Kubernetes
        if: ${{ secrets.KUBE_CONFIG != '' }}
        run: |
          mkdir -p ~/.kube
          echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > ~/.kube/config
          for svc in veza-backend-api veza-chat-server veza-stream-server; do
            kubectl set image "deployment/${svc}" "${svc}=${{ secrets.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \
              -n veza --record || echo "Skipping ${svc} (deployment not found)"
          done
          kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true          

      - name: Deployment Summary
        run: |
          echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY
          echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Chat Server: veza-chat-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
          echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY          

  smoke-post-deploy:
    name: Smoke tests post-deploy
    runs-on: ubuntu-latest
    needs: deploy
    if: ${{ secrets.STAGING_URL != '' || vars.STAGING_URL != '' }}
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Install Playwright
        run: npx playwright install chromium --with-deps

      - name: Run smoke tests
        env:
          PLAYWRIGHT_BASE_URL: ${{ secrets.STAGING_URL || vars.STAGING_URL }}
        run: |
          cd apps/web
          npx playwright test --config=playwright.config.smoke.ts