veza/.github/workflows/cd.yml

name: Veza CD

on:
    push:
        branches: ["main"]
    workflow_dispatch:
        inputs:
            environment:
                description: "Deployment environment"
                required: true
                default: "staging"
                type: choice
                options:
                    - staging
                    - production

env:
    GIT_SSL_NO_VERIFY: "true"
    NODE_TLS_REJECT_UNAUTHORIZED: "0"

jobs:
    build:
        name: Build and push images
        runs-on: ubuntu-latest
        if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'

        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0

            # Push to registry: set repo secrets DOCKER_REGISTRY, DOCKER_REGISTRY_USERNAME, DOCKER_REGISTRY_PASSWORD
            # Example: DOCKER_REGISTRY=ghcr.io/org/repo or registry.example.com/veza
            - name: Build Backend Docker Image
              run: |
                  docker build -t veza-backend-api:${{ github.sha }} -f veza-backend-api/Dockerfile.production veza-backend-api/                  

            - name: Build Frontend Docker Image
              run: |
                  docker build -t veza-frontend:${{ github.sha }} -f apps/web/Dockerfile.production apps/web/                  

            - name: Build Stream Server Docker Image
              run: |
                  docker build -t veza-stream-server:${{ github.sha }} -f veza-stream-server/Dockerfile.production veza-stream-server/                  

            - name: Trivy vulnerability scan
              uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
              with:
                  image-ref: "veza-backend-api:${{ github.sha }}"
                  format: "table"
                  exit-code: "1"
                  severity: "CRITICAL,HIGH"

            - name: Trivy scan frontend
              uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
              with:
                  image-ref: "veza-frontend:${{ github.sha }}"
                  format: "table"
                  exit-code: "1"
                  severity: "CRITICAL,HIGH"

            - name: Trivy scan stream server
              uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.28.0
              with:
                  image-ref: "veza-stream-server:${{ github.sha }}"
                  format: "table"
                  exit-code: "1"
                  severity: "CRITICAL,HIGH"

            - name: Generate SBOM
              run: |
                  mkdir -p sbom
                  for svc in veza-backend-api veza-frontend veza-stream-server; do
                    trivy image --format cyclonedx --output "sbom/${svc}-${{ github.sha }}.json" "${svc}:${{ github.sha }}"
                  done                  
            - name: Upload SBOM artifacts
              uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
              with:
                  name: sbom
                  path: sbom/

            - name: Push Images to Registry
              if: vars.DOCKER_REGISTRY != ''
              run: |
                  echo "${{ secrets.DOCKER_REGISTRY_PASSWORD }}" | docker login "${{ vars.DOCKER_REGISTRY }}" -u "${{ secrets.DOCKER_REGISTRY_USERNAME }}" --password-stdin
                  for svc in veza-backend-api veza-frontend veza-stream-server; do
                    docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
                    docker tag "${svc}:${{ github.sha }}" "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
                    docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
                    docker push "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
                  done                  

            - name: Install cosign
              if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
              uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
              with:
                  cosign-release: "v2.2.0"
            - name: Sign images with cosign
              if: vars.DOCKER_REGISTRY != '' && vars.COSIGN_ENABLED == 'true'
              env:
                  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
                  COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
              run: |
                  for svc in veza-backend-api veza-frontend veza-stream-server; do
                    cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}"
                    cosign sign --key env://COSIGN_PRIVATE_KEY --yes "${{ vars.DOCKER_REGISTRY }}/${svc}:latest"
                  done                  

            - name: Build Summary
              run: |
                  echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
                  echo "- Backend: veza-backend-api:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
                  echo "- Frontend: veza-frontend:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY
                  echo "- Stream Server: veza-stream-server:${{ github.sha }}" >> $GITHUB_STEP_SUMMARY                  

    deploy:
        name: Deploy to ${{ github.event.inputs.environment || 'staging' }}
        runs-on: ubuntu-latest
        needs: build
        if: github.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
        environment: ${{ github.event.inputs.environment || 'staging' }}
        steps:
            - name: Deploy to Kubernetes
              if: vars.KUBE_CONFIG_SET == 'true'
              run: |
                  KUBECONFIG="${{ runner.temp }}/kubeconfig"
                  echo "${{ secrets.KUBE_CONFIG }}" | base64 -d > "$KUBECONFIG"
                  chmod 600 "$KUBECONFIG"
                  export KUBECONFIG
                  for svc in veza-backend-api veza-stream-server; do
                    kubectl set image "deployment/${svc}" "${svc}=${{ vars.DOCKER_REGISTRY }}/${svc}:${{ github.sha }}" \
                      -n veza --record || echo "Skipping ${svc} (deployment not found)"
                  done
                  kubectl rollout status deployment/veza-backend-api -n veza --timeout=300s || true
                  rm -f "$KUBECONFIG"                  

            - name: Deployment Summary
              run: |
                  echo "## Deployment Summary" >> $GITHUB_STEP_SUMMARY
                  echo "- Environment: ${{ github.event.inputs.environment || 'staging' }}" >> $GITHUB_STEP_SUMMARY                  

    smoke-post-deploy:
        name: Smoke tests post-deploy
        runs-on: ubuntu-latest
        needs: deploy
        if: vars.STAGING_URL != ''
        steps:
            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

            - name: Set up Node
              uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
              with:
                  node-version: "20"
                  cache: "npm"

            - name: Install dependencies
              run: npm ci

            - name: Install Playwright
              run: npx playwright install chromium --with-deps

            - name: Run smoke tests
              env:
                  PLAYWRIGHT_BASE_URL: ${{ vars.STAGING_URL }}
              run: |
                  cd apps/web
                  npx playwright test --config=playwright.config.smoke.ts