
fix: job names in CI pipeline for consistency #11

fix: job names in CI pipeline for consistency


Workflow file for this run

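# CI pipeline: lint -> unit tests -> SAST + SCA -> build -> container build & scan -> push.
# Supply-chain note: third-party actions below are referenced by mutable tags
# (`@v4`, `@v3`, `@master`). Pinning each `uses:` to a full commit SHA and letting
# Dependabot bump the pins removes the tag-retargeting risk; done as a follow-up.
name: CI Pipeline - UnHackable

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: read-only for every job.
# Jobs that need more (CodeQL result upload) widen it in their own block.
permissions:
  contents: read

env:
  # NOTE(review): secrets are empty on pull_request runs from forks, so this
  # expands to "/unhackable" and the docker job's image tag becomes invalid —
  # confirm whether fork PRs are expected to reach the docker stage.
  IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/unhackable

jobs:
  # ============================================
  # Stage 1: Code Quality & Linting
  # WHY: Enforces coding standards, prevents technical debt,
  # catches syntax errors early before expensive operations
  # ============================================
  lint:
    name: Lint & Type Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Nothing in this workflow pushes back to git, so do not leave the
          # token in .git/config where `npm ci` lifecycle scripts could read it.
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run ESLint
        run: npm run lint

      - name: TypeScript Type Check
        run: npx tsc --noEmit

  # ============================================
  # Stage 2: Unit Tests
  # WHY: Validates business logic, prevents regressions,
  # ensures code behaves as expected
  # ============================================
  test:
    name: Unit Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Run unit tests
        # --if-present keeps the job green when no "test" script is defined.
        run: npm test --if-present

  # ============================================
  # Stage 3: SAST - Static Application Security Testing
  # WHY: Detects OWASP Top 10 vulnerabilities in source code,
  # implements shift-left security before deployment
  # ============================================
  sast:
    name: SAST - CodeQL Analysis
    runs-on: ubuntu-latest
    needs: lint
    # Replaces the workflow-level read-only grant: CodeQL needs to upload
    # SARIF results to the Security tab.
    permissions:
      security-events: write
      actions: read
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:javascript-typescript"

  # ============================================
  # Stage 4: SCA - Software Composition Analysis
  # WHY: Identifies vulnerable dependencies (supply chain attacks),
  # checks for known CVEs in npm packages
  # ============================================
  sca:
    name: SCA - Dependency Check
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: NPM Audit (Security Check)
        # Advisory gate, same policy as before (the audit never blocked the
        # pipeline). continue-on-error keeps the job green but, unlike
        # `|| true`, a failing audit is still visible as a failed step.
        continue-on-error: true
        run: npm audit --audit-level=moderate

  # ============================================
  # Stage 5: Build Application
  # WHY: Validates that the application compiles successfully,
  # creates production-ready artifacts
  # ============================================
  build:
    name: Build Application
    runs-on: ubuntu-latest
    needs: [test, sast, sca]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      - name: Build Next.js application
        run: npm run build

  # ============================================
  # Stage 6: Docker Build & Scan
  # WHY: Packages application into container, scans for
  # OS & library vulnerabilities before shipping
  # ============================================
  docker:
    name: Docker Build & Scan
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./dockerfile
          # Build only and load into the local daemon so Trivy and the smoke
          # test below run against this exact image without publishing it.
          push: false
          load: true
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # ----------------------------------------
      # Image Scan with Trivy
      # WHY: Detects OS & library vulnerabilities in container
      # ----------------------------------------
      - name: Run Trivy vulnerability scanner
        # TODO(supply-chain): `@master` is a mutable branch ref; pin to a
        # release tag or commit SHA so the scanner itself cannot be swapped
        # out underneath the pipeline.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          format: 'table'
          severity: 'CRITICAL,HIGH'
          # Trivy's default exit code is 0, which made this step report-only
          # and let the push stage publish regardless of findings. Fail the
          # job on CRITICAL/HIGH findings that have a fix available.
          ignore-unfixed: true
          exit-code: '1'

      # ----------------------------------------
      # Container Smoke Test
      # WHY: Validates container starts and responds to health checks
      # ----------------------------------------
      - name: Run container smoke test
        run: |
          docker run -d --name test-container -p 3000:3000 ${{ env.IMAGE_NAME }}:${{ github.sha }}
          # Always print logs and remove the container, including when the
          # probe fails (previously a failed curl skipped both).
          trap 'docker logs test-container; docker rm -f test-container' EXIT
          # Poll instead of a fixed sleep: passes as soon as the app is up and
          # gives a clear message if it never comes up.
          for attempt in $(seq 1 30); do
            if curl --fail --silent --show-error --output /dev/null http://localhost:3000; then
              echo "✅ Container health check passed!"
              exit 0
            fi
            sleep 1
          done
          echo "Container did not respond on http://localhost:3000 within 30s"
          exit 1

  # ============================================
  # Stage 7: Push to Registry
  # WHY: Publishes trusted, scanned image to DockerHub,
  # enables downstream CD pipeline deployment
  # ============================================
  push:
    name: Push to DockerHub
    runs-on: ubuntu-latest
    needs: docker
    # Publish only from the default branches, never from pull_request runs.
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false  # no git push in this job

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build and push
        # NOTE(review): this rebuilds the image in a fresh job rather than
        # pushing the digest that Trivy scanned; the GHA cache makes the
        # result likely identical but not guaranteed. Pushing the scanned
        # digest (or scanning after push) would close that gap — confirm
        # which is intended.
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./dockerfile
          push: true
          tags: |
            ${{ env.IMAGE_NAME }}:latest
            ${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Image pushed successfully
        run: |
          echo "Image pushed to DockerHub!"
          echo "Tags: latest, ${{ github.sha }}"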