From a1ddbeafc9430b70de68190a4f39cba375fffddb Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Thu, 11 Sep 2025 01:55:45 +0000
Subject: [PATCH] feat: Convert Jenkins pipelines to GitHub Actions workflows

- Add CI workflow (.github/workflows/ci.yml) with security scanning stages:
- Trivy filesystem vulnerability scanner
- OWASP Dependency Check
- SonarQube code analysis and quality gates
- Docker build and push to madhupdevops/bankapp
- Artifact uploads for security scan results
- Add CD workflow (.github/workflows/cd.yml) with GitOps deployment:
- Updates Kubernetes manifest (kubernetes/bankapp-deployment.yml)
- Commits and pushes manifest changes
- Email notifications with HTML formatting
- Maintains same security-focused DevSecOps approach as Jenkins pipelines
- Triggers: CI on push/PR to main/DevOps branches, CD after CI completion
- Required secrets: SONAR_TOKEN, DOCKERHUB_TOKEN, EMAIL_PASSWORD

Co-Authored-By: Arjun Mishra
---
 .github/workflows/cd.yml | 65 +++++++++++++++++++++++
 .github/workflows/ci.yml | 109 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 174 insertions(+)
 create mode 100644 .github/workflows/cd.yml
 create mode 100644 .github/workflows/ci.yml

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
new file mode 100644
index 00000000..3f9ebc19
--- /dev/null
+++ b/.github/workflows/cd.yml
@@ -0,0 +1,65 @@
+name: CD Pipeline
+
+on:
+ workflow_run:
+ workflows: ["CI Pipeline"]
+ types: [completed]
+ workflow_dispatch:
+ inputs:
+ docker_tag:
+ description: 'Docker tag from CI job'
+ required: true
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: DevOps
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Verify Docker Image Tag
+ run: |
+ echo "DOCKER TAG RECEIVED: ${{ github.event.inputs.docker_tag || github.event.workflow_run.head_sha }}"
+
+ - name: Update Kubernetes manifest
+ run: |
+ cd kubernetes
+ sed -i -e 's|trainwithshubham/bankapp-eks:.*|trainwithshubham/bankapp-eks:${{ github.event.inputs.docker_tag || github.event.workflow_run.head_sha }}|g' bankapp-deployment.yml
+
+ - name: Commit and push changes
+ run: |
+ git config --local user.email "action@github.com"
+ git config --local user.name "GitHub Action"
+ git add kubernetes/bankapp-deployment.yml
+ git commit -m "Updated K8s Deployment Docker Image Version to ${{ github.event.inputs.docker_tag || github.event.workflow_run.head_sha }}"
+ git push
+
+ - name: Send notification email
+ uses: dawidd6/action-send-mail@v3
+ if: always()
+ with:
+ server_address: smtp.gmail.com
+ server_port: 587
+ username: trainwithshubham@gmail.com
+ password: ${{ secrets.EMAIL_PASSWORD }}
+ subject: "BankApp Application Deployment - ${{ job.status }}"
+ html_body: |
+
+
+

Project: ${{ github.repository }}

+
+
+

Run Number: ${{ github.run_number }}

+
+
+

URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}

+
+
+
+
+ to: trainwithshubham@gmail.com
+ content_type: text/html
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..ff429de5
--- /dev/null
+++ b/.github/workflows/ci.yml
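Review bot: The `docker_tag` input is interpolated straight into the shell of the "Update Kubernetes manifest" and "Commit and push changes" steps through `${{ github.event.inputs.docker_tag || ... }}`, and the "Verify Docker Image Tag" step only echoes it, so a crafted tag ending the `sed` quote runs as shell on a runner whose `GITHUB_TOKEN` pushes to `DevOps`; pass the value through `env:` and reject anything that is not a plain tag or SHA before `sed` sees it. Separately, the `sed` pattern rewrites `trainwithshubham/bankapp-eks:` while the CI workflow added in this same commit pushes `madhupdevops/bankapp`, so if the manifest references the image CI builds the substitution is a no-op and `git commit` then exits non-zero on "nothing to commit". The `workflow_run` trigger also fires for CI runs started by `pull_request` events and deploys their `head_sha`, so the job `if:` should additionally require `github.event.workflow_run.head_branch == 'DevOps'`. Because the CI workflow also dispatches `cd.yml` explicitly, each successful CI run produces two CD runs racing the same `git push`; one of the two triggers should go. The job declares no `permissions:` block even though it pushes with the token, so `contents: write` should be stated explicitly.

```yaml
permissions:
  contents: write   # the job commits and pushes the manifest with GITHUB_TOKEN

jobs:
  deploy:
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'DevOps') }}
    env:
      DOCKER_TAG: ${{ github.event.inputs.docker_tag || github.event.workflow_run.head_sha }}
    steps:
      # … unchanged: checkout step …

      - name: Verify Docker Image Tag
        run: |
          # only a plain image tag / commit SHA may reach sed and the commit message
          [[ "$DOCKER_TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]] || { echo "refusing tag: $DOCKER_TAG"; exit 1; }
          echo "DOCKER TAG RECEIVED: $DOCKER_TAG"

      - name: Update Kubernetes manifest
        run: |
          sed -i -e "s|trainwithshubham/bankapp-eks:.*|trainwithshubham/bankapp-eks:${DOCKER_TAG}|g" kubernetes/bankapp-deployment.yml

      # … unchanged: commit/push step, with the -m message using "$DOCKER_TAG" …
      # … unchanged: notification email step …
```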
@@ -0,0 +1,109 @@
+name: CI Pipeline
+
+on:
+ push:
+ branches: [main, DevOps]
+ pull_request:
+ branches: [main]
+ workflow_dispatch:
+ inputs:
+ docker_tag:
+ description: 'Docker image tag'
+ required: true
+ default: 'latest'
+
+env:
+ SONAR_HOST_URL: https://your-sonarqube-server.com
+ DOCKER_REGISTRY: madhupdevops
+ IMAGE_NAME: bankapp
+
+jobs:
+ security-and-build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: DevOps
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: OWASP Dependency Check
+ uses: dependency-check/Dependency-Check_Action@main
+ with:
+ project: 'bankapp'
+ path: '.'
+ format: 'XML'
+
+ - name: Set up SonarQube Scanner
+ uses: sonarqube-quality-gate-action/setup@master
+
+ - name: SonarQube Scan
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ env.SONAR_HOST_URL }}
+ run: |
+ sonar-scanner \
+ -Dsonar.projectName=bankapp \
+ -Dsonar.projectKey=bankapp \
+ -Dsonar.sources=. \
+ -Dsonar.host.url=${{ env.SONAR_HOST_URL }} \
+ -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+
+ - name: SonarQube Quality Gate
+ uses: sonarqube-quality-gate-action@master
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ env.DOCKER_REGISTRY }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.docker_tag || github.sha }}
+
+ - name: Upload security scan results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: security-scan-results
+ path: |
+ trivy-results.sarif
+ dependency-check-report.xml
+ target/sonar/report-task.txt
+
+ - name: Trigger CD Pipeline
+ if: success()
+ uses: actions/github-script@v7
+ with:
+ script: |
+ github.rest.actions.createWorkflowDispatch({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ workflow_id: 'cd.yml',
+ ref: 'DevOps',
+ inputs: {
+ docker_tag: '${{ github.event.inputs.docker_tag || github.sha }}'
+ }
+ });
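Review bot: The checkout step pins `ref: DevOps` while the image is tagged with `${{ github.sha }}`, so for a `push` to `main` or a `pull_request` run the tag names a commit that was never built or scanned — the Trivy, Dependency-Check and Sonar results and the pushed image all describe whatever `DevOps` pointed at when the run started; drop `ref: DevOps` (or derive the tag from the checked-out commit) so the tag is real provenance. `push: true` is also unconditional, so `pull_request` runs publish to Docker Hub before review; gate it with `push: ${{ github.event_name != 'pull_request' }}`. The scanners do not block anything: `trivy-action` defaults to `exit-code: '0'` and the Dependency-Check step passes no `--failOnCVSS`, so the build-and-push step runs regardless of findings and only the Sonar quality gate can stop the pipeline. `aquasecurity/trivy-action@master`, `dependency-check/Dependency-Check_Action@main` and `sonarqube-quality-gate-action@master` are mutable refs (and `sonarqube-quality-gate-action/setup@master` is not in `owner/repo` form, so it will likely not resolve at all); pin each to a commit SHA. The workflow declares no `permissions:` block although the final `github-script` dispatch needs `actions: write`, which may fail on repositories with restricted default token permissions.

```yaml
permissions:
  contents: read
  actions: write   # required by the github-script dispatch of cd.yml

# … unchanged: env, job header …
      - name: Checkout code
        uses: actions/checkout@v4   # no ref: scan and build the commit that triggered the run

      # … unchanged: JDK setup …

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<commit-sha>   # pin, not a branch
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'   # fail the job, and so the push, on findings

      - name: OWASP Dependency Check
        uses: dependency-check/Dependency-Check_Action@<commit-sha>
        with:
          project: 'bankapp'
          path: '.'
          format: 'XML'
          args: --failOnCVSS 7

      # … unchanged: Sonar scan, quality gate, buildx, login …

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.docker_tag || github.sha }}
```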