feat: add GitHub Actions workflow for build, test, and Docker image management with security scanning

RandithaK · RandithaK · commit 3ca71fa3ff48 · 2025-12-17T01:04:47.000+05:30
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -0,0 +1,113 @@
+name: Build and Test
+
+on:
+  push:
+    branches:
+      - 'main'
+      - 'dev'
+
+permissions:
+  contents: read
+  packages: write
+  security-events: write # Required if you want to upload scan results to GitHub Security tab
+
+jobs:
+  build-test:
+    name: Build, Test & Push Image
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Use Node.js 20 and cache npm
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: package-lock.json
+
+      - name: Cache Next.js build artifacts
+        uses: actions/cache@v4
+        with:
+          path: ./.next/cache
+          key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('**/*.{js,jsx,ts,tsx,css,html}') }}
+          restore-keys: |
+            ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json') }}-
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linter
+        run: npm run lint
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v6
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build production bundle
+        run: npm run build
+
+      - name: Extract branch name
+        id: branch
+        run: |
+          BRANCH_NAME=${GITHUB_REF#refs/heads/}
+          echo "name=${BRANCH_NAME}" >> $GITHUB_OUTPUT
+
+      # --- NEW STEP: Required for advanced Docker caching and building ---
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/frontend_web
+          tags: |
+            type=raw,value=${{ steps.branch.outputs.name }}-{{sha}},enable=true
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      # --- NEW STEP: Build locally for scanning (Don't push yet) ---
+      - name: Build and export to Docker
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          load: true # This loads the image into the local Docker daemon
+          tags: local-image-scan:latest # A temporary tag just for scanning
+
+      # --- NEW STEP: Run the Security Scan ---
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: 'local-image-scan:latest'
+          format: 'table'
+          exit-code: '1'          # Fail the build if vulnerabilities are found
+          ignore-unfixed: true    # Don't fail on bugs that have no patch yet
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH' # Only fail on Critical and High issues
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Actual Push Step (Uses cache from previous build step)
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Image Summary
+        run: |
+          echo "### 🐳 Docker Image Built" >> $GITHUB_STEP_SUMMARY
+          echo "**Tags pushed:**" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
