gustcol · gustcol · Jan 26, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/.github/workflows/dedo-duro-analysis.yml b/.github/workflows/dedo-duro-analysis.yml
@@ -0,0 +1,206 @@
+name: Dedo-Duro AWS Analysis
+
+on:
+  # Run weekly on Monday at 6 AM UTC
+  schedule:
+    - cron: '0 6 * * 1'
+
+  # Allow manual trigger
+  workflow_dispatch:
+    inputs:
+      region:
+        description: 'AWS Region to analyze (leave empty for default)'
+        required: false
+        type: string
+      resource_types:
+        description: 'Comma-separated resource types (leave empty for all)'
+        required: false
+        type: string
+      output_format:
+        description: 'Output format'
+        required: false
+        default: 'html'
+        type: choice
+        options:
+          - html
+          - json
+          - csv
+      multi_region:
+        description: 'Analyze all regions'
+        required: false
+        default: false
+        type: boolean
+      environment_filter:
+        description: 'Environment filter (prod, test, dev)'
+        required: false
+        type: string
+
+env:
+  PYTHON_VERSION: '3.11'
+
+jobs:
+  analyze:
+    name: Run AWS Resource Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC authentication
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: 'pip'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        env:
+          INPUT_REGION: ${{ inputs.region }}
+          DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ inputs.region || secrets.AWS_DEFAULT_REGION || 'us-east-1' }}
+
+      - name: Run Dedo-Duro Analysis
+        id: analysis
+        env:
+          INPUT_REGION: ${{ inputs.region }}
+          INPUT_RESOURCE_TYPES: ${{ inputs.resource_types }}
+          INPUT_OUTPUT_FORMAT: ${{ inputs.output_format }}
+          INPUT_MULTI_REGION: ${{ inputs.multi_region }}
+          INPUT_ENVIRONMENT: ${{ inputs.environment_filter }}
+        run: |
+          # Build command with optional parameters using environment variables
+          CMD="python main.py"
+
+          # Add region if specified (validate alphanumeric and hyphens only)
+          if [ -n "$INPUT_REGION" ]; then
+            SAFE_REGION=$(echo "$INPUT_REGION" | grep -E '^[a-z0-9-]+$' || echo "")
+            if [ -n "$SAFE_REGION" ]; then
+              CMD="$CMD --region $SAFE_REGION"
+            fi
+          fi
+
+          # Add resource types if specified (validate alphanumeric, commas, underscores)
+          if [ -n "$INPUT_RESOURCE_TYPES" ]; then
+            SAFE_TYPES=$(echo "$INPUT_RESOURCE_TYPES" | grep -E '^[a-zA-Z0-9_,]+$' || echo "")
+            if [ -n "$SAFE_TYPES" ]; then
+              CMD="$CMD --resource-types $SAFE_TYPES"
+            fi
+          fi
+
+          # Add output format (choice type, already validated)
+          if [ -n "$INPUT_OUTPUT_FORMAT" ]; then
+            CMD="$CMD --output-format $INPUT_OUTPUT_FORMAT"
+          else
+            CMD="$CMD --output-format html"
+          fi
+
+          # Add multi-region flag if enabled
+          if [ "$INPUT_MULTI_REGION" = "true" ]; then
+            CMD="$CMD --multi-region"
+          fi
+
+          # Add environment filter if specified (validate alphanumeric only)
+          if [ -n "$INPUT_ENVIRONMENT" ]; then
+            SAFE_ENV=$(echo "$INPUT_ENVIRONMENT" | grep -E '^[a-zA-Z]+$' || echo "")
+            if [ -n "$SAFE_ENV" ]; then
+              CMD="$CMD --environment $SAFE_ENV"
+            fi
+          fi
+
+          # Run analysis
+          echo "Running: $CMD"
+          eval "$CMD"
+
+          # Set output file path
+          REPORT=$(ls aws-optimization-report.* 2>/dev/null | head -1)
+          echo "report_file=$REPORT" >> "$GITHUB_OUTPUT"
+
+      - name: Upload Report Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: dedo-duro-report-${{ github.run_number }}
+          path: |
+            aws-optimization-report.*
+          retention-days: 30
+
+      - name: Upload to S3 (optional)
+        if: ${{ secrets.REPORT_S3_BUCKET != '' }}
+        env:
+          REPORT_FILE: ${{ steps.analysis.outputs.report_file }}
+          S3_BUCKET: ${{ secrets.REPORT_S3_BUCKET }}
+        run: |
+          if [ -n "$REPORT_FILE" ] && [ -f "$REPORT_FILE" ]; then
+            TIMESTAMP=$(date +%Y-%m-%d)
+            aws s3 cp "$REPORT_FILE" "s3://${S3_BUCKET}/reports/${TIMESTAMP}/${REPORT_FILE}"
+            echo "Report uploaded to s3://${S3_BUCKET}/reports/${TIMESTAMP}/${REPORT_FILE}"
+          fi
+
+      - name: Create Summary
+        env:
+          REPORT_FILE: ${{ steps.analysis.outputs.report_file }}
+          INPUT_REGION: ${{ inputs.region }}
+          INPUT_OUTPUT_FORMAT: ${{ inputs.output_format }}
+        run: |
+          {
+            echo "## Dedo-Duro Analysis Complete"
+            echo ""
+            echo "**Report:** \`${REPORT_FILE:-no report}\`"
+            echo "**Region:** ${INPUT_REGION:-default}"
+            echo "**Format:** ${INPUT_OUTPUT_FORMAT:-html}"
+            echo ""
+            echo "Download the report from the Artifacts section above."
+          } >> "$GITHUB_STEP_SUMMARY"
+
+  notify:
+    name: Send Notifications
+    needs: analyze
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Send Slack Notification (optional)
+        if: ${{ secrets.SLACK_WEBHOOK_URL != '' }}
+        uses: slackapi/slack-github-action@v1.25.0
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+          ANALYZE_RESULT: ${{ needs.analyze.result }}
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+        with:
+          payload: |
+            {
+              "text": "Dedo-Duro AWS Analysis Complete",
+              "blocks": [
+                {
+                  "type": "header",
+                  "text": {
+                    "type": "plain_text",
+                    "text": "Dedo-Duro AWS Analysis Report"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Status:*\n${{ needs.analyze.result }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Run:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Details>"
+                    }
+                  ]
+                }
+              ]
+            }
diff --git a/.gitignore b/.gitignore
@@ -229,3 +229,4 @@ $RECYCLE.BIN/
 *.key
 credentials.json
 secrets.json
+.circleci