This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: User Management API CI/CD Pipeline | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| jobs: | |
| lint-and-test: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install flake8 pylint black bandit nose | |
| pip install -r requirements.txt | |
| - name: Run Black code formatter | |
| run: black --check . | |
| - name: Lint with flake8 | |
| run: | | |
| # stop the build if there are Python syntax errors or undefined names | |
| flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics | |
| # exit-zero treats all errors as warnings | |
| flake8 . --count --exit-zero --max-complexity=10 --max-line-length=120 --statistics | |
| - name: Run Pylint | |
| run: pylint **/*.py || true # Allow non-zero exit to not fail the workflow | |
| - name: Run Bandit security scanner | |
| run: bandit -r . -f custom | |
| - name: Run Tests | |
| run: nosetests tests.py | |
| docker-build-and-scan: | |
| needs: lint-and-test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| load: true | |
| tags: user-management-api:latest | |
| - name: Install Grype | |
| run: | | |
| curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: Scan image with Grype | |
| run: | | |
| grype user-management-api:latest --fail-on medium | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/python@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| command: test | |
| # Optional: Deploy to container registry | |
| # Uncomment and configure as needed | |
| # deploy: | |
| # needs: [lint-and-test, docker-build-and-scan, security-scan] | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| # password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - name: Push to Docker Hub | |
| # uses: docker/build-push-action@v5 | |
| # with: | |
| # push: true | |
| # tags: yourusername/user-management-api:latest |