Refactor CI workflows by removing security scan steps for API Docs, API Gateway, Frontend, and Service Adapters; update Docker build configurations for improved clarity and maintainability.

2025-09-15 09:42:07 +02:00
parent 63a3139896
commit 4ae22d4f5f
6 changed files with 4 additions and 220 deletions
--- a/.gitea/workflows/api-docs.yml
+++ b/.gitea/workflows/api-docs.yml
@@ -132,7 +132,7 @@ jobs:
      uses: actions/cache@v4
      with:
        path: ~/.npm
-        key: ${{ runner.os }}-node-18-${{ hashFiles('services/api-docs/package-lock.json') }}
+        key: ${{ runner.os }}-node-18-${{ hashFiles('services/api-docs/package.json') }}
        restore-keys: |
          ${{ runner.os }}-node-18-
          ${{ runner.os }}-node-
@@ -169,29 +169,3 @@ jobs:
    - name: Build Docker image (test only)
      run: docker build -t api-docs:test .
  security:
    runs-on: [self-hosted]
    needs: build
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Build Docker image for security scan
      run: |
        cd services/api-docs
        docker build -t api-docs:security-scan .
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.28.0
      with:
        image-ref: api-docs:security-scan
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'
--- a/.gitea/workflows/api-gateway.yml
+++ b/.gitea/workflows/api-gateway.yml
@@ -119,31 +119,3 @@ jobs:
    runs-on: [self-hosted]
    needs: build
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Set up JDK 17
      uses: actions/setup-java@v4
      with:
        java-version: '17'
        distribution: 'temurin'
        cache: maven
    - name: Build Docker image for security scan
      run: |
        cd services/api-gateway
        docker build -t api-gateway:security-scan .
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: api-gateway:security-scan
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -221,26 +221,3 @@ jobs:
    - name: Stop services
      if: always()
      run: docker-compose -f docker-compose.dev.yml down
  # Security and Quality Gates
  security-scan:
    runs-on: [self-hosted]
    needs: [api-gateway, service-adapters, api-docs, frontend]
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'
--- a/.gitea/workflows/docker-build.yml
+++ b/.gitea/workflows/docker-build.yml
@@ -90,80 +90,3 @@ jobs:
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha,scope=frontend
        cache-to: type=gha,mode=max,scope=frontend
  security-scan:
    runs-on: ubuntu-latest
    needs: build-and-push
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Extract metadata for security scan
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: |
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
        tags: |
          type=ref,event=branch
          type=ref,event=pr
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
          type=sha,prefix={{branch}}-
          type=raw,value=latest,enable={{is_default_branch}}
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: |
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ steps.meta.outputs.version }}
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ steps.meta.outputs.version }}
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ steps.meta.outputs.version }}
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ steps.meta.outputs.version }}
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'
  deploy-staging:
    runs-on: ubuntu-latest
    needs: [build-and-push, security-scan]
    if: github.ref == 'refs/heads/develop'
    steps:
    - name: Deploy to staging
      run: |
        echo "Deploying to staging environment..."
        # Add your staging deployment commands here
        # This could include:
        # - Updating Kubernetes manifests
        # - Running helm charts
        # - Updating Docker Compose files
        # - Running database migrations
  deploy-production:
    runs-on: ubuntu-latest
    needs: [build-and-push, security-scan]
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
    - name: Deploy to production
      run: |
        echo "Deploying to production environment..."
        # Add your production deployment commands here
        # This could include:
        # - Updating Kubernetes manifests
        # - Running helm charts
        # - Updating Docker Compose files
        # - Running database migrations
        # - Health checks
        # - Rollback procedures
--- a/.gitea/workflows/frontend.yml
+++ b/.gitea/workflows/frontend.yml
@@ -151,34 +151,3 @@ jobs:
        configPath: './frontend/.lighthouserc.json'
        uploadArtifacts: true
        temporaryPublicStorage: true
  security:
    runs-on: [self-hosted]
    needs: build
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Set up Node.js 18
      uses: actions/setup-node@v4
      with:
        node-version: '18'
    - name: Build Docker image for security scan
      run: |
        cd frontend
        docker build -t frontend:security-scan .
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: frontend:security-scan
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'
--- a/.gitea/workflows/service-adapters.yml
+++ b/.gitea/workflows/service-adapters.yml
@@ -128,34 +128,3 @@ jobs:
    - name: Build Docker image (test only)
      run: docker build -t service-adapters:test .
  security:
    runs-on: [self-hosted]
    needs: build
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Set up Python 3.11
      uses: actions/setup-python@v4
      with:
        python-version: '3.11'
    - name: Build Docker image for security scan
      run: |
        cd services/service-adapters
        docker build -t service-adapters:security-scan .
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: service-adapters:security-scan
        format: 'sarif'
        output: 'trivy-results.sarif'
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'