labFusion/.gitea/workflows/docker-build.yml

name: Docker Build and Push

on:
  push:
    branches: [ main, develop ]
    tags: [ 'v*' ]
  pull_request:
    branches: [ main, develop ]

env:
  REGISTRY: gitea.example.com
  IMAGE_PREFIX: labfusion

jobs:
  build-and-push:
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3
      
    - name: Login to Container Registry
      uses: docker/login-action@v3
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
        
    - name: Extract metadata
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: |
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
        tags: |
          type=ref,event=branch
          type=ref,event=pr
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
          type=sha,prefix={{branch}}-
          type=raw,value=latest,enable={{is_default_branch}}
          
    - name: Build and push API Gateway
      uses: docker/build-push-action@v5
      with:
        context: ./services/api-gateway
        platforms: linux/amd64,linux/arm64
        push: true
        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ steps.meta.outputs.version }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha,scope=api-gateway
        cache-to: type=gha,mode=max,scope=api-gateway
        
    - name: Build and push Service Adapters
      uses: docker/build-push-action@v5
      with:
        context: ./services/service-adapters
        platforms: linux/amd64,linux/arm64
        push: true
        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ steps.meta.outputs.version }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha,scope=service-adapters
        cache-to: type=gha,mode=max,scope=service-adapters
        
    - name: Build and push API Docs
      uses: docker/build-push-action@v5
      with:
        context: ./services/api-docs
        platforms: linux/amd64,linux/arm64
        push: true
        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ steps.meta.outputs.version }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha,scope=api-docs
        cache-to: type=gha,mode=max,scope=api-docs
        
    - name: Build and push Frontend
      uses: docker/build-push-action@v5
      with:
        context: ./frontend
        platforms: linux/amd64,linux/arm64
        push: true
        tags: ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ steps.meta.outputs.version }}
        labels: ${{ steps.meta.outputs.labels }}
        cache-from: type=gha,scope=frontend
        cache-to: type=gha,mode=max,scope=frontend

  security-scan:
    runs-on: ubuntu-latest
    needs: build-and-push
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
      
    - name: Extract metadata for security scan
      id: meta
      uses: docker/metadata-action@v5
      with:
        images: |
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend
        tags: |
          type=ref,event=branch
          type=ref,event=pr
          type=semver,pattern={{version}}
          type=semver,pattern={{major}}.{{minor}}
          type=semver,pattern={{major}}
          type=sha,prefix={{branch}}-
          type=raw,value=latest,enable={{is_default_branch}}
      
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: |
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-gateway:${{ steps.meta.outputs.version }}
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/service-adapters:${{ steps.meta.outputs.version }}
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/api-docs:${{ steps.meta.outputs.version }}
          ${{ env.REGISTRY }}/${{ env.IMAGE_PREFIX }}/frontend:${{ steps.meta.outputs.version }}
        format: 'sarif'
        output: 'trivy-results.sarif'
        
    - name: Upload Trivy scan results
      uses: github/codeql-action/upload-sarif@v2
      if: always()
      with:
        sarif_file: 'trivy-results.sarif'

  deploy-staging:
    runs-on: ubuntu-latest
    needs: [build-and-push, security-scan]
    if: github.ref == 'refs/heads/develop'
    
    steps:
    - name: Deploy to staging
      run: |
        echo "Deploying to staging environment..."
        # Add your staging deployment commands here
        # This could include:
        # - Updating Kubernetes manifests
        # - Running helm charts
        # - Updating Docker Compose files
        # - Running database migrations

  deploy-production:
    runs-on: ubuntu-latest
    needs: [build-and-push, security-scan]
    if: startsWith(github.ref, 'refs/tags/v')
    
    steps:
    - name: Deploy to production
      run: |
        echo "Deploying to production environment..."
        # Add your production deployment commands here
        # This could include:
        # - Updating Kubernetes manifests
        # - Running helm charts
        # - Updating Docker Compose files
        # - Running database migrations
        # - Health checks
        # - Rollback procedures