CI/CD Pipeline #150
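# CI/CD pipeline for the Hugo site.
# lint -> build -> (validate-html, accessibility, performance, fuzz) run on the
# build artifact; security scanning (npm audit, Snyk, Trivy) and CodeQL run
# independently of the build.
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scans daily at 2 AM (GitHub cron schedules are evaluated in UTC)
    - cron: '0 2 * * *'
  # Manual trigger. The fuzz job is gated on this event name, so the workflow
  # must declare it or that branch of the condition can never be taken.
  workflow_dispatch:

# Least-privilege default for GITHUB_TOKEN. Jobs that need more (SARIF upload
# to code scanning) declare their own permissions block.
permissions:
  contents: read

# push and pull_request on the same branches otherwise start two runs per
# commit; cancel the superseded PR run, but never an in-flight scheduled scan.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

env:
  # Quoted so the values stay strings and are never re-typed by a YAML parser.
  HUGO_VERSION: '0.128.0'
  NODE_VERSION: '20.x'

jobs:
  lint:
    name: Lint Code
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run ESLint
        run: npm run lint:js
      - name: Run Stylelint
        run: npm run lint:css
      - name: Check Markdown links
        uses: gaurav-nelson/github-action-markdown-link-check@v1
        with:
          config-file: '.markdown-link-check.json'
          folder-path: 'content/'

  build:
    name: Build Hugo Site
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: recursive
          fetch-depth: 0
      - name: Setup Hugo
        uses: peaceiris/actions-hugo@v2
        with:
          hugo-version: ${{ env.HUGO_VERSION }}
          extended: true
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Build site
        run: npm run build
      # The rendered site is shared with the downstream jobs as an artifact.
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: public
          path: ./public

  validate-html:
    name: Validate HTML
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: public
          path: ./public
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Validate HTML
        run: npm run lint:html
      - name: Check for broken links
        uses: lycheeverse/lychee-action@v1
        with:
          # lychee expands the glob itself, so the pattern is passed quoted.
          args: --verbose --no-progress './public/**/*.html'
          fail: true

  accessibility:
    name: Accessibility Testing
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: public
          path: ./public
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run axe accessibility tests
        run: |
          npm install -g @axe-core/cli
          # bash does not expand '**' recursively unless globstar is on; without
          # it the pattern only matches one directory level under ./public.
          shopt -s globstar
          axe ./public/**/*.html --config .axe.json
      - name: Run Pa11y accessibility tests
        run: |
          npm install -g pa11y
          # Only the first 20 pages are checked to bound runtime.
          find ./public -name "*.html" -type f | head -20 | xargs -I {} pa11y {} --reporter cli

  security:
    name: Security Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif below
    steps:
      - uses: actions/checkout@v4
      - name: Run npm audit
        run: npm audit --audit-level=high
      - name: Run Snyk Security Scan
        # TODO(review): '@master' is a mutable ref — pin to a release tag or a
        # full commit SHA (<PINNED_REF>) so an upstream change cannot alter the
        # code that runs with SNYK_TOKEN in its environment.
        # NOTE: secrets are not exposed to pull_request runs from forks, so this
        # step is expected to fail there.
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high
      - name: Run Trivy vulnerability scanner
        # TODO(review): same as above — pin '@master' to a release tag or SHA.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          # exit-code is left at its default, so findings surface in code
          # scanning through the SARIF upload rather than failing this job.
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  performance:
    name: Performance Testing
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: public
          path: ./public
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run Lighthouse CI
        run: |
          npm install -g @lhci/cli
          lhci autorun --config=.lighthouserc.json
        env:
          LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}

  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: 'javascript'
          queries: security-extended
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  fuzz:
    name: Fuzz Testing
    runs-on: ubuntu-latest
    needs: build
    # Only on the nightly schedule or a manual run; too slow for every push/PR.
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: public
          path: ./public
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: 'npm'
      - name: Install dependencies
        run: npm ci
      - name: Run JS fuzzing
        run: |
          npm install -g jsfuzz
          find ./static/js -name "*.js" -type f | xargs -I {} jsfuzz {} --timeout 30
      - name: Run URL fuzzing with ffuf
        run: |
          sudo apt-get update && sudo apt-get install -y ffuf
          # Start local server in the background
          npm run serve &
          # Wait until the server answers instead of relying on a fixed sleep.
          for _ in $(seq 1 30); do
            curl -fsS http://localhost:8080/ >/dev/null 2>&1 && break
            sleep 1
          done
          # Run fuzzing against the local server only.
          # NOTE(review): the wordlist path may not exist on the runner after
          # installing only the ffuf package — confirm or ship one in-repo.
          ffuf -w /usr/share/wordlists/dirb/common.txt -u http://localhost:8080/FUZZ -mc 200,301,302 -t 10 -timeout 5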