CI/CD Pipeline - Provability Fabric Testbed #21
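name: CI/CD Pipeline - Provability Fabric Testbed

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run dependency security scans weekly
    - cron: "0 2 * * 1"

# Least-privilege default for GITHUB_TOKEN across all jobs; the one job that
# has to push a branch and open a PR (dependency-updates) widens this itself.
permissions:
  contents: read

env:
  PYTHON_VERSION: "3.11"
  NODE_VERSION: "18"
  # Environment values are strings; quoted so YAML tooling does not retype it.
  DOCKER_BUILDKIT: "1"

jobs:
  # Dependency Management & Security
  dependency-management:
    name: 🔒 Dependency Management & Security
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pip"

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"

      - name: Install Python dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Install Node.js dependencies
        run: npm ci

      - name: Run dependency security audit
        run: |
          python scripts/manage-deps.py --validate
          npm audit --audit-level=moderate

      - name: Generate dependency report
        run: python scripts/manage-deps.py --report

      - name: Upload dependency report
        # upload-artifact v3 is deprecated and no longer served by GitHub; v4
        # requires artifact names to be unique per run, which they are here.
        uses: actions/upload-artifact@v4
        with:
          name: dependency-report
          path: dependency-report.json

  # Code Quality & Linting
  code-quality:
    name: ✨ Code Quality & Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pip"

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"

      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          npm ci

      - name: Run Python linting
        run: |
          black --check testbed/
          isort --check-only testbed/
          flake8 testbed/ --max-line-length=88

      - name: Run Node.js linting
        run: npm run lint

      - name: Run type checking
        run: |
          mypy testbed/
          npm run build

      - name: Run security scanning
        run: |
          bandit -r testbed/ -f json -o bandit-report.json
          # Write the JSON report first: npm audit exits non-zero on any
          # finding, so it must not abort the script before the file exists.
          # The second call is the actual gate at the chosen severity.
          npm audit --json > npm-audit.json || true
          npm audit --audit-level=moderate

      - name: Upload security reports
        # Keep the reports when bandit or npm audit fails the job -- that is
        # precisely when someone needs to read them.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            bandit-report.json
            npm-audit.json

  # Testing
  testing:
    name: 🧪 Testing
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.9", "3.10", "3.11"]
        node-version: ["16", "18", "20"]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v4
        with:
          python-version: ${{ matrix.python-version }}
          cache: "pip"

      - name: Set up Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: "npm"

      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          npm ci

      - name: Run Python tests
        run: |
          pytest testbed/tools/reporter/ -v --cov=testbed --cov-report=xml

      - name: Run Node.js tests
        run: npm test

      - name: Run E2E tests
        run: npm run test:e2e

      - name: Upload coverage reports
        uses: actions/upload-artifact@v4
        with:
          # Matrix values make the name unique, as upload-artifact v4 requires.
          name: coverage-${{ matrix.python-version }}-${{ matrix.node-version }}
          path: |
            coverage.xml
            coverage/

  # Security Testing
  security-testing:
    name: 🛡️ Security Testing
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pip"

      - name: Install dependencies
        run: |
          pip install -r requirements.txt

      - name: Run redteam tests
        # NOTE(review): a plain ubuntu-latest runner has no cluster and no
        # ~/.kube/config; this step needs a kubeconfig provisioned earlier in
        # the job (or a local cluster) to succeed -- confirm against the runner.
        run: |
          cd external/provability-fabric/tests/redteam
          python redteam_runner.py --kube-config ~/.kube/config

      - name: Run security gates
        run: |
          python testbed/tools/security-gates/security_gate_runner.py

      - name: Upload security test results
        # Results are the evidence of a failed gate; retain them on failure.
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: security-test-results
          path: security-test-results/

  # Performance Testing
  performance-testing:
    name: ⚡ Performance Testing
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up k6
        # NOTE(review): this action executes `filename` itself; it is not
        # known to leave a k6 binary on PATH for the `k6 run` step below, so
        # edge_load.js may run twice and the next step may fail -- confirm on
        # a real run.
        uses: grafana/k6-action@v0.3.0
        with:
          filename: external/provability-fabric/tests/load/edge_load.js

      - name: Run load tests
        run: |
          k6 run external/provability-fabric/tests/load/edge_load.js
          k6 run external/provability-fabric/tests/load/ledger_load.js

      - name: Upload performance results
        uses: actions/upload-artifact@v4
        with:
          name: performance-results
          # NOTE(review): nothing above writes to k6-results/; the k6 runs
          # need an output flag or the scripts must write there -- verify.
          path: k6-results/

  # Build & Package
  build:
    name: 🔨 Build & Package
    runs-on: ubuntu-latest
    needs:
      - dependency-management
      - code-quality
      - testing
      - security-testing
      - performance-testing
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          cache: "pip"

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"

      - name: Install dependencies
        run: |
          pip install -r requirements.txt
          npm ci

      - name: Build components
        run: |
          npm run build
          python -m pip install build
          python -m build

      - name: Create evidence pack
        run: |
          python testbed/tools/reporter/generate_testbed_report.py \
            --config testbed/tools/reporter/config.yaml \
            --output evidence \
            --format both \
            --time-range 168 \
            --include-art-comparison \
            --include-redteam-analysis

      - name: Upload build artifacts
        uses: actions/upload-artifact@v4
        with:
          name: build-artifacts
          path: |
            dist/
            evidence/
            build/

  # Docker Build & Test
  docker:
    name: 🐳 Docker Build & Test
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Docker Hub
        # Registry credentials are only needed when an image will be
        # published; pull_request and schedule runs build without logging in.
        if: github.event_name == 'push'
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push Docker images
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          # Build (and warm the cache) on every event, but publish only from
          # branch pushes. Unconditional push: true would publish PR builds and
          # the weekly scheduled run under the same tags.
          push: ${{ github.event_name == 'push' }}
          # NOTE(review): `latest` is published from both main and develop, and
          # on a branch push ref_name is the branch name, so the third tag is
          # e.g. testbed:vmain rather than a version -- confirm this is intended.
          tags: |
            provability-fabric/testbed:latest
            provability-fabric/testbed:${{ github.sha }}
            provability-fabric/testbed:v${{ github.ref_name }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

  # Deployment (Manual)
  deploy:
    name: 🚀 Deploy
    runs-on: ubuntu-latest
    needs: [docker]
    # The weekly schedule also runs on main, so the ref check alone would
    # deploy to production every Monday; require a real push as well.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    environment: production
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Deploy to production
        run: |
          echo "Deploying to production environment..."
          # Add your deployment logic here

      - name: Notify deployment
        run: |
          echo "Deployment completed successfully!"

  # Dependency Updates
  dependency-updates:
    name: 🔄 Dependency Updates
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule'
    # create-pull-request has to push a branch and open a PR; the workflow
    # default above is read-only.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: ${{ env.PYTHON_VERSION }}

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
          cache: "npm"

      - name: Check for dependency updates
        run: |
          pip install pip-review
          # --interactive needs a TTY and cannot be answered in CI; list only.
          pip-review --local

      - name: Check npm outdated
        # npm outdated exits 1 whenever something is outdated, which is the
        # expected case for this job rather than a failure.
        run: npm outdated || true

      - name: Create PR for updates
        # NOTE(review): no step in this job modifies requirements.txt or
        # package*.json, so there may be nothing to commit -- confirm the
        # intended update mechanism.
        uses: peter-evans/create-pull-request@v5
        with:
          title: "chore: update dependencies"
          body: "Automated dependency updates from scheduled CI run"
          branch: dependency-updates
          delete-branch: true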