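---
# CI workflow for the Portainer/Traefik compose stack.
# Jobs: validate the compose file, lint YAML, scan git history for leaked
# secrets, check repository hygiene, and smoke-test that the stack starts.
name: CI Tests

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]

# Least privilege: the default GITHUB_TOKEN grant is read-only for every job.
# A job that needs more declares it on the job itself (see secrets-scan).
permissions:
  contents: read

jobs:
  validate-compose:
    name: Validate Docker Compose
    runs-on: ubuntu-latest
    steps:
      # Supply chain: third-party actions are pinned to a major tag. Pinning
      # to a full commit SHA (uses: owner/repo@<FULL_COMMIT_SHA>  # vX) would
      # stop a moved or compromised tag from changing what runs here.
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Docker
        uses: docker/setup-buildx-action@v3
      - name: Create .env from example
        run: cp .env.example .env
      # `config` renders and validates the compose file without starting
      # anything; stdout is discarded because only the exit status matters.
      # Uses the Compose v2 CLI (`docker compose`): the legacy v1
      # `docker-compose` binary is not guaranteed on current ubuntu-latest
      # images — confirm against the runner image in use.
      - name: Validate docker-compose.yaml
        run: docker compose config > /dev/null

  yaml-lint:
    name: YAML Linting
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # strict: warnings are treated as errors, so the job fails on any finding.
      - name: YAML Lint
        uses: ibiqlik/action-yamllint@v3
        with:
          config_file: .yamllint.yml
          file_or_dir: docker-compose.yaml
          strict: true

  secrets-scan:
    name: Secrets Scan
    runs-on: ubuntu-latest
    # gitleaks-action reads the PR via the API and can post findings as PR
    # comments; pull-requests: write is only needed for the latter — drop it
    # if comments are not wanted.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # Full history so the scan covers every commit, not just HEAD.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Gitleaks scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  security-check:
    name: Security Best Practices
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # A tracked .env would put real credentials into the repository history.
      - name: Check for .env in git
        run: |
          if git ls-files | grep -q "^\.env$"; then
            echo "❌ ERROR: .env file should not be committed!"
            exit 1
          else
            echo "✅ .env file is not tracked in git"
          fi
      - name: Check .env.example exists
        run: |
          if [ ! -f .env.example ]; then
            echo "❌ ERROR: .env.example is missing!"
            exit 1
          else
            echo "✅ .env.example exists"
          fi
      - name: Check .gitignore exists
        run: |
          if [ ! -f .gitignore ]; then
            echo "❌ ERROR: .gitignore is missing!"
            exit 1
          else
            echo "✅ .gitignore exists"
          fi

  stack-build-test:
    name: Test Stack Build
    runs-on: ubuntu-latest
    # Bound the job so a hung image pull or container cannot hold the runner.
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # External network the compose file attaches to (PROXY_NETWORK below).
      - name: Create Docker network
        run: docker network create traefik_proxy_network
      # Constructed, non-secret test values only. The heredoc delimiter is
      # unquoted, so the backticks in HOSTRULE must stay escaped.
      - name: Create .env file
        run: |
          cat > .env << EOF
          COMPOSE_PROJECT_NAME=portainer-test
          HOSTRULE=Host(\`portainer.test.local\`)
          PROXY_NETWORK=traefik_proxy_network
          RESTART=unless-stopped
          EOF
      - name: Pull images
        run: docker compose pull
      # A fixed sleep is a coarse readiness check; it only verifies the
      # container did not exit within the window, not that the app is healthy.
      - name: Validate service starts
        run: |
          # Start container
          docker compose up -d
          # Wait for container to be healthy
          sleep 10
          # Check if container is running
          if docker compose ps | grep -q "Up"; then
            echo "✅ Portainer container started successfully"
          else
            echo "❌ ERROR: Portainer container failed to start"
            docker compose logs
            exit 1
          fi
      # Runs even when an earlier step failed, so the runner is left clean.
      - name: Cleanup
        if: always()
        run: |
          docker compose down -v
          docker network rm traefik_proxy_network || true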