From 519c27bd31f2986891f198c81aeea9faf9685e45 Mon Sep 17 00:00:00 2001
From: Arun
Date: Mon, 25 Aug 2025 16:56:06 -0400
Subject: [PATCH] chore: remove unnecessary GitHub Actions workflows

- Remove deploy.yml (production deployment pipeline)
- Remove sbom-utils.yml (SBOM utilities workflow)
- Streamline CI/CD to essential workflows only
---
 .github/workflows/deploy.yml | 139 -----------------
 .github/workflows/sbom-utils.yml | 254 -------------------------------
 2 files changed, 393 deletions(-)
 delete mode 100644 .github/workflows/deploy.yml
 delete mode 100644 .github/workflows/sbom-utils.yml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index 66d8561..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,139 +0,0 @@ -name: Deploy to Production - -on: - push: - branches: [main] - tags: ["v*"] - workflow_dispatch: - inputs: - environment: - description: "Deployment environment" - required: true - default: "staging" - type: choice - options: - - staging - - production - -env: - NODE_VERSION: "18" - DOCKER_BUILDKIT: 1 - -jobs: - # Build and push Docker images - build-and-push: - name: Build & Push Images - runs-on: ubuntu-latest - outputs: - backend-image: ${{ steps.meta.outputs.backend-image }} - frontend-image: ${{ steps.meta.outputs.frontend-image }} - steps: - - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to Docker Hub - if: github.event_name != 'workflow_dispatch' || github.event.inputs.environment == 'production' - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Extract metadata - id: meta - run: | - if [[ $GITHUB_REF == refs/tags/* ]]; then - VERSION=${GITHUB_REF#refs/tags/} - else - VERSION=${{ github.sha }} - fi - - echo "backend-image=connectkit/backend:$VERSION" >> $GITHUB_OUTPUT - echo "frontend-image=connectkit/frontend:$VERSION" >> $GITHUB_OUTPUT - echo "version=$VERSION" >> $GITHUB_OUTPUT - - - name: Build and push backend image - uses: docker/build-push-action@v5 - with: - context: ./backend - file: ./docker/backend/Dockerfile - push: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.environment == 'production' }} - tags: ${{ steps.meta.outputs.backend-image }} - cache-from: type=gha - cache-to: type=gha,mode=max - target: production - - - name: Build and push frontend image - uses: docker/build-push-action@v5 - with: - context: ./frontend - file: ./docker/frontend/Dockerfile - push: ${{ github.event_name != 'workflow_dispatch' || github.event.inputs.environment == 'production' }} - tags: ${{ steps.meta.outputs.frontend-image }} - cache-from: type=gha - cache-to: 
type=gha,mode=max - target: production - - # Deploy to staging - deploy-staging: - name: Deploy to Staging - runs-on: ubuntu-latest - needs: [build-and-push] - if: github.ref == 'refs/heads/main' || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'staging') - environment: - name: staging - url: https://staging.connectkit.app - steps: - - name: Deploy to staging - run: | - echo "🚀 Deploying to staging environment..." - echo "Backend Image: ${{ needs.build-and-push.outputs.backend-image }}" - echo "Frontend Image: ${{ needs.build-and-push.outputs.frontend-image }}" - # Add your actual deployment commands here - # Example: kubectl, docker-compose, or deployment scripts - echo "✅ Staging deployment completed successfully!" - - # Deploy to production - deploy-production: - name: Deploy to Production - runs-on: ubuntu-latest - needs: [build-and-push, deploy-staging] - if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && github.event.inputs.environment == 'production') - environment: - name: production - url: https://connectkit.app - steps: - - name: Deploy to production - run: | - echo "🚀 Deploying to production environment..." - echo "Backend Image: ${{ needs.build-and-push.outputs.backend-image }}" - echo "Frontend Image: ${{ needs.build-and-push.outputs.frontend-image }}" - # Add your actual deployment commands here - # Example: kubectl, helm, or deployment scripts - echo "✅ Production deployment completed successfully!" 
- - - name: Create deployment summary - run: | - echo "## 🎉 Production Deployment Successful" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "### Deployment Details" >> $GITHUB_STEP_SUMMARY - echo "- **Version**: \`${{ needs.build-and-push.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY - echo "- **Backend Image**: \`${{ needs.build-and-push.outputs.backend-image }}\`" >> $GITHUB_STEP_SUMMARY - echo "- **Frontend Image**: \`${{ needs.build-and-push.outputs.frontend-image }}\`" >> $GITHUB_STEP_SUMMARY - echo "- **Environment**: Production" >> $GITHUB_STEP_SUMMARY - echo "- **URL**: https://connectkit.app" >> $GITHUB_STEP_SUMMARY - - # Post-deployment health check - health-check: - name: Health Check - runs-on: ubuntu-latest - needs: [deploy-staging] - if: always() && needs.deploy-staging.result == 'success' - steps: - - name: Check staging health - run: | - echo "🔍 Running health checks on staging environment..." - # Add health check commands here - # Example: curl health endpoints, run smoke tests - echo "✅ All health checks passed!" diff --git a/.github/workflows/sbom-utils.yml b/.github/workflows/sbom-utils.yml deleted file mode 100644 index 9424298..0000000 --- a/.github/workflows/sbom-utils.yml +++ /dev/null 
@@ -1,254 +0,0 @@ -name: SBOM Utilities (Reusable Workflow) - -on: - workflow_call: - inputs: - severity_threshold: - description: "Minimum severity level to report (low|medium|high|critical)" - required: false - type: string - default: "medium" - fail_on_critical: - description: "Fail build on critical vulnerabilities" - required: false - type: boolean - default: true - fail_on_high: - description: "Fail build on high vulnerabilities" - required: false - type: boolean - default: true - scan_docker_images: - description: "Include Docker image scanning" - required: false - type: boolean - default: true - generate_attestations: - description: "Generate attestation documents" - required: false - type: boolean - default: true - outputs: - sbom_compliant: - description: "Whether SBOM generation was successful" - value: ${{ jobs.sbom-generation.outputs.compliant }} - vulnerability_summary: - description: "Summary of vulnerability scan results" - value: ${{ jobs.sbom-generation.outputs.vuln_summary }} - -env: - NODE_VERSION: "18" - -jobs: - sbom-generation: - name: Enhanced SBOM Generation - runs-on: ubuntu-latest - timeout-minutes: 30 - outputs: - compliant: ${{ steps.evaluate.outputs.compliant }} - vuln_summary: ${{ steps.evaluate.outputs.vuln_summary }} - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - cache: "npm" - - - name: Install dependencies - run: | - npm ci - npm ci --workspace=backend --omit=dev - npm ci --workspace=frontend --omit=dev - - - name: Install SBOM and security tools - run: | - # Install Syft for SBOM generation - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - # Install Grype for vulnerability scanning - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - # Verify installation - syft version - grype version - - 
- name: Build Docker images (if requested) - if: inputs.scan_docker_images - run: | - echo "🐳 Building Docker images for SBOM analysis..." - - # Build backend image - docker build -f docker/backend/Dockerfile --target production -t connectkit-backend:latest ./backend - - # Build frontend image - docker build -f docker/frontend/Dockerfile --target production -t connectkit-frontend:latest ./frontend - - echo "✅ Docker images built successfully" - - - name: Generate comprehensive SBOM - env: - SEVERITY_THRESHOLD: ${{ inputs.severity_threshold }} - run: | - echo "🔍 Generating comprehensive SBOM with threshold: $SEVERITY_THRESHOLD" - - # Run our enhanced SBOM generator - npm run sbom:generate - - - name: Scan Docker images for SBOM (if requested) - if: inputs.scan_docker_images - run: | - echo "🐳 Scanning Docker images..." - - # Scan backend Docker image - syft connectkit-backend:latest -o json > sbom-output/sbom-backend-docker.json - - # Scan frontend Docker image - syft connectkit-frontend:latest -o json > sbom-output/sbom-frontend-docker.json - - echo "✅ Docker image SBOMs generated" - - - name: Enhanced vulnerability analysis - env: - SEVERITY_THRESHOLD: ${{ inputs.severity_threshold }} - run: | - echo "🔐 Running enhanced vulnerability analysis..." - - # Note: vulnerability-check.js handles exit codes based on thresholds - # We'll capture the results for evaluation in next step - npm run sbom:check || echo "vuln_check_failed=true" >> $GITHUB_ENV - - - name: Generate attestation documents - if: inputs.generate_attestations - run: | - echo "📋 Generating attestation documents..." 
- - # Create SBOM attestation with current timestamp - cat > sbom-output/sbom-attestation.json << EOF - { - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://cyclonedx.org/bom", - "subject": [ - { - "name": "pkg:npm/connectkit@1.0.0", - "digest": { - "sha256": "$(sha256sum package.json | cut -d' ' -f1)" - } - } - ], - "predicate": { - "timestamp": "$(date -u +%Y-%m-%dT%H:%M:%SZ)", - "generator": "ConnectKit CI/CD Pipeline", - "sbom_formats": ["cyclonedx-json", "spdx-json", "syft-json"], - "vulnerability_scanned": true, - "license_reviewed": true - } - } - EOF - - echo "✅ Attestation documents generated" - - - name: Evaluate compliance and results - id: evaluate - run: | - echo "📊 Evaluating SBOM compliance and results..." - - # Check if compliance report exists - if [ -f "sbom-output/compliance-report.json" ]; then - # Parse compliance results - OVERALL_COMPLIANT=$(jq -r '.ntia_minimum_elements.compliant and .executive_order_14028.compliant and .license_compliance.compliant' sbom-output/compliance-report.json) - VULN_PASSED=$(jq -r '.vulnerability_assessment.passed' sbom-output/compliance-report.json) - - # Get vulnerability summary - CRITICAL=$(jq -r '.vulnerability_assessment.findings.critical' sbom-output/compliance-report.json) - HIGH=$(jq -r '.vulnerability_assessment.findings.high' sbom-output/compliance-report.json) - MEDIUM=$(jq -r '.vulnerability_assessment.findings.medium' sbom-output/compliance-report.json) - LOW=$(jq -r '.vulnerability_assessment.findings.low' sbom-output/compliance-report.json) - - VULN_SUMMARY="Critical: $CRITICAL, High: $HIGH, Medium: $MEDIUM, Low: $LOW" - - echo "compliant=$OVERALL_COMPLIANT" >> $GITHUB_OUTPUT - echo "vuln_summary=$VULN_SUMMARY" >> $GITHUB_OUTPUT - - # Summary for GitHub - echo "## 📊 SBOM Generation Results" >> $GITHUB_STEP_SUMMARY - echo "- **NTIA Compliance**: ✅ Passed" >> $GITHUB_STEP_SUMMARY - echo "- **Executive Order 14028**: ✅ Passed" >> $GITHUB_STEP_SUMMARY - echo "- **License 
Compliance**: ✅ Passed" >> $GITHUB_STEP_SUMMARY - echo "- **Vulnerability Assessment**: $([ "$VULN_PASSED" = "true" ] && echo "✅ Passed" || echo "❌ Failed")" >> $GITHUB_STEP_SUMMARY - echo "- **Vulnerability Summary**: $VULN_SUMMARY" >> $GITHUB_STEP_SUMMARY - - # Fail job if vulnerability thresholds exceeded and strict mode enabled - if [ "$VULN_PASSED" != "true" ]; then - if [ "${{ inputs.fail_on_critical }}" = "true" ] && [ "$CRITICAL" -gt 0 ]; then - echo "❌ Build failed: Critical vulnerabilities found ($CRITICAL) and fail_on_critical=true" - exit 1 - elif [ "${{ inputs.fail_on_high }}" = "true" ] && [ "$HIGH" -gt 5 ]; then - echo "❌ Build failed: High vulnerabilities exceed threshold ($HIGH > 5) and fail_on_high=true" - exit 1 - else - echo "⚠️ Vulnerabilities found but below failure thresholds" - fi - fi - else - echo "❌ Compliance report not found" - echo "compliant=false" >> $GITHUB_OUTPUT - echo "vuln_summary=Report not generated" >> $GITHUB_OUTPUT - exit 1 - fi - - - name: Upload SBOM artifacts - uses: actions/upload-artifact@v4 - if: always() - with: - name: sbom-artifacts-${{ github.run_number }} - path: | - sbom-output/ - .sbom/ - retention-days: 30 - - - name: Create SBOM summary comment (for PRs) - if: github.event_name == 'pull_request' - uses: actions/github-script@v7 - with: - script: | - const fs = require('fs'); - - let summary = '## 🔍 SBOM Analysis Results\\n\\n'; - - try { - const report = JSON.parse(fs.readFileSync('sbom-output/compliance-report.json', 'utf8')); - const vulnAssessment = report.vulnerability_assessment; - - summary += `### Vulnerability Summary\\n`; - summary += `- **Critical**: ${vulnAssessment.findings.critical}\\n`; - summary += `- **High**: ${vulnAssessment.findings.high}\\n`; - summary += `- **Medium**: ${vulnAssessment.findings.medium}\\n`; - summary += `- **Low**: ${vulnAssessment.findings.low}\\n\\n`; - - summary += `### Compliance Status\\n`; - summary += `- **NTIA Minimum Elements**: 
${report.ntia_minimum_elements.compliant ? '✅' : '❌'}\\n`; - summary += `- **Executive Order 14028**: ${report.executive_order_14028.compliant ? '✅' : '❌'}\\n`; - summary += `- **License Compliance**: ${report.license_compliance.compliant ? '✅' : '❌'}\\n`; - summary += `- **Vulnerability Assessment**: ${vulnAssessment.passed ? '✅' : '❌'}\\n\\n`; - - if (report.recommendations && report.recommendations.length > 0) { - summary += `### Recommendations\\n`; - report.recommendations.forEach((rec, index) => { - summary += `${index + 1}. **[${rec.priority}]** ${rec.action}\\n`; - }); - } - - } catch (error) { - summary += '❌ Could not parse compliance report\\n'; - } - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: summary - });