From 6a9e3794857b6d93486474289edc3c681504c770 Mon Sep 17 00:00:00 2001 From: Jan Klattenhoff Date: Wed, 12 Mar 2025 20:39:10 +0100 Subject: [PATCH] feat(workflows): add performance benchmarking and security scans --- .gitea/workflows/benchmark.yml | 241 +++++++++++++++++++++++++ .gitea/workflows/ci.yml | 313 ++++++++++++++++++++++++++------- .gitea/workflows/release.yml | 236 ++++++++++++++++++++++++- .gitea/workflows/security.yml | 257 +++++++++++++++++++++++++++ 4 files changed, 979 insertions(+), 68 deletions(-) create mode 100644 .gitea/workflows/benchmark.yml create mode 100644 .gitea/workflows/security.yml diff --git a/.gitea/workflows/benchmark.yml b/.gitea/workflows/benchmark.yml new file mode 100644 index 0000000..bd89714 --- /dev/null +++ b/.gitea/workflows/benchmark.yml @@ -0,0 +1,241 @@ +name: Performance Benchmarking + +on: + schedule: + - cron: '0 0 * * 1' # Run weekly on Monday at midnight + workflow_dispatch: # Allow manual triggering + +jobs: + backend-benchmark: + name: "Backend Performance Benchmark" + container: + image: "cimg/openjdk:23.0-node" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + + - name: "Setup Gradle" + working-directory: ./backend + run: chmod +x ./gradlew + + - name: "Cache Gradle dependencies" + uses: https://github.com/actions/cache@v4 + with: + path: | + ~/.gradle/caches + ~/.gradle/wrapper + backend/.gradle + key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }} + restore-keys: | + gradle-${{ runner.os }}- + + - name: "Set up JMH" + working-directory: ./backend + run: | + cat <> build.gradle.kts + + plugins { + id("me.champeau.jmh") version "0.7.2" + } + + jmh { + iterations.set(5) + fork.set(1) + warmupIterations.set(3) + benchmarkMode.set(listOf("thrpt")) + resultFormat.set("JSON") + resultsFile.set(file("\$buildDir/reports/jmh/results.json")) + } + EOT + + - name: "Run JMH Benchmarks" + working-directory: ./backend + run: ./gradlew jmh + + - name: "Upload JMH Results" + uses: actions/upload-artifact@v4 + with: + name: jmh-benchmark-results + path: backend/build/reports/jmh/ + retention-days: 90 + + - name: "Analyze Performance" + working-directory: ./backend + run: | + echo "### Backend Performance Benchmark Results" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Full results have been uploaded as an artifact. Summary below:" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Parse JMH results and display top 5 slowest operations + echo "#### Top 5 Slowest Operations" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Benchmark | Mode | Score | Units |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- | --- | --- |" >> $GITHUB_STEP_SUMMARY + + if [ -f build/reports/jmh/results.json ]; then + jq -r '.[] | "\(.benchmark) | \(.mode) | \(.primaryMetric.score) | \(.primaryMetric.scoreUnit)"' build/reports/jmh/results.json | + sort -t '|' -k3 -n | + head -5 >> $GITHUB_STEP_SUMMARY + else + echo "No benchmark results found" >> $GITHUB_STEP_SUMMARY + fi + + frontend-benchmark: + name: "Frontend Performance Benchmark" + container: + image: catthehacker/ubuntu:act-latest + steps: + - name: "Checkout" + uses: actions/checkout@v4 + + - name: "Install Bun" + uses: oven-sh/setup-bun@v2 + with: + bun-version: latest + + - name: "Cache Dependencies" + uses: actions/cache@v4 + with: + path: frontend/node_modules + key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }} + restore-keys: | + ${{ runner.os }}-bun- + + - name: "Install dependencies" + working-directory: ./frontend + run: bun install --frozen-lockfile + + - name: "Set up Lighthouse CI" + working-directory: ./frontend + run: | + bun add -D @lhci/cli puppeteer + + # Create Lighthouse CI config + cat < lighthouserc.js + module.exports = { + ci: { + collect: { + startServerCommand: 'bun run build && bun run serve:dist', + url: ['http://localhost:8080/'], + numberOfRuns: 3, + }, + upload: { + target: 'filesystem', + outputDir: './.lighthouse', + }, + assert: { + preset: 'lighthouse:recommended', + assertions: { + 'categories:performance': ['error', {minScore: 0.8}], + 'categories:accessibility': ['error', {minScore: 0.9}], + 'categories:best-practices': ['error', {minScore: 0.9}], + 'categories:seo': ['error', {minScore: 0.9}], + } + }, + }, + }; + EOT + + # Add serve command for Lighthouse + jq '.scripts += {"serve:dist": "bunx serve -s dist"}' package.json > package.json.new + mv package.json.new package.json + + - name: "Run Lighthouse CI" + working-directory: ./frontend + run: bunx lhci autorun || true + + - name: "Upload Lighthouse Results" + uses: actions/upload-artifact@v4 + with: + name: lighthouse-results + path: frontend/.lighthouse/ + retention-days: 90 + + - name: "Analyze Frontend Performance" + working-directory: ./frontend + run: | + echo "### Frontend Performance Benchmark Results" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Full results have been uploaded as an artifact. Summary below:" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Extract scores from the JSON report + if [ -d .lighthouse ]; then + REPORT=$(find .lighthouse -name "*.json" | grep -v "manifest" | head -1) + + if [ -n "$REPORT" ]; then + PERF_SCORE=$(jq '.categories.performance.score * 100' $REPORT) + ACCESS_SCORE=$(jq '.categories.accessibility.score * 100' $REPORT) + BP_SCORE=$(jq '.categories["best-practices"].score * 100' $REPORT) + SEO_SCORE=$(jq '.categories.seo.score * 100' $REPORT) + + echo "#### Lighthouse Scores" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Category | Score |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + echo "| Performance | $PERF_SCORE% |" >> $GITHUB_STEP_SUMMARY + echo "| Accessibility | $ACCESS_SCORE% |" >> $GITHUB_STEP_SUMMARY + echo "| Best Practices | $BP_SCORE% |" >> $GITHUB_STEP_SUMMARY + echo "| SEO | $SEO_SCORE% |" >> $GITHUB_STEP_SUMMARY + + # Extract opportunities for improvement + echo "" >> $GITHUB_STEP_SUMMARY + echo "#### Top Improvement Opportunities" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + jq -r '.audits | to_entries[] | select(.value.score != null and .value.score < 1 and .value.details.type == "opportunity") | "\(.value.title) | \(.value.displayValue)"' $REPORT | + head -5 | + awk '{print "- " $0}' >> $GITHUB_STEP_SUMMARY + else + echo "No Lighthouse reports found" >> $GITHUB_STEP_SUMMARY + fi + else + echo "No Lighthouse results directory found" >> $GITHUB_STEP_SUMMARY + fi + + performance-report: + name: "Performance Report" + needs: [backend-benchmark, frontend-benchmark] + if: always() + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: "Generate Historical Comparison" + run: | + echo "# ๐Ÿ“Š Performance Benchmarking Report" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Get previous tag for comparison + LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "None") + PREV_TAG=$(git describe --tags --abbrev=0 "$LATEST_TAG"^1 2>/dev/null || echo "None") + + echo "### Benchmark Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Current benchmarks run against: $LATEST_TAG" >> $GITHUB_STEP_SUMMARY + echo "Previous benchmarks compared to: $PREV_TAG" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + echo "Performance reports have been uploaded as artifacts. Review them for detailed metrics." >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Check status of benchmark jobs + BACKEND_STATUS="${{ needs.backend-benchmark.result }}" + FRONTEND_STATUS="${{ needs.frontend-benchmark.result }}" + + echo "| Component | Status |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + + if [ "$BACKEND_STATUS" == "success" ]; then + echo "| Backend Benchmark | โœ… Complete |" >> $GITHUB_STEP_SUMMARY + else + echo "| Backend Benchmark | โš ๏ธ Issues occurred |" >> $GITHUB_STEP_SUMMARY + fi + + if [ "$FRONTEND_STATUS" == "success" ]; then + echo "| Frontend Benchmark | โœ… Complete |" >> $GITHUB_STEP_SUMMARY + else + echo "| Frontend Benchmark | โš ๏ธ Issues occurred |" >> $GITHUB_STEP_SUMMARY + fi \ No newline at end of file diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index a19b587..f663c9c 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -1,117 +1,304 @@ -name: CI +name: Optimized CI on: pull_request: + push: + branches: + - main + - 'feature/**' + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: - checkstyle: - name: "Checkstyle Main" + backend-lint: + name: "Backend Checkstyle & Tests" container: image: "cimg/openjdk:23.0-node" steps: - name: "Checkout" uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: "Cache Gradle dependencies" uses: https://github.com/actions/cache@v4 with: path: | ~/.gradle/caches ~/.gradle/wrapper - key: gradle-${{ runner.os }}-common + backend/.gradle + key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }} restore-keys: | gradle-${{ runner.os }}- - - name: "Prepare Gradle" + + - name: "Setup Gradle" working-directory: ./backend - run: gradle clean - - name: "Check" + run: chmod +x ./gradlew + + - name: "Run Checkstyle" working-directory: ./backend - run: gradle checkstyleMain + run: ./gradlew checkstyleMain checkstyleTest --parallel --build-cache + + - name: "Run Tests" + working-directory: ./backend + run: ./gradlew test --parallel --build-cache + + - name: "Upload Test Results" + if: always() + uses: actions/upload-artifact@v4 + with: + name: backend-test-results + path: backend/build/reports/tests/ + retention-days: 7 + - name: "Stop Gradle" + if: always() working-directory: ./backend - run: gradle --stop + run: ./gradlew --stop - eslint: - name: eslint + backend-build: + name: "Backend Build & Package" + needs: backend-lint + container: + image: "cimg/openjdk:23.0-node" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + + - name: "Cache Gradle dependencies" + uses: https://github.com/actions/cache@v4 + with: + path: | + ~/.gradle/caches + ~/.gradle/wrapper + backend/.gradle + key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }} + restore-keys: | + gradle-${{ runner.os }}- + + - name: "Setup Gradle" + working-directory: ./backend + run: chmod +x ./gradlew + + - name: "Build JAR" + working-directory: ./backend + run: ./gradlew bootJar --parallel --build-cache + + - name: "Upload Artifacts" + uses: actions/upload-artifact@v4 + with: + name: backend-jar + path: backend/build/libs/*.jar + retention-days: 5 + + - name: "Stop Gradle" + if: always() + working-directory: ./backend + run: ./gradlew --stop + + frontend-lint: + name: "Frontend Lint & Format" container: image: catthehacker/ubuntu:act-latest steps: - - name: Checkout Code + - name: "Checkout Code" uses: actions/checkout@v4 - - name: Install bun + + - name: "Install Bun" uses: oven-sh/setup-bun@v2 - - uses: actions/cache@v4 - working-directory: ./frontend with: - path: | - frontend/node_modules/ - key: ${{ runner.os }}-bun- + bun-version: latest + + - name: "Cache Dependencies" + uses: actions/cache@v4 + with: + path: frontend/node_modules + key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }} restore-keys: | ${{ runner.os }}-bun- - - name: Install dependencies - run: | - cd frontend - bun install - - name: Run Eslint - run: | - cd frontend - bun run lint + + - name: "Install dependencies" + working-directory: ./frontend + run: bun install --frozen-lockfile + + - name: "Run ESLint" + working-directory: ./frontend + run: bun run lint + + - name: "Run Prettier Check" + working-directory: ./frontend + run: bun run format:check - prettier: - name: prettier + frontend-test: + name: "Frontend Tests" + needs: frontend-lint container: image: catthehacker/ubuntu:act-latest steps: - - name: Checkout Code + - name: "Checkout Code" uses: actions/checkout@v4 - - name: Install bun + + - name: "Install Bun" uses: oven-sh/setup-bun@v2 - - uses: actions/cache@v4 - working-directory: ./frontend with: - path: | - frontend/node_modules/ - key: ${{ runner.os }}-bun- + bun-version: latest + + - name: "Cache Dependencies" + uses: actions/cache@v4 + with: + path: frontend/node_modules + key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }} restore-keys: | ${{ runner.os }}-bun- - - name: Install dependencies - run: | - cd frontend - bun install - - name: Run prettier - run: | - cd frontend - bun run format:check + + - name: "Install dependencies" + working-directory: ./frontend + run: bun install --frozen-lockfile + + - name: "Run Tests" + working-directory: ./frontend + run: bun run test --no-watch --browsers=ChromeHeadless + + - name: "Upload Test Results" + if: always() + uses: actions/upload-artifact@v4 + with: + name: frontend-test-results + path: frontend/coverage/ + retention-days: 7 - test-build: - name: test-build + frontend-build: + name: "Frontend Build" + needs: frontend-test container: image: catthehacker/ubuntu:act-latest steps: - - name: Checkout Code + - name: "Checkout Code" uses: actions/checkout@v4 - - name: Install bun + + - name: "Install Bun" uses: oven-sh/setup-bun@v2 - - uses: actions/cache@v4 - working-directory: ./frontend with: - path: | - frontend/node_modules/ - key: ${{ runner.os }}-bun- + bun-version: latest + + - name: "Cache Dependencies" + uses: actions/cache@v4 + with: + path: frontend/node_modules + key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }} restore-keys: | ${{ runner.os }}-bun- - - uses: actions/cache@v4 - working-directory: ./frontend + + - name: "Cache Build" + uses: actions/cache@v4 with: - path: | - frontend/dist/ - key: ${{ runner.os }}-dist- + path: frontend/dist + key: ${{ runner.os }}-dist-${{ github.sha }} restore-keys: | ${{ runner.os }}-dist- - - name: Install dependencies + + - name: "Install dependencies" + working-directory: ./frontend + run: bun install --frozen-lockfile + + - name: "Production Build" + working-directory: ./frontend + run: bun run build --configuration production + + - name: "Upload Build Artifacts" + uses: actions/upload-artifact@v4 + with: + name: frontend-build + path: frontend/dist/ + retention-days: 5 + + pr-analysis: + name: "PR Quality Analysis" + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + needs: [backend-build, frontend-build] + steps: + - name: "Checkout Code" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: "Setup Node.js" + uses: actions/setup-node@v4 + with: + node-version: 20 + + - name: "Code Size Analysis" run: | - cd frontend - bun install - - name: Test build + echo "### PR Size Analysis :mag:" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Metric | Value |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + echo "| Files changed | $(git diff --name-only origin/${{ github.base_ref }} | wc -l) |" >> $GITHUB_STEP_SUMMARY + echo "| Lines added | $(git diff --stat origin/${{ github.base_ref }} | tail -n 1 | awk '{print $4}') |" >> $GITHUB_STEP_SUMMARY + echo "| Lines removed | $(git diff --stat origin/${{ github.base_ref }} | tail -n 1 | awk '{print $6}') |" >> $GITHUB_STEP_SUMMARY + + - name: "PR Summary" run: | - cd frontend - bun run build + echo "### PR Summary :clipboard:" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "#### Modified Files by Type" >> $GITHUB_STEP_SUMMARY + echo "| File Type | Count |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + echo "| Java (.java) | $(git diff --name-only origin/${{ github.base_ref }} | grep "\.java$" | wc -l) |" >> $GITHUB_STEP_SUMMARY + echo "| TypeScript (.ts) | $(git diff --name-only origin/${{ github.base_ref }} | grep "\.ts$" | wc -l) |" >> $GITHUB_STEP_SUMMARY + echo "| HTML (.html) | $(git diff --name-only origin/${{ github.base_ref }} | grep "\.html$" | wc -l) |" >> $GITHUB_STEP_SUMMARY + echo "| CSS/SCSS (.css/.scss) | $(git diff --name-only origin/${{ github.base_ref }} | grep -E "\.(css|scss)$" | wc -l) |" >> $GITHUB_STEP_SUMMARY + echo "| Configuration files | $(git diff --name-only origin/${{ github.base_ref }} | grep -E "\.(json|yml|yaml|properties|xml|gradle|kts)$" | wc -l) |" >> $GITHUB_STEP_SUMMARY + + - name: "Add Test Analysis" + run: | + echo "### Test Coverage Impact :test_tube:" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Component | Status |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + + JAVA_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "\.java$" | wc -l) + JAVA_TEST_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "Test\.java$" | wc -l) + + TS_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "\.ts$" | grep -v "\.spec\.ts$" | wc -l) + TS_TEST_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "\.spec\.ts$" | wc -l) + + if [ $JAVA_FILES -gt 0 ] && [ $JAVA_TEST_FILES -eq 0 ]; then + echo "| Backend | โš ๏ธ Java code changes without test updates |" >> $GITHUB_STEP_SUMMARY + elif [ $JAVA_FILES -gt 0 ] && [ $JAVA_TEST_FILES -gt 0 ]; then + echo "| Backend | โœ… Java code changes with test updates |" >> $GITHUB_STEP_SUMMARY + elif [ $JAVA_FILES -eq 0 ]; then + echo "| Backend | โž– No Java code changes |" >> $GITHUB_STEP_SUMMARY + fi + + if [ $TS_FILES -gt 0 ] && [ $TS_TEST_FILES -eq 0 ]; then + echo "| Frontend | โš ๏ธ TypeScript code changes without test updates |" >> $GITHUB_STEP_SUMMARY + elif [ $TS_FILES -gt 0 ] && [ $TS_TEST_FILES -gt 0 ]; then + echo "| Frontend | โœ… TypeScript code changes with test updates |" >> $GITHUB_STEP_SUMMARY + elif [ $TS_FILES -eq 0 ]; then + echo "| Frontend | โž– No TypeScript code changes |" >> $GITHUB_STEP_SUMMARY + fi + + merge-readiness: + name: "Merge Readiness Check" + needs: [backend-lint, backend-build, frontend-lint, frontend-test, frontend-build] + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - name: "Merge Status" + run: | + echo "### PR Readiness Status :rocket:" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + echo "| Backend Checkstyle | โœ… Passed |" >> $GITHUB_STEP_SUMMARY + echo "| Backend Tests | โœ… Passed |" >> $GITHUB_STEP_SUMMARY + echo "| Backend Build | โœ… Passed |" >> $GITHUB_STEP_SUMMARY + echo "| Frontend Lint | โœ… Passed |" >> $GITHUB_STEP_SUMMARY + echo "| Frontend Tests | โœ… Passed |" >> $GITHUB_STEP_SUMMARY + echo "| Frontend Build | โœ… Passed |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "โœ… **This PR is ready to merge!**" >> $GITHUB_STEP_SUMMARY \ No newline at end of file diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 596c53d..d21e124 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -1,4 +1,5 @@ -name: Release +name: Release Workflow + on: push: branches: @@ -11,16 +12,241 @@ permissions: contents: read jobs: + verify: + name: "Verify Main Branch" + uses: ./.gitea/workflows/ci.yml + + prepare-release: + name: "Prepare Release" + needs: verify + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: "Setup Node.js" + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: 'npm' + + - name: "Cache npm dependencies" + uses: actions/cache@v4 + with: + path: ~/.npm + key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-npm- + + - name: "Install dependencies" + run: npm ci + + - name: "Generate Release Notes" + id: release-notes + run: | + LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0") + + echo "### Changes since $LATEST_TAG" > release-notes.md + echo "" >> release-notes.md + + # Add category headers + echo "#### ๐Ÿš€ Features" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^feat" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### ๐Ÿ› Bug Fixes" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^fix" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### โ™ป๏ธ Code Refactoring" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^refactor" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### ๐Ÿงช Tests" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^test" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### ๐Ÿ“š Documentation" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^docs" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### ๐Ÿงน Chores" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^chore" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### โš™๏ธ CI" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^ci" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + echo "#### ๐Ÿ”ง Build System" >> release-notes.md + git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^build" >> release-notes.md + echo "" >> release-notes.md + echo "" >> release-notes.md + + cat release-notes.md + + # Save for next steps + echo "release_notes=$(cat release-notes.md | base64 -w 0)" >> $GITHUB_OUTPUT + + - name: "Upload Release Notes" + uses: actions/upload-artifact@v4 + with: + name: release-notes + path: release-notes.md + retention-days: 7 + release: - name: Release + name: "Semantic Release" + needs: prepare-release permissions: contents: write issues: write pull-requests: write id-token: write + outputs: + new_release_version: ${{ steps.semantic-release.outputs.new_release_version }} + new_release_published: ${{ steps.semantic-release.outputs.new_release_published }} steps: - - name: Create Release - uses: https://git.kjan.de/actions/semantic-release@main + - name: "Checkout" + uses: actions/checkout@v4 with: + fetch-depth: 0 + + - name: "Setup Node.js" + uses: actions/setup-node@v4 + with: + node-version: 20 + cache: 'npm' + + - name: "Install dependencies" + run: npm ci + + - name: "Download Release Notes" + uses: actions/download-artifact@v4 + with: + name: release-notes + path: ./ + + - name: "Create Release" + id: semantic-release + uses: https://git.kjan.de/actions/semantic-release@main + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} \ No newline at end of file + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + + build-artifacts: + name: "Build Release Artifacts" + needs: release + if: ${{ needs.release.outputs.new_release_published == 'true' }} + steps: + - name: "Checkout Code" + uses: actions/checkout@v4 + with: + ref: main + + # Backend Build + - name: "Setup Java" + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '23' + cache: 'gradle' + + - name: "Build Backend" + working-directory: ./backend + run: ./gradlew bootJar --parallel --build-cache + + - name: "Upload Backend Artifact" + uses: actions/upload-artifact@v4 + with: + name: backend-${{ needs.release.outputs.new_release_version }} + path: backend/build/libs/*.jar + retention-days: 30 + + # Frontend Build + - name: "Install Bun" + uses: oven-sh/setup-bun@v2 + with: + bun-version: latest + + - name: "Cache Frontend Dependencies" + uses: actions/cache@v4 + with: + path: frontend/node_modules + key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }} + restore-keys: | + ${{ runner.os }}-bun- + + - name: "Install Frontend Dependencies" + working-directory: ./frontend + run: bun install --frozen-lockfile + + - name: "Build Frontend" + working-directory: ./frontend + run: bun run build --configuration production + + - name: "Archive Frontend Build" + run: tar -czf frontend-${{ needs.release.outputs.new_release_version }}.tar.gz -C frontend/dist . + + - name: "Upload Frontend Artifact" + uses: actions/upload-artifact@v4 + with: + name: frontend-${{ needs.release.outputs.new_release_version }} + path: frontend-${{ needs.release.outputs.new_release_version }}.tar.gz + retention-days: 30 + + - name: "Attach Artifacts to Release" + env: + GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} + VERSION: ${{ needs.release.outputs.new_release_version }} + run: | + RELEASE_ID=$(curl -s -H "Authorization: token $GITEA_TOKEN" \ + "https://git.kjan.de/api/v1/repos/${{ github.repository }}/releases/tags/v$VERSION" | jq '.id') + + # Upload backend JAR + JAR_FILE=$(find backend/build/libs -name "*.jar" -type f | head -n 1) + JAR_NAME=$(basename $JAR_FILE) + + curl -X POST \ + -H "Authorization: token $GITEA_TOKEN" \ + -H "Content-Type: application/octet-stream" \ + --data-binary @"$JAR_FILE" \ + "https://git.kjan.de/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$JAR_NAME" + + # Upload frontend archive + curl -X POST \ + -H "Authorization: token $GITEA_TOKEN" \ + -H "Content-Type: application/octet-stream" \ + --data-binary @"frontend-$VERSION.tar.gz" \ + "https://git.kjan.de/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=frontend-$VERSION.tar.gz" + + notify: + name: "Notification" + needs: [release, build-artifacts] + if: ${{ always() && needs.release.outputs.new_release_published == 'true' }} + steps: + - name: "Post Release Summary" + run: | + VERSION="${{ needs.release.outputs.new_release_version }}" + + echo "### Release v$VERSION Successfully Published! ๐ŸŽ‰" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "โœ… Semantic versioning completed" >> $GITHUB_STEP_SUMMARY + echo "โœ… Release notes generated" >> $GITHUB_STEP_SUMMARY + echo "โœ… Tags and GitHub Release created" >> $GITHUB_STEP_SUMMARY + echo "โœ… Build artifacts attached to release" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "๐Ÿ‘‰ [View Release](https://git.kjan.de/${{ github.repository }}/releases/tag/v$VERSION)" >> $GITHUB_STEP_SUMMARY + + if [[ ${{ always() && needs.build-artifacts.result != 'success' }} == 'true' ]]; then + echo "" >> $GITHUB_STEP_SUMMARY + echo "โš ๏ธ **Warning:** There was an issue with artifact building. Please check the logs." >> $GITHUB_STEP_SUMMARY + fi \ No newline at end of file diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml new file mode 100644 index 0000000..7af048f --- /dev/null +++ b/.gitea/workflows/security.yml @@ -0,0 +1,257 @@ +name: Security Scanning + +on: + schedule: + - cron: '0 0 * * 0' # Run weekly on Sunday at midnight + workflow_dispatch: # Allow manual triggering + +jobs: + dependency-check: + name: "Dependency Vulnerability Scan" + container: + image: "cimg/openjdk:23.0-node" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + + - name: "Setup Node.js" + uses: actions/setup-node@v4 + with: + node-version: 20 + + - name: "Install Bun" + uses: oven-sh/setup-bun@v2 + with: + bun-version: latest + + - name: "Run npm audit (Backend Dependencies)" + working-directory: ./backend + continue-on-error: true + run: | + npm init -y + npm audit --json > npm-audit-report.json + echo "### Backend npm Audit Results" >> $GITHUB_STEP_SUMMARY + echo "$(npm audit --omit dev | tail -n 5)" >> $GITHUB_STEP_SUMMARY + + - name: "Run npm audit (Frontend Dependencies)" + working-directory: ./frontend + continue-on-error: true + run: | + bun pm audit --json > bun-audit-report.json + echo "### Frontend bun Audit Results" >> $GITHUB_STEP_SUMMARY + echo "$(bun pm audit | tail -n 5)" >> $GITHUB_STEP_SUMMARY + + - name: "Run OWASP Dependency Check" + uses: dependency-check/Dependency-Check_Action@main + with: + project: "Casino" + path: "." + format: "HTML" + out: "reports" + args: > + --failOnCVSS 7 + --enableRetired + + - name: "Upload Dependency Check Report" + uses: actions/upload-artifact@v4 + with: + name: dependency-check-report + path: reports/ + retention-days: 30 + + - name: "Summarize Findings" + run: | + echo "### OWASP Dependency Check Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Full report has been uploaded as an artifact." >> $GITHUB_STEP_SUMMARY + + HIGH_VULNS=$(grep -c "High" reports/dependency-check-report.html || echo "0") + CRITICAL_VULNS=$(grep -c "Critical" reports/dependency-check-report.html || echo "0") + + echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY + echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY + + code-scanning: + name: "Static Code Analysis" + container: + image: "cimg/openjdk:23.0-node" + steps: + - name: "Checkout" + uses: actions/checkout@v4 + + - name: "Setup Java" + uses: actions/setup-java@v4 + with: + distribution: 'temurin' + java-version: '23' + + - name: "Cache Gradle dependencies" + uses: https://github.com/actions/cache@v4 + with: + path: | + ~/.gradle/caches + ~/.gradle/wrapper + backend/.gradle + key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }} + restore-keys: | + gradle-${{ runner.os }}- + + - name: "Setup Gradle" + working-directory: ./backend + run: chmod +x ./gradlew + + - name: "Install SpotBugs" + working-directory: ./backend + run: | + cat <> build.gradle.kts + + plugins { + id("com.github.spotbugs") version "6.0.11" + } + + spotbugs { + ignoreFailures.set(true) + showProgress.set(true) + reportsDir.set(file("\$buildDir/reports/spotbugs")) + effort.set(com.github.spotbugs.snom.Effort.MAX) + } + + tasks.spotbugsMain { + reports { + create("html") { + required.set(true) + outputLocation.set(file("\$buildDir/reports/spotbugs/main.html")) + } + } + } + EOT + + - name: "Run SpotBugs" + working-directory: ./backend + run: ./gradlew spotbugsMain + + - name: "Upload SpotBugs Report" + uses: actions/upload-artifact@v4 + with: + name: spotbugs-report + path: backend/build/reports/spotbugs/ + retention-days: 30 + + - name: "Install ESLint" + working-directory: ./frontend + run: npm install --no-save eslint eslint-plugin-security + + - name: "Run ESLint Security Plugin" + working-directory: ./frontend + run: | + cat < .eslintrc.security.js + module.exports = { + "plugins": ["security"], + "extends": ["plugin:security/recommended"] + } + EOT + + npx eslint -c .eslintrc.security.js 'src/**/*.ts' -f json > eslint-security-report.json || true + + - name: "Upload ESLint Security Report" + uses: actions/upload-artifact@v4 + with: + name: eslint-security-report + path: frontend/eslint-security-report.json + retention-days: 30 + + - name: "Summarize Security Findings" + run: | + echo "### Static Code Analysis Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Security reports have been uploaded as artifacts." >> $GITHUB_STEP_SUMMARY + + SPOTBUGS_ISSUES=$(grep -c "BugInstance" backend/build/reports/spotbugs/main.xml || echo "0") + echo "- SpotBugs identified $SPOTBUGS_ISSUES potential issues" >> $GITHUB_STEP_SUMMARY + + ESLINT_ISSUES=$(grep -c "severity" frontend/eslint-security-report.json || echo "0") + echo "- ESLint Security Plugin identified $ESLINT_ISSUES potential issues" >> $GITHUB_STEP_SUMMARY + + secret-scanning: + name: "Secret Scanning" + runs-on: ubuntu-latest + steps: + - name: "Checkout" + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: "Install Gitleaks" + run: | + curl -L https://github.com/zricethezav/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz | tar xz + chmod +x gitleaks + sudo mv gitleaks /usr/local/bin/ + + - name: "Run Gitleaks" + run: | + gitleaks detect --source . --report-path gitleaks-report.json --redact --no-git || true + + - name: "Upload Gitleaks Report" + uses: actions/upload-artifact@v4 + with: + name: gitleaks-report + path: gitleaks-report.json + retention-days: 30 + + - name: "Summarize Secret Findings" + run: | + echo "### Secret Scanning Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Check if any secrets were found + if [ -s gitleaks-report.json ]; then + SECRETS_COUNT=$(jq length gitleaks-report.json) + echo "โš ๏ธ **$SECRETS_COUNT potential secrets found in the codebase**" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "Please review the detailed report in the artifacts." >> $GITHUB_STEP_SUMMARY + else + echo "โœ… No leaked secrets detected in the codebase" >> $GITHUB_STEP_SUMMARY + fi + + security-report: + name: "Security Report" + needs: [dependency-check, code-scanning, secret-scanning] + if: always() + steps: + - name: "Summarize Security Scan" + run: | + echo "# ๐Ÿ”’ Security Scan Complete" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "## Summary" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + + # Check each job status and create summary + DEP_CHECK="${{ needs.dependency-check.result }}" + CODE_SCAN="${{ needs.code-scanning.result }}" + SECRET_SCAN="${{ needs.secret-scanning.result }}" + + echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY + echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY + + if [ "$DEP_CHECK" == "success" ]; then + echo "| Dependency Check | โœ… Complete |" >> $GITHUB_STEP_SUMMARY + else + echo "| Dependency Check | โš ๏ธ Potential issues found |" >> $GITHUB_STEP_SUMMARY + fi + + if [ "$CODE_SCAN" == "success" ]; then + echo "| Static Code Analysis | โœ… Complete |" >> $GITHUB_STEP_SUMMARY + else + echo "| Static Code Analysis | โš ๏ธ Potential issues found |" >> $GITHUB_STEP_SUMMARY + fi + + if [ "$SECRET_SCAN" == "success" ]; then + echo "| Secret Scanning | โœ… Complete |" >> $GITHUB_STEP_SUMMARY + else + echo "| Secret Scanning | โš ๏ธ Potential issues found |" >> $GITHUB_STEP_SUMMARY + fi + + echo "" >> $GITHUB_STEP_SUMMARY + echo "All reports have been uploaded as artifacts. Please review them for detailed information." >> $GITHUB_STEP_SUMMARY \ No newline at end of file