SZUT/casino
5
1
Fork 0
Code Issues Pull requests 1 Releases 64 Wiki Activity Actions

feat(workflows): add performance benchmarking and security scans
Some checks failed
Optimized CI / Frontend Lint & Format (pull_request) Successful in 36s
Details
Optimized CI / Frontend Tests (pull_request) Failing after 26s
Details
Optimized CI / Frontend Build (pull_request) Has been skipped
Details
Optimized CI / Backend Checkstyle & Tests (pull_request) Failing after 1m10s
Details
Optimized CI / Backend Build & Package (pull_request) Has been skipped
Details
Optimized CI / PR Quality Analysis (pull_request) Has been skipped
Details
Optimized CI / Merge Readiness Check (pull_request) Has been skipped
Details

Browse source
This commit is contained in:
Jan K9f 2025-03-12 20:39:10 +01:00
parent dc5275d043
commit 6a9e379485
Signed by: jank
GPG key ID: 22BEAC760B3333D6
4 changed files with 979 additions and 68 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

241
.gitea/workflows/benchmark.yml Normal file
View file

@ -0,0 +1,241 @@
name: Performance Benchmarking
on:
schedule:
- cron: '0 0 * * 1' # Run weekly on Monday at midnight
workflow_dispatch: # Allow manual triggering
jobs:
backend-benchmark:
name: "Backend Performance Benchmark"
container:
image: "cimg/openjdk:23.0-node"
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Setup Gradle"
working-directory: ./backend
run: chmod +x ./gradlew
- name: "Cache Gradle dependencies"
uses: https://github.com/actions/cache@v4
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
backend/.gradle
key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }}
restore-keys: |
gradle-${{ runner.os }}-
- name: "Set up JMH"
working-directory: ./backend
run: |
cat <<EOT >> build.gradle.kts
plugins {
id("me.champeau.jmh") version "0.7.2"
}
jmh {
iterations.set(5)
fork.set(1)
warmupIterations.set(3)
benchmarkMode.set(listOf("thrpt"))
resultFormat.set("JSON")
resultsFile.set(file("\$buildDir/reports/jmh/results.json"))
}
EOT
- name: "Run JMH Benchmarks"
working-directory: ./backend
run: ./gradlew jmh
- name: "Upload JMH Results"
uses: actions/upload-artifact@v4
with:
name: jmh-benchmark-results
path: backend/build/reports/jmh/
retention-days: 90
- name: "Analyze Performance"
working-directory: ./backend
run: |
echo "### Backend Performance Benchmark Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Full results have been uploaded as an artifact. Summary below:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Parse JMH results and display top 5 slowest operations
echo "#### Top 5 Slowest Operations" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Benchmark | Mode | Score | Units |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- | --- | --- |" >> $GITHUB_STEP_SUMMARY
if [ -f build/reports/jmh/results.json ]; then
jq -r '.[] | "\(.benchmark) | \(.mode) | \(.primaryMetric.score) | \(.primaryMetric.scoreUnit)"' build/reports/jmh/results.json |
sort -t '|' -k3 -n |
head -5 >> $GITHUB_STEP_SUMMARY
else
echo "No benchmark results found" >> $GITHUB_STEP_SUMMARY
fi
frontend-benchmark:
name: "Frontend Performance Benchmark"
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Install Bun"
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: "Cache Dependencies"
uses: actions/cache@v4
with:
path: frontend/node_modules
key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-
- name: "Install dependencies"
working-directory: ./frontend
run: bun install --frozen-lockfile
- name: "Set up Lighthouse CI"
working-directory: ./frontend
run: |
bun add -D @lhci/cli puppeteer
# Create Lighthouse CI config
cat <<EOT > lighthouserc.js
module.exports = {
ci: {
collect: {
startServerCommand: 'bun run build && bun run serve:dist',
url: ['http://localhost:8080/'],
numberOfRuns: 3,
},
upload: {
target: 'filesystem',
outputDir: './.lighthouse',
},
assert: {
preset: 'lighthouse:recommended',
assertions: {
'categories:performance': ['error', {minScore: 0.8}],
'categories:accessibility': ['error', {minScore: 0.9}],
'categories:best-practices': ['error', {minScore: 0.9}],
'categories:seo': ['error', {minScore: 0.9}],
}
},
},
};
EOT
# Add serve command for Lighthouse
jq '.scripts += {"serve:dist": "bunx serve -s dist"}' package.json > package.json.new
mv package.json.new package.json
- name: "Run Lighthouse CI"
working-directory: ./frontend
run: bunx lhci autorun || true
- name: "Upload Lighthouse Results"
uses: actions/upload-artifact@v4
with:
name: lighthouse-results
path: frontend/.lighthouse/
retention-days: 90
- name: "Analyze Frontend Performance"
working-directory: ./frontend
run: |
echo "### Frontend Performance Benchmark Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Full results have been uploaded as an artifact. Summary below:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Extract scores from the JSON report
if [ -d .lighthouse ]; then
REPORT=$(find .lighthouse -name "*.json" | grep -v "manifest" | head -1)
if [ -n "$REPORT" ]; then
PERF_SCORE=$(jq '.categories.performance.score * 100' $REPORT)
ACCESS_SCORE=$(jq '.categories.accessibility.score * 100' $REPORT)
BP_SCORE=$(jq '.categories["best-practices"].score * 100' $REPORT)
SEO_SCORE=$(jq '.categories.seo.score * 100' $REPORT)
echo "#### Lighthouse Scores" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Category | Score |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
echo "| Performance | $PERF_SCORE% |" >> $GITHUB_STEP_SUMMARY
echo "| Accessibility | $ACCESS_SCORE% |" >> $GITHUB_STEP_SUMMARY
echo "| Best Practices | $BP_SCORE% |" >> $GITHUB_STEP_SUMMARY
echo "| SEO | $SEO_SCORE% |" >> $GITHUB_STEP_SUMMARY
# Extract opportunities for improvement
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Top Improvement Opportunities" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
jq -r '.audits | to_entries[] | select(.value.score != null and .value.score < 1 and .value.details.type == "opportunity") | "\(.value.title) | \(.value.displayValue)"' $REPORT |
head -5 |
awk '{print "- " $0}' >> $GITHUB_STEP_SUMMARY
else
echo "No Lighthouse reports found" >> $GITHUB_STEP_SUMMARY
fi
else
echo "No Lighthouse results directory found" >> $GITHUB_STEP_SUMMARY
fi
performance-report:
name: "Performance Report"
needs: [backend-benchmark, frontend-benchmark]
if: always()
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Generate Historical Comparison"
run: |
echo "# 📊 Performance Benchmarking Report" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Get previous tag for comparison
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "None")
PREV_TAG=$(git describe --tags --abbrev=0 "$LATEST_TAG"^1 2>/dev/null || echo "None")
echo "### Benchmark Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Current benchmarks run against: $LATEST_TAG" >> $GITHUB_STEP_SUMMARY
echo "Previous benchmarks compared to: $PREV_TAG" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Performance reports have been uploaded as artifacts. Review them for detailed metrics." >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Check status of benchmark jobs
BACKEND_STATUS="${{ needs.backend-benchmark.result }}"
FRONTEND_STATUS="${{ needs.frontend-benchmark.result }}"
echo "| Component | Status |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
if [ "$BACKEND_STATUS" == "success" ]; then
echo "| Backend Benchmark | ✅ Complete |" >> $GITHUB_STEP_SUMMARY
else
echo "| Backend Benchmark | ⚠️ Issues occurred |" >> $GITHUB_STEP_SUMMARY
fi
if [ "$FRONTEND_STATUS" == "success" ]; then
echo "| Frontend Benchmark | ✅ Complete |" >> $GITHUB_STEP_SUMMARY
else
echo "| Frontend Benchmark | ⚠️ Issues occurred |" >> $GITHUB_STEP_SUMMARY
fi

313
.gitea/workflows/ci.yml
View file

@ -1,117 +1,304 @@
name: CI
name: Optimized CI
on:
pull_request:
push:
branches:
- main
- 'feature/**'
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
checkstyle:
name: "Checkstyle Main"
backend-lint:
name: "Backend Checkstyle & Tests"
container:
image: "cimg/openjdk:23.0-node"
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Cache Gradle dependencies"
uses: https://github.com/actions/cache@v4
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key: gradle-${{ runner.os }}-common
backend/.gradle
key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }}
restore-keys: |
gradle-${{ runner.os }}-
- name: "Prepare Gradle"
- name: "Setup Gradle"
working-directory: ./backend
run: gradle clean
- name: "Check"
run: chmod +x ./gradlew
- name: "Run Checkstyle"
working-directory: ./backend
run: gradle checkstyleMain
run: ./gradlew checkstyleMain checkstyleTest --parallel --build-cache
- name: "Run Tests"
working-directory: ./backend
run: ./gradlew test --parallel --build-cache
- name: "Upload Test Results"
if: always()
uses: actions/upload-artifact@v4
with:
name: backend-test-results
path: backend/build/reports/tests/
retention-days: 7
- name: "Stop Gradle"
if: always()
working-directory: ./backend
run: gradle --stop
run: ./gradlew --stop
eslint:
name: eslint
backend-build:
name: "Backend Build & Package"
needs: backend-lint
container:
image: "cimg/openjdk:23.0-node"
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Cache Gradle dependencies"
uses: https://github.com/actions/cache@v4
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
backend/.gradle
key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }}
restore-keys: |
gradle-${{ runner.os }}-
- name: "Setup Gradle"
working-directory: ./backend
run: chmod +x ./gradlew
- name: "Build JAR"
working-directory: ./backend
run: ./gradlew bootJar --parallel --build-cache
- name: "Upload Artifacts"
uses: actions/upload-artifact@v4
with:
name: backend-jar
path: backend/build/libs/*.jar
retention-days: 5
- name: "Stop Gradle"
if: always()
working-directory: ./backend
run: ./gradlew --stop
frontend-lint:
name: "Frontend Lint & Format"
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Checkout Code
- name: "Checkout Code"
uses: actions/checkout@v4
- name: Install bun
- name: "Install Bun"
uses: oven-sh/setup-bun@v2
- uses: actions/cache@v4
working-directory: ./frontend
with:
path: |
frontend/node_modules/
key: ${{ runner.os }}-bun-
bun-version: latest
- name: "Cache Dependencies"
uses: actions/cache@v4
with:
path: frontend/node_modules
key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-
- name: Install dependencies
run: |
cd frontend
bun install
- name: Run Eslint
run: |
cd frontend
bun run lint
- name: "Install dependencies"
working-directory: ./frontend
run: bun install --frozen-lockfile
- name: "Run ESLint"
working-directory: ./frontend
run: bun run lint
- name: "Run Prettier Check"
working-directory: ./frontend
run: bun run format:check
prettier:
name: prettier
frontend-test:
name: "Frontend Tests"
needs: frontend-lint
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Checkout Code
- name: "Checkout Code"
uses: actions/checkout@v4
- name: Install bun
- name: "Install Bun"
uses: oven-sh/setup-bun@v2
- uses: actions/cache@v4
working-directory: ./frontend
with:
path: |
frontend/node_modules/
key: ${{ runner.os }}-bun-
bun-version: latest
- name: "Cache Dependencies"
uses: actions/cache@v4
with:
path: frontend/node_modules
key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-
- name: Install dependencies
run: |
cd frontend
bun install
- name: Run prettier
run: |
cd frontend
bun run format:check
- name: "Install dependencies"
working-directory: ./frontend
run: bun install --frozen-lockfile
- name: "Run Tests"
working-directory: ./frontend
run: bun run test --no-watch --browsers=ChromeHeadless
- name: "Upload Test Results"
if: always()
uses: actions/upload-artifact@v4
with:
name: frontend-test-results
path: frontend/coverage/
retention-days: 7
test-build:
name: test-build
frontend-build:
name: "Frontend Build"
needs: frontend-test
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Checkout Code
- name: "Checkout Code"
uses: actions/checkout@v4
- name: Install bun
- name: "Install Bun"
uses: oven-sh/setup-bun@v2
- uses: actions/cache@v4
working-directory: ./frontend
with:
path: |
frontend/node_modules/
key: ${{ runner.os }}-bun-
bun-version: latest
- name: "Cache Dependencies"
uses: actions/cache@v4
with:
path: frontend/node_modules
key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-
- uses: actions/cache@v4
working-directory: ./frontend
- name: "Cache Build"
uses: actions/cache@v4
with:
path: |
frontend/dist/
key: ${{ runner.os }}-dist-
path: frontend/dist
key: ${{ runner.os }}-dist-${{ github.sha }}
restore-keys: |
${{ runner.os }}-dist-
- name: Install dependencies
- name: "Install dependencies"
working-directory: ./frontend
run: bun install --frozen-lockfile
- name: "Production Build"
working-directory: ./frontend
run: bun run build --configuration production
- name: "Upload Build Artifacts"
uses: actions/upload-artifact@v4
with:
name: frontend-build
path: frontend/dist/
retention-days: 5
pr-analysis:
name: "PR Quality Analysis"
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
needs: [backend-build, frontend-build]
steps:
- name: "Checkout Code"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: 20
- name: "Code Size Analysis"
run: |
cd frontend
bun install
- name: Test build
echo "### PR Size Analysis :mag:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Metric | Value |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
echo "| Files changed | $(git diff --name-only origin/${{ github.base_ref }} | wc -l) |" >> $GITHUB_STEP_SUMMARY
echo "| Lines added | $(git diff --stat origin/${{ github.base_ref }} | tail -n 1 | awk '{print $4}') |" >> $GITHUB_STEP_SUMMARY
echo "| Lines removed | $(git diff --stat origin/${{ github.base_ref }} | tail -n 1 | awk '{print $6}') |" >> $GITHUB_STEP_SUMMARY
- name: "PR Summary"
run: |
cd frontend
bun run build
echo "### PR Summary :clipboard:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "#### Modified Files by Type" >> $GITHUB_STEP_SUMMARY
echo "| File Type | Count |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
echo "| Java (.java) | $(git diff --name-only origin/${{ github.base_ref }} | grep "\.java$" | wc -l) |" >> $GITHUB_STEP_SUMMARY
echo "| TypeScript (.ts) | $(git diff --name-only origin/${{ github.base_ref }} | grep "\.ts$" | wc -l) |" >> $GITHUB_STEP_SUMMARY
echo "| HTML (.html) | $(git diff --name-only origin/${{ github.base_ref }} | grep "\.html$" | wc -l) |" >> $GITHUB_STEP_SUMMARY
echo "| CSS/SCSS (.css/.scss) | $(git diff --name-only origin/${{ github.base_ref }} | grep -E "\.(css|scss)$" | wc -l) |" >> $GITHUB_STEP_SUMMARY
echo "| Configuration files | $(git diff --name-only origin/${{ github.base_ref }} | grep -E "\.(json|yml|yaml|properties|xml|gradle|kts)$" | wc -l) |" >> $GITHUB_STEP_SUMMARY
- name: "Add Test Analysis"
run: |
echo "### Test Coverage Impact :test_tube:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Component | Status |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
JAVA_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "\.java$" | wc -l)
JAVA_TEST_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "Test\.java$" | wc -l)
TS_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "\.ts$" | grep -v "\.spec\.ts$" | wc -l)
TS_TEST_FILES=$(git diff --name-only origin/${{ github.base_ref }} | grep "\.spec\.ts$" | wc -l)
if [ $JAVA_FILES -gt 0 ] && [ $JAVA_TEST_FILES -eq 0 ]; then
echo "| Backend | ⚠️ Java code changes without test updates |" >> $GITHUB_STEP_SUMMARY
elif [ $JAVA_FILES -gt 0 ] && [ $JAVA_TEST_FILES -gt 0 ]; then
echo "| Backend | ✅ Java code changes with test updates |" >> $GITHUB_STEP_SUMMARY
elif [ $JAVA_FILES -eq 0 ]; then
echo "| Backend | No Java code changes |" >> $GITHUB_STEP_SUMMARY
fi
if [ $TS_FILES -gt 0 ] && [ $TS_TEST_FILES -eq 0 ]; then
echo "| Frontend | ⚠️ TypeScript code changes without test updates |" >> $GITHUB_STEP_SUMMARY
elif [ $TS_FILES -gt 0 ] && [ $TS_TEST_FILES -gt 0 ]; then
echo "| Frontend | ✅ TypeScript code changes with test updates |" >> $GITHUB_STEP_SUMMARY
elif [ $TS_FILES -eq 0 ]; then
echo "| Frontend | No TypeScript code changes |" >> $GITHUB_STEP_SUMMARY
fi
merge-readiness:
name: "Merge Readiness Check"
needs: [backend-lint, backend-build, frontend-lint, frontend-test, frontend-build]
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: "Merge Status"
run: |
echo "### PR Readiness Status :rocket:" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
echo "| Backend Checkstyle | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
echo "| Backend Tests | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
echo "| Backend Build | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
echo "| Frontend Lint | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
echo "| Frontend Tests | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
echo "| Frontend Build | ✅ Passed |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "✅ **This PR is ready to merge!**" >> $GITHUB_STEP_SUMMARY

236
.gitea/workflows/release.yml
View file

@ -1,4 +1,5 @@
name: Release
name: Release Workflow
on:
push:
branches:
@ -11,16 +12,241 @@ permissions:
contents: read
jobs:
verify:
name: "Verify Main Branch"
uses: ./.gitea/workflows/ci.yml
prepare-release:
name: "Prepare Release"
needs: verify
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'
- name: "Cache npm dependencies"
uses: actions/cache@v4
with:
path: ~/.npm
key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-npm-
- name: "Install dependencies"
run: npm ci
- name: "Generate Release Notes"
id: release-notes
run: |
LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
echo "### Changes since $LATEST_TAG" > release-notes.md
echo "" >> release-notes.md
# Add category headers
echo "#### 🚀 Features" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^feat" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### 🐛 Bug Fixes" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^fix" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### ♻️ Code Refactoring" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^refactor" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### 🧪 Tests" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^test" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### 📚 Documentation" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^docs" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### 🧹 Chores" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^chore" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### ⚙️ CI" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^ci" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
echo "#### 🔧 Build System" >> release-notes.md
git log $LATEST_TAG..HEAD --pretty=format:"- %s (%h)" --grep="^build" >> release-notes.md
echo "" >> release-notes.md
echo "" >> release-notes.md
cat release-notes.md
# Save for next steps
echo "release_notes=$(cat release-notes.md | base64 -w 0)" >> $GITHUB_OUTPUT
- name: "Upload Release Notes"
uses: actions/upload-artifact@v4
with:
name: release-notes
path: release-notes.md
retention-days: 7
release:
name: Release
name: "Semantic Release"
needs: prepare-release
permissions:
contents: write
issues: write
pull-requests: write
id-token: write
outputs:
new_release_version: ${{ steps.semantic-release.outputs.new_release_version }}
new_release_published: ${{ steps.semantic-release.outputs.new_release_published }}
steps:
- name: Create Release
uses: https://git.kjan.de/actions/semantic-release@main
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: 20
cache: 'npm'
- name: "Install dependencies"
run: npm ci
- name: "Download Release Notes"
uses: actions/download-artifact@v4
with:
name: release-notes
path: ./
- name: "Create Release"
id: semantic-release
uses: https://git.kjan.de/actions/semantic-release@main
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
build-artifacts:
name: "Build Release Artifacts"
needs: release
if: ${{ needs.release.outputs.new_release_published == 'true' }}
steps:
- name: "Checkout Code"
uses: actions/checkout@v4
with:
ref: main
# Backend Build
- name: "Setup Java"
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '23'
cache: 'gradle'
- name: "Build Backend"
working-directory: ./backend
run: ./gradlew bootJar --parallel --build-cache
- name: "Upload Backend Artifact"
uses: actions/upload-artifact@v4
with:
name: backend-${{ needs.release.outputs.new_release_version }}
path: backend/build/libs/*.jar
retention-days: 30
# Frontend Build
- name: "Install Bun"
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: "Cache Frontend Dependencies"
uses: actions/cache@v4
with:
path: frontend/node_modules
key: ${{ runner.os }}-bun-${{ hashFiles('frontend/bun.lock') }}
restore-keys: |
${{ runner.os }}-bun-
- name: "Install Frontend Dependencies"
working-directory: ./frontend
run: bun install --frozen-lockfile
- name: "Build Frontend"
working-directory: ./frontend
run: bun run build --configuration production
- name: "Archive Frontend Build"
run: tar -czf frontend-${{ needs.release.outputs.new_release_version }}.tar.gz -C frontend/dist .
- name: "Upload Frontend Artifact"
uses: actions/upload-artifact@v4
with:
name: frontend-${{ needs.release.outputs.new_release_version }}
path: frontend-${{ needs.release.outputs.new_release_version }}.tar.gz
retention-days: 30
- name: "Attach Artifacts to Release"
env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
VERSION: ${{ needs.release.outputs.new_release_version }}
run: |
RELEASE_ID=$(curl -s -H "Authorization: token $GITEA_TOKEN" \
"https://git.kjan.de/api/v1/repos/${{ github.repository }}/releases/tags/v$VERSION" | jq '.id')
# Upload backend JAR
JAR_FILE=$(find backend/build/libs -name "*.jar" -type f | head -n 1)
JAR_NAME=$(basename $JAR_FILE)
curl -X POST \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/octet-stream" \
--data-binary @"$JAR_FILE" \
"https://git.kjan.de/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=$JAR_NAME"
# Upload frontend archive
curl -X POST \
-H "Authorization: token $GITEA_TOKEN" \
-H "Content-Type: application/octet-stream" \
--data-binary @"frontend-$VERSION.tar.gz" \
"https://git.kjan.de/api/v1/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=frontend-$VERSION.tar.gz"
notify:
name: "Notification"
needs: [release, build-artifacts]
if: ${{ always() && needs.release.outputs.new_release_published == 'true' }}
steps:
- name: "Post Release Summary"
run: |
VERSION="${{ needs.release.outputs.new_release_version }}"
echo "### Release v$VERSION Successfully Published! 🎉" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "✅ Semantic versioning completed" >> $GITHUB_STEP_SUMMARY
echo "✅ Release notes generated" >> $GITHUB_STEP_SUMMARY
echo "✅ Tags and GitHub Release created" >> $GITHUB_STEP_SUMMARY
echo "✅ Build artifacts attached to release" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "👉 [View Release](https://git.kjan.de/${{ github.repository }}/releases/tag/v$VERSION)" >> $GITHUB_STEP_SUMMARY
if [[ ${{ always() && needs.build-artifacts.result != 'success' }} == 'true' ]]; then
echo "" >> $GITHUB_STEP_SUMMARY
echo "⚠️ **Warning:** There was an issue with artifact building. Please check the logs." >> $GITHUB_STEP_SUMMARY
fi

257
.gitea/workflows/security.yml Normal file
View file

@ -0,0 +1,257 @@
name: Security Scanning
on:
schedule:
- cron: '0 0 * * 0' # Run weekly on Sunday at midnight
workflow_dispatch: # Allow manual triggering
jobs:
dependency-check:
name: "Dependency Vulnerability Scan"
container:
image: "cimg/openjdk:23.0-node"
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Setup Node.js"
uses: actions/setup-node@v4
with:
node-version: 20
- name: "Install Bun"
uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: "Run npm audit (Backend Dependencies)"
working-directory: ./backend
continue-on-error: true
run: |
npm init -y
npm audit --json > npm-audit-report.json
echo "### Backend npm Audit Results" >> $GITHUB_STEP_SUMMARY
echo "$(npm audit --omit dev | tail -n 5)" >> $GITHUB_STEP_SUMMARY
- name: "Run npm audit (Frontend Dependencies)"
working-directory: ./frontend
continue-on-error: true
run: |
bun pm audit --json > bun-audit-report.json
echo "### Frontend bun Audit Results" >> $GITHUB_STEP_SUMMARY
echo "$(bun pm audit | tail -n 5)" >> $GITHUB_STEP_SUMMARY
- name: "Run OWASP Dependency Check"
uses: dependency-check/Dependency-Check_Action@main
with:
project: "Casino"
path: "."
format: "HTML"
out: "reports"
args: >
--failOnCVSS 7
--enableRetired
- name: "Upload Dependency Check Report"
uses: actions/upload-artifact@v4
with:
name: dependency-check-report
path: reports/
retention-days: 30
- name: "Summarize Findings"
run: |
echo "### OWASP Dependency Check Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Full report has been uploaded as an artifact." >> $GITHUB_STEP_SUMMARY
HIGH_VULNS=$(grep -c "High" reports/dependency-check-report.html || echo "0")
CRITICAL_VULNS=$(grep -c "Critical" reports/dependency-check-report.html || echo "0")
echo "| Severity | Count |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
echo "| Critical | $CRITICAL_VULNS |" >> $GITHUB_STEP_SUMMARY
echo "| High | $HIGH_VULNS |" >> $GITHUB_STEP_SUMMARY
code-scanning:
name: "Static Code Analysis"
container:
image: "cimg/openjdk:23.0-node"
steps:
- name: "Checkout"
uses: actions/checkout@v4
- name: "Setup Java"
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '23'
- name: "Cache Gradle dependencies"
uses: https://github.com/actions/cache@v4
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
backend/.gradle
key: gradle-${{ runner.os }}-${{ hashFiles('backend/build.gradle.kts', 'backend/gradle/wrapper/gradle-wrapper.properties') }}
restore-keys: |
gradle-${{ runner.os }}-
- name: "Setup Gradle"
working-directory: ./backend
run: chmod +x ./gradlew
- name: "Install SpotBugs"
working-directory: ./backend
run: |
cat <<EOT >> build.gradle.kts
plugins {
id("com.github.spotbugs") version "6.0.11"
}
spotbugs {
ignoreFailures.set(true)
showProgress.set(true)
reportsDir.set(file("\$buildDir/reports/spotbugs"))
effort.set(com.github.spotbugs.snom.Effort.MAX)
}
tasks.spotbugsMain {
reports {
create("html") {
required.set(true)
outputLocation.set(file("\$buildDir/reports/spotbugs/main.html"))
}
}
}
EOT
- name: "Run SpotBugs"
working-directory: ./backend
run: ./gradlew spotbugsMain
- name: "Upload SpotBugs Report"
uses: actions/upload-artifact@v4
with:
name: spotbugs-report
path: backend/build/reports/spotbugs/
retention-days: 30
- name: "Install ESLint"
working-directory: ./frontend
run: npm install --no-save eslint eslint-plugin-security
- name: "Run ESLint Security Plugin"
working-directory: ./frontend
run: |
cat <<EOT > .eslintrc.security.js
module.exports = {
"plugins": ["security"],
"extends": ["plugin:security/recommended"]
}
EOT
npx eslint -c .eslintrc.security.js 'src/**/*.ts' -f json > eslint-security-report.json || true
- name: "Upload ESLint Security Report"
uses: actions/upload-artifact@v4
with:
name: eslint-security-report
path: frontend/eslint-security-report.json
retention-days: 30
- name: "Summarize Security Findings"
run: |
echo "### Static Code Analysis Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Security reports have been uploaded as artifacts." >> $GITHUB_STEP_SUMMARY
SPOTBUGS_ISSUES=$(grep -c "BugInstance" backend/build/reports/spotbugs/main.xml || echo "0")
echo "- SpotBugs identified $SPOTBUGS_ISSUES potential issues" >> $GITHUB_STEP_SUMMARY
ESLINT_ISSUES=$(grep -c "severity" frontend/eslint-security-report.json || echo "0")
echo "- ESLint Security Plugin identified $ESLINT_ISSUES potential issues" >> $GITHUB_STEP_SUMMARY
secret-scanning:
name: "Secret Scanning"
runs-on: ubuntu-latest
steps:
- name: "Checkout"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: "Install Gitleaks"
run: |
curl -L https://github.com/zricethezav/gitleaks/releases/download/v8.18.1/gitleaks_8.18.1_linux_x64.tar.gz | tar xz
chmod +x gitleaks
sudo mv gitleaks /usr/local/bin/
- name: "Run Gitleaks"
run: |
gitleaks detect --source . --report-path gitleaks-report.json --redact --no-git || true
- name: "Upload Gitleaks Report"
uses: actions/upload-artifact@v4
with:
name: gitleaks-report
path: gitleaks-report.json
retention-days: 30
- name: "Summarize Secret Findings"
run: |
echo "### Secret Scanning Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Check if any secrets were found
if [ -s gitleaks-report.json ]; then
SECRETS_COUNT=$(jq length gitleaks-report.json)
echo "⚠️ **$SECRETS_COUNT potential secrets found in the codebase**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Please review the detailed report in the artifacts." >> $GITHUB_STEP_SUMMARY
else
echo "✅ No leaked secrets detected in the codebase" >> $GITHUB_STEP_SUMMARY
fi
security-report:
name: "Security Report"
needs: [dependency-check, code-scanning, secret-scanning]
if: always()
steps:
- name: "Summarize Security Scan"
run: |
echo "# 🔒 Security Scan Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Check each job status and create summary
DEP_CHECK="${{ needs.dependency-check.result }}"
CODE_SCAN="${{ needs.code-scanning.result }}"
SECRET_SCAN="${{ needs.secret-scanning.result }}"
echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY
echo "| --- | --- |" >> $GITHUB_STEP_SUMMARY
if [ "$DEP_CHECK" == "success" ]; then
echo "| Dependency Check | ✅ Complete |" >> $GITHUB_STEP_SUMMARY
else
echo "| Dependency Check | ⚠️ Potential issues found |" >> $GITHUB_STEP_SUMMARY
fi
if [ "$CODE_SCAN" == "success" ]; then
echo "| Static Code Analysis | ✅ Complete |" >> $GITHUB_STEP_SUMMARY
else
echo "| Static Code Analysis | ⚠️ Potential issues found |" >> $GITHUB_STEP_SUMMARY
fi
if [ "$SECRET_SCAN" == "success" ]; then
echo "| Secret Scanning | ✅ Complete |" >> $GITHUB_STEP_SUMMARY
else
echo "| Secret Scanning | ⚠️ Potential issues found |" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "All reports have been uploaded as artifacts. Please review them for detailed information." >> $GITHUB_STEP_SUMMARY