adding github actions for CICD integrations. Ready to promote to deployment branches.

2025-06-24 07:16:03 +00:00 · 2025-01-22 16:21:42 -05:00 · 2025-01-22 16:21:42 -05:00 · b1e3c9bb2b
commit b1e3c9bb2b
parent b11796ddd6
2 changed files with 86 additions and 0 deletions
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Bandit is a security linter designed to find common security issues in Python code.
+# This action will run Bandit on your codebase.
+# The results of the scan will be found under the Security tab of your repository.
+
+# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+
+name: Bandit
+on:
+  push:
+    branches: [ "*" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "main", "dev_deploy", "prod_deploy"]
+  schedule:
+    - cron: '30 19 * * 4'
+
+jobs:
+  bandit:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Bandit Check
+        uses: jpetrucciani/bandit-check@1.7.4
+        with:
+          bandit_flags: "-lll"
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          level: high
+          confidence: high
+          exit_zero: true
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -0,0 +1,46 @@
+name: Docker Image CI
+
+on:
+  push:
+    branches: [ "*_deploy", "main"]
+  pull_request:
+    branches: [ "*_deploy", "main" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      max-parallel: 4
+      matrix:
+        python-version: [ "3.13" ]
+    steps:
+      - name: Get current date
+        id: date
+        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+      - name: Extract branch name
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+        id: extract_branch
+      - name: Set SSH Agent
+        uses: webfactory/ssh-agent@v0.9.0
+        with:
+          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v3
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Build the Docker image
+        uses: docker/build-push-action@v6
+        with:
+          ssh: |
+            default=${{ env.SSH_AUTH_SOCK }}
+          build-args: |
+            GIT_BRANCH=${{ steps.extract_branch.outputs.branch }}
+          push: true
+          tags: s3docker.francissecada.com/ranked_jobs:${{ steps.extract_branch.outputs.branch }}.${{ steps.date.outputs.date }}