From b1e3c9bb2bb34fe9120c3de05a544ac51c6ab1df Mon Sep 17 00:00:00 2001
From: Francis Secada
Date: Wed, 22 Jan 2025 16:21:42 -0500
Subject: [PATCH] adding github actions for CICD integrations. Ready to promote to deployment branches.
---
 .github/workflows/bandit.yml | 40 ++++++++++++++++++++++++++
 .github/workflows/docker-image.yml | 46 ++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 .github/workflows/bandit.yml
 create mode 100644 .github/workflows/docker-image.yml
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 0000000..733c9e1
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Bandit is a security linter designed to find common security issues in Python code.
+# This action will run Bandit on your codebase.
+# The results of the scan will be found under the Security tab of your repository.
+
+# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+
+name: Bandit
+on:
+ push:
+ branches: [ "*" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main", "dev_deploy", "prod_deploy"]
+ schedule:
+ - cron: '30 19 * * 4'
+
+jobs:
+ bandit:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Bandit Check
+ uses: jpetrucciani/bandit-check@1.7.4
+ with:
+ bandit_flags: "-lll"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ level: high
+ confidence: high
+ exit_zero: true
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
new file mode 100644
index 0000000..61d2938
--- /dev/null
+++ b/.github/workflows/docker-image.yml
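Review bot: `exit_zero: true` on the last line of the job makes the Bandit step succeed regardless of findings, so this workflow cannot block a merge on a high-severity, high-confidence result; if it is meant as a gate, set `exit_zero: false` (or drop the key) and keep the `-lll`/`level: high` filter to limit noise. The header comments and the `security-events: write` / `actions: read` permissions read as copied from the marketplace bandit-scan template that uploads SARIF, but the step actually used is `jpetrucciani/bandit-check@1.7.4` and no upload-sarif step is present, so the "results under the Security tab" comment and those two permissions appear not to apply here — confirm what the action needs and reduce the job to `contents: read` if it does not use them. `actions/checkout@v2` runs on a deprecated Node runtime; `actions/checkout@v4` is current, and pinning both third-party actions to a full commit SHA instead of a mutable tag would close the tag-retargeting risk the first four comment lines themselves warn about.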
@@ -0,0 +1,46 @@
+name: Docker Image CI
+
+on:
+ push:
+ branches: [ "*_deploy", "main"]
+ pull_request:
+ branches: [ "*_deploy", "main" ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ strategy:
+ max-parallel: 4
+ matrix:
+ python-version: [ "3.13" ]
+ steps:
+ - name: Get current date
+ id: date
+ run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
+ - name: Extract branch name
+ shell: bash
+ run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
+ id: extract_branch
+ - name: Set SSH Agent
+ uses: webfactory/ssh-agent@v0.9.0
+ with:
+ ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - uses: actions/checkout@v3
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v3
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Build the Docker image
+ uses: docker/build-push-action@v6
+ with:
+ ssh: |
+ default=${{ env.SSH_AUTH_SOCK }}
+ build-args: |
+ GIT_BRANCH=${{ steps.extract_branch.outputs.branch }}
+ push: true
+ tags: s3docker.francissecada.com/ranked_jobs:${{ steps.extract_branch.outputs.branch }}.${{ steps.date.outputs.date }}
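Review bot: `push: true` at the end of the build step also applies to `pull_request` runs, so every PR targeting `main` or a `*_deploy` branch publishes an image to `s3docker.francissecada.com` tagged with the PR's head branch, and a head branch containing `/` (e.g. `feature/x`) produces a tag Docker rejects, failing the job only after the build. Gate the publish with `push: ${{ github.event_name == 'push' }}` and sanitize the branch in the extract step, e.g. `run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" | tr '/' '-' >> "$GITHUB_OUTPUT"`. No `docker/login-action` step precedes the push, so either the registry accepts unauthenticated pushes — which should be confirmed and, if true, fixed on the registry side — or the credentials come from outside this workflow; a comment naming the mechanism would help the next reader. The date step uses the deprecated `::set-output` workflow command while the very next step already writes to `$GITHUB_OUTPUT`; make them consistent with `run: echo "date=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"`. The `actions/setup-python@v3` step and the `python-version` matrix are not consumed by any later step in the hunk, and `packages: write` is granted although the image is pushed to a custom registry rather than GHCR — drop what is unused, and prefer SHA-pinned action references over mutable tags.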