adding github actions for CICD integrations. Ready to promote to deployment branches.

2025-06-24 15:26:03 +00:00 · 2025-01-22 16:21:42 -05:00 · 2025-01-22 16:21:42 -05:00 · b1e3c9bb2b
commit b1e3c9bb2b
parent b11796ddd6
2 changed files with 86 additions and 0 deletions
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@ -0,0 +1,40 @@
 # This workflow uses actions that are not certified by GitHub.
 # They are provided by a third-party and are governed by
 # separate terms of service, privacy policy, and support
 # documentation.
 # Bandit is a security linter designed to find common security issues in Python code.
 # This action will run Bandit on your codebase.
 # The results of the scan will be found under the Security tab of your repository.
 # https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
 # https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
 name: Bandit
 on:
  push:
    branches: [ "*" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main", "dev_deploy", "prod_deploy"]
  schedule:
    - cron: '30 19 * * 4'
 jobs:
  bandit:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Bandit Check
        uses: jpetrucciani/bandit-check@1.7.4
        with:
          bandit_flags: "-lll"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          level: high
          confidence: high
          exit_zero: true
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -0,0 +1,46 @@
 name: Docker Image CI
 on:
  push:
    branches: [ "*_deploy", "main"]
  pull_request:
    branches: [ "*_deploy", "main" ]
 jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    strategy:
      max-parallel: 4
      matrix:
        python-version: [ "3.13" ]
    steps:
      - name: Get current date
        id: date
        run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
      - name: Extract branch name
        shell: bash
        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
        id: extract_branch
      - name: Set SSH Agent
        uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - uses: actions/checkout@v3
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v3
        with:
          python-version: ${{ matrix.python-version }}
      - name: Build the Docker image
        uses: docker/build-push-action@v6
        with:
          ssh: |
            default=${{ env.SSH_AUTH_SOCK }}
          build-args: |
            GIT_BRANCH=${{ steps.extract_branch.outputs.branch }}
          push: true
          tags: s3docker.francissecada.com/ranked_jobs:${{ steps.extract_branch.outputs.branch }}.${{ steps.date.outputs.date }}