auction-platform-microservices/.github/workflows/ci.yml at af2ecd4e6bc3c548b2d43c92d3636c71f6ba388a · blanho/auction-platform-microservices · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: CI Pipeline

on:
  push:
    branches: [main, develop, 'feature/**', 'release/**']
  pull_request:
    branches: [main, develop]

env:
  DOTNET_VERSION: '9.0.x'
  SOLUTION_PATH: 'auction.sln'

jobs:
  build:
    name: Build & Test
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}

      - name: Generate semantic version
        id: version
        run: |
          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
            VERSION="1.0.${{ github.run_number }}"
          elif [[ "${{ github.ref }}" == refs/heads/release/* ]]; then
            VERSION="1.0.${{ github.run_number }}-rc"
          else
            VERSION="0.0.${{ github.run_number }}-dev"
          fi
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "Building version: $VERSION"

      - name: Cache NuGet
        uses: actions/cache@v4
        with:
          path: ~/.nuget/packages
          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj') }}
          restore-keys: ${{ runner.os }}-nuget-

      - name: Restore
        run: dotnet restore ${{ env.SOLUTION_PATH }}

      - name: Build
        run: dotnet build ${{ env.SOLUTION_PATH }} -c Release --no-restore -p:Version=${{ steps.version.outputs.version }}

      - name: Test
        run: |
          dotnet test ${{ env.SOLUTION_PATH }} \
            --no-build -c Release \
            --collect:"XPlat Code Coverage" \
            --results-directory ./coverage \
            --logger "trx;LogFileName=test-results.trx" \
            -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover

      - name: Upload test results
        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: test-results
          path: |
            coverage/**/coverage.opencover.xml
            coverage/**/*.trx

      - name: Upload build artifacts
        uses: actions/upload-artifact@v7
        with:
          name: build-artifacts
          path: |
            src/**/bin/Release/**/publish/
          retention-days: 5

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.DOTNET_VERSION }}

      - name: Restore
        run: dotnet restore ${{ env.SOLUTION_PATH }}

      - name: Run security scan
        run: |
          dotnet list ${{ env.SOLUTION_PATH }} package --vulnerable --include-transitive 2>&1 | tee security-report.txt
          if grep -q "has the following vulnerable packages" security-report.txt; then
            echo "::warning::Vulnerable packages detected"
          fi

      - name: Upload security report
        uses: actions/upload-artifact@v7
        with:
          name: security-report
          path: security-report.txt

  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/main' || github.event_name == 'pull_request'
    strategy:
      fail-fast: false
      matrix:
        service:
          - name: identity-api
            dockerfile: src/Services/Identity/Identity.Api/Dockerfile
          - name: auction-api
            dockerfile: src/Services/Auction/Auction.Api/Dockerfile
          - name: bidding-api
            dockerfile: src/Services/Bidding/Bidding.Api/Dockerfile
          - name: payment-api
            dockerfile: src/Services/Payment/Payment.Api/Dockerfile
          - name: notification-api
            dockerfile: src/Services/Notification/Notification.Api/Dockerfile
          - name: analytics-api
            dockerfile: src/Services/Analytics/Analytics.Api/Dockerfile
          - name: search-api
            dockerfile: src/Services/Search/Search.Api/Dockerfile
          - name: storage-api
            dockerfile: src/Services/Storage/Storage.Api/Dockerfile
          - name: job-api
            dockerfile: src/Services/Job/Job.Api/Dockerfile
          - name: gateway-api
            dockerfile: src/Gateway/Gateway.Api/Dockerfile
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build image for scanning
        run: |
          docker build -t scan-${{ matrix.service.name }}:${{ github.sha }} \
            -f ${{ matrix.service.dockerfile }} .

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'scan-${{ matrix.service.name }}:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-results-${{ matrix.service.name }}.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
          ignore-unfixed: true

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results-${{ matrix.service.name }}.sarif'