Merge pull request #46 from Its4Nik/ci/cd-rework

Feat: Setup CI/CD pipelines

Author: Its4Nik

.github/workflows/cd.yml

@@ -0,0 +1,64 @@
+name: Continuous Delivery
+
+on:
+  release:
+    types: [published, prereleased]
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  publish:
+    name: Publish Container Image
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Determine tags
+        id: tags
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/its4nik/dockstatapi
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.tags.outputs.tags }}
+
+  sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+    needs: publish
+    steps:
+      - name: Generate SBOM
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ghcr.io/its4nik/dockstatapi:${{ github.event.release.tag_name }}
+          format: spdx-json
+          output: sbom.json
+
+      - name: Upload SBOM
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: sbom.json

.github/workflows/ci.yml

@@ -0,0 +1,77 @@
+name: Continuous Integration
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+  checks: write
+  security-events: write
+
+jobs:
+  lint-test:
+    name: Lint and Test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install dependencies
+        run: bun install
+
+      - name: Run linter
+        run: bun run biome ci
+
+      - name: Run unit tests
+        run: bun test --reporter=junit --reporter-outfile=./unit-test.xml
+
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@v5
+        with:
+          report_paths: 'unit-test.xml'
+
+  build-scan:
+    name: Build and Security Scan
+    runs-on: ubuntu-latest
+    needs: lint-test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: docker/Dockerfile
+          tags: dockstatapi:ci-${{ github.sha }}
+          load: true
+
+      - name: Start and test container
+        run: |
+          docker run --name test-container -d dockstatapi:ci-${{ github.sha }}
+          sleep 10
+          docker ps | grep test-container
+          docker logs test-container
+          docker stop test-container
+
+      - name: Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: 'dockstatapi:ci-${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Upload security results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'