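---
# CI/CD pipeline: run the test suite, build the container image, gate it on a
# vulnerability scan, and only then push it to the Gitea registry.
#
# Repository secrets used: DEEPSEEK_API_KEY and TMDB_API_KEY (tests) and
# G1T34_TOKEN (registry push). Optional repository variables REGISTRY_URL and
# REGISTRY_USER override the registry host and the image namespace.
name: CI/CD Awesome Pipeline

on:
  push:
    branches: [main]
    tags:
      - 'v*.*.*'
  pull_request:
    branches: [main]

env:
  # Registry host and image namespace. Repository variables win over the
  # defaults so the same workflow can run against another instance; every
  # step below reads these instead of repeating the hostname.
  REGISTRY_URL: ${{ vars.REGISTRY_URL || 'gitea.iswearihadsomethingforthis.net' }}
  REGISTRY_USER: ${{ vars.REGISTRY_USER || 'francwa' }}

jobs:
  test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build and run tests
        env:
          # NOTE(review): these third-party API keys are handed to whatever
          # `make _ci-run-tests` executes. pull_request runs from forks must not
          # receive them — confirm the Gitea instance withholds secrets there.
          DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}
          TMDB_API_KEY: ${{ secrets.TMDB_API_KEY }}
        run: make _ci-run-tests

  build-and-push:
    name: Build & Push to Registry
    runs-on: ubuntu-latest
    needs: test
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The Makefile is the single source of truth for image_name,
      # python_version, python_version_short and runner. The target has to
      # print them as `key=value` lines, which is the $GITHUB_OUTPUT format.
      - name: Load config from Makefile
        id: config
        run: make -s _ci-dump-config >> "$GITHUB_OUTPUT"

      - name: 🏷️ Docker Metadata (Tags & Labels)
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}
          tags: |
            # Case 1 - Git tag (v1.2.3) -> 1.2.3
            type=semver,pattern={{ version }}
            # Case 2 - push on main -> latest
            type=raw,value=latest,enable={{ is_default_branch }}
            # Both cases - short commit sha (sha-xxxxxxx). Note that
            # pull_request runs also produce (and push) this tag.
            type=sha

      # Build into the local daemon first (push: false) so the vulnerability
      # gate below runs BEFORE anything reaches the registry. Pushing first and
      # scanning afterwards would leave a vulnerable image published under
      # `latest` even when the scan fails the job.
      - name: Build image (local only)
        id: docker_build
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./brain/Dockerfile
          load: true
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
            RUNNER=${{ steps.config.outputs.runner }}

      # `image-ref` must be ONE reference; `steps.meta.outputs.tags` is a
      # newline-separated list and cannot be passed as-is. The `version`
      # output (e.g. `1.2.3`, `latest` or `sha-…`) names a tag that was
      # applied to the image loaded above, so Trivy scans the local image
      # without touching the registry.
      # TODO(security): pin this action to a release tag or commit SHA instead
      # of the mutable `master` branch.
      - name: 🛡️ Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.meta.outputs.version }}
          format: 'table'
          # Non-zero exit fails the job, which skips the push steps below.
          exit-code: '1'
          # Findings without an upstream fix are deliberately tolerated;
          # revisit if the image must be clean regardless of fix availability.
          ignore-unfixed: true
          # Comma-separated, no spaces; Trivy rejects unknown severity names.
          severity: 'CRITICAL,HIGH'

      - name: Login to Gitea Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY_URL }}
          username: ${{ gitea.actor }}
          password: ${{ secrets.G1T34_TOKEN }}

      # Same context, tags, labels and build-args as the local build so the
      # layers are served from the daemon cache; only the push is new here.
      - name: Push image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./brain/Dockerfile
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
            RUNNER=${{ steps.config.outputs.runner }}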