.github/workflows/ci-cd.yaml

name: CI/CD

on:
  merge_group:
  pull_request:
    branches:
      - main
    paths-ignore:
      - backend/data/nest.json.gz
  push:
    branches:
      - main
    paths-ignore:
      - backend/data/nest.json.gz
  release:
    types:
      - published
  workflow_dispatch:

permissions:
  contents: read

concurrency:
  cancel-in-progress: true
  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.head_ref || github.ref_name }}

env:
  FORCE_COLOR: 1

jobs:
  pre-commit:
    name: Run pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Install Poetry
        run: pipx install poetry

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          cache: poetry
          cache-dependency-path: backend/poetry.lock
          python-version: '3.13'

      - name: Run pre-commit
        uses: pre-commit/action@v3.0.1

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install frontend dependencies
        working-directory: frontend
        run: npm install

      - name: Run npm format
        working-directory: frontend
        run: npm run format

      - name: Run npm lint check
        working-directory: frontend
        run: npm run lint:check

      - name: Check for uncommitted changes
        run: |
          git diff --exit-code || (echo 'Unstaged changes detected. \
          Run `make check` and use `git add` to address it.' && exit 1)

  code-ql:
    name: CodeQL
    needs:
      - pre-commit
    permissions:
      security-events: write
    runs-on: ubuntu-latest
    strategy:
      matrix:
        language:
          - javascript-typescript
          - python
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Set up Node
        if: matrix.language == 'javascript-typescript'
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install dependencies for frontend
        if: matrix.language == 'javascript-typescript'
        working-directory: frontend
        run: npm install

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{ matrix.language }}'

  run-backend-tests:
    name: Run backend tests
    needs:
      - pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Install Poetry
        run: pipx install poetry

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          cache: poetry
          cache-dependency-path: backend/poetry.lock
          python-version: '3.13'

      - name: Run backend tests
        run: |
          make test-backend

  run-frontend-tests:
    name: Run frontend tests
    needs:
      - pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up Node
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
          cache-dependency-path: frontend/package-lock.json

      - name: Install frontend dependencies
        working-directory: frontend
        run: npm install

      - name: Run frontend tests
        run: |
          make test-frontend

  build-docker-staging-images:
    name: Build Docker Staging Images
    environment: staging
    if: |
      github.repository == 'OWASP/Nest' &&
      github.ref == 'refs/heads/main'
    needs:
      - code-ql
      - run-backend-tests
      - run-frontend-tests
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build backend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache
          cache-to: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache,mode=max
          context: backend
          file: backend/Dockerfile.staging
          platforms: linux/amd64
          push: true
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-backend:staging

      - name: Prepare frontend environment
        run: |
          echo "VITE_ALGOLIA_APP_ID=${{ secrets.VITE_ALGOLIA_APP_ID }}" > frontend/.env.staging
          echo "VITE_ALGOLIA_SEARCH_API_KEY=${{ secrets.VITE_ALGOLIA_SEARCH_API_KEY }}" >> frontend/.env.staging
          echo "VITE_API_URL=${{ secrets.VITE_API_URL }}" >> frontend/.env.staging
          echo "VITE_ENVIRONMENT=${{ secrets.VITE_ENVIRONMENT }}" >> frontend/.env.staging
          echo "VITE_SENTRY_DSN=${{ secrets.SENTRY_DSN }}" >> frontend/.env.staging

      - name: Build frontend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache
          cache-to: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache,mode=max
          context: frontend
          file: frontend/Dockerfile.staging
          platforms: linux/amd64
          push: true
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-frontend:staging

  deploy-nest-staging:
    name: Deploy Nest Staging
    env:
      ANSIBLE_HOST_KEY_CHECKING: False
      STAGING_HOST_IP_ADDRESS: '${{ secrets.STAGING_HOST_IP_ADDRESS }}'
      STAGING_SSH_PRIVATE_KEY_PATH: '${{ vars.STAGING_SSH_PRIVATE_KEY_PATH }}'
    environment: staging
    if: |
      github.repository == 'OWASP/Nest' &&
      github.ref == 'refs/heads/main'
    needs:
      - build-docker-staging-images
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Prepare SSH key
        run: |
          mkdir -m 700 ~/.ssh
          echo "${{ secrets.STAGING_SSH_PRIVATE_KEY }}" > ${{ env.STAGING_SSH_PRIVATE_KEY_PATH }}
          chmod 400 ${{ env.STAGING_SSH_PRIVATE_KEY_PATH }}

      - name: Prepare secrets
        run: |
          # Backend
          echo "DJANGO_ALGOLIA_APPLICATION_ID=${{ secrets.DJANGO_ALGOLIA_APPLICATION_ID }}" > .env.backend
          echo "DJANGO_ALGOLIA_APPLICATION_REGION=${{ secrets.DJANGO_ALGOLIA_APPLICATION_REGION }}" >> .env.backend
          echo "DJANGO_ALGOLIA_WRITE_API_KEY=${{ secrets.DJANGO_ALGOLIA_WRITE_API_KEY }}" >> .env.backend
          echo "DJANGO_ALLOWED_HOSTS=${{ secrets.DJANGO_ALLOWED_HOSTS }}" >> .env.backend
          echo "DJANGO_AWS_ACCESS_KEY_ID=${{ secrets.DJANGO_AWS_ACCESS_KEY_ID }}" >> .env.backend
          echo "DJANGO_AWS_SECRET_ACCESS_KEY=${{ secrets.DJANGO_AWS_SECRET_ACCESS_KEY }}" >> .env.backend
          echo "DJANGO_CONFIGURATION=${{ secrets.DJANGO_CONFIGURATION }}" >> .env.backend
          echo "DJANGO_DB_HOST=${{ secrets.DJANGO_DB_HOST }}" >> .env.backend
          echo "DJANGO_DB_NAME=${{ secrets.DJANGO_DB_NAME }}" >> .env.backend
          echo "DJANGO_DB_PASSWORD=${{ secrets.DJANGO_DB_PASSWORD }}" >> .env.backend
          echo "DJANGO_DB_PORT=${{ secrets.DJANGO_DB_PORT }}" >> .env.backend
          echo "DJANGO_DB_USER=${{ secrets.DJANGO_DB_USER }}" >> .env.backend
          echo "DJANGO_OPEN_AI_SECRET_KEY=${{ secrets.DJANGO_OPEN_AI_SECRET_KEY }}" >> .env.backend
          echo "DJANGO_SECRET_KEY=${{ secrets.DJANGO_SECRET_KEY }}" >> .env.backend
          echo "DJANGO_SENTRY_DSN=${{ secrets.DJANGO_SENTRY_DSN }}" >> .env.backend
          echo "DJANGO_SETTINGS_MODULE=${{ secrets.DJANGO_SETTINGS_MODULE }}" >> .env.backend
          echo "DJANGO_SLACK_BOT_TOKEN=${{ secrets.DJANGO_SLACK_BOT_TOKEN }}" >> .env.backend
          echo "DJANGO_SLACK_SIGNING_SECRET=${{ secrets.DJANGO_SLACK_SIGNING_SECRET }}" >> .env.backend
          echo "GITHUB_TOKEN=${{ secrets.DJANGO_GITHUB_TOKEN }}" >> .env.backend

          # Database
          echo "POSTGRES_DB=${{ secrets.DJANGO_DB_NAME }}" > .env.db
          echo "POSTGRES_PASSWORD=${{ secrets.DJANGO_DB_PASSWORD }}" >> .env.db
          echo "POSTGRES_USER=${{ secrets.DJANGO_DB_USER }}" >> .env.db

      - name: Run Nest deploy
        working-directory: .github/ansible
        run: ansible-playbook -i inventory.yaml staging/deploy.yaml -e "github_workspace=$GITHUB_WORKSPACE"

  build-docker-production-images:
    name: Build Docker Production Images
    environment: production
    if: |
      github.event_name == 'release' &&
      github.event.action == 'published'
    needs:
      - code-ql
      - run-backend-tests
      - run-frontend-tests
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build backend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache
          cache-to: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-backend:cache,mode=max
          context: backend
          file: backend/Dockerfile.production
          platforms: linux/amd64
          push: true
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-backend:production

      - name: Prepare frontend environment
        run: |
          echo "VITE_ALGOLIA_APP_ID=${{ secrets.ALGOLIA_APP_ID }}" > frontend/.env.production
          echo "VITE_ALGOLIA_SEARCH_API_KEY=${{ secrets.ALGOLIA_SEARCH_API_KEY }}" >> frontend/.env.production
          echo "VITE_API_URL=https://nest.owasp.org/api/v1" >> frontend/.env.production
          echo "VITE_ENVIRONMENT=production" >> frontend/.env.production
          echo "VITE_SENTRY_DSN=${{ secrets.SENTRY_DSN }}" >> frontend/.env.production

      - name: Build frontend image
        uses: docker/build-push-action@v6
        with:
          cache-from: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache
          cache-to: type=registry,ref=${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-frontend:cache,mode=max
          context: frontend
          file: frontend/Dockerfile.production
          platforms: linux/amd64
          push: true
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/owasp-nest-frontend:production

  deploy-nest-production:
    name: Deploy Nest Production
    env:
      ANSIBLE_HOST_KEY_CHECKING: False
      PRODUCTION_HOST_IP_ADDRESS: '${{ secrets.PRODUCTION_HOST_IP_ADDRESS }}'
      PRODUCTION_SSH_PRIVATE_KEY_PATH: '~/.ssh/nest_production_private_key'
    environment: production
    if: |
      github.event_name == 'release' &&
      github.event.action == 'published'
    needs:
      - build-docker-production-images
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Prepare SSH key
        run: |
          mkdir -m 700 ~/.ssh
          echo "${{ secrets.PRODUCTION_SSH_PRIVATE_KEY }}" > ${{ env.PRODUCTION_SSH_PRIVATE_KEY_PATH }}
          chmod 400 ${{ env.PRODUCTION_SSH_PRIVATE_KEY_PATH }}

      - name: Run Nest deploy
        working-directory: .github/ansible
        run: ansible-playbook -i inventory.yaml production/deploy.yaml -e "github_workspace=$GITHUB_WORKSPACE"