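---
# PR gate for the salvagedb-bot image: builds the Docker image for the PR
# head (never pushed), then runs cheap Dockerfile / dependency sanity checks
# and writes a summary. No registry or repository write access is needed, so
# the job runs with a read-only GITHUB_TOKEN.
name: Pull Request Checks

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
      - develop
    paths-ignore:
      - '**.md'
      - '.gitignore'
      - 'LICENSE'

# Least privilege: nothing here pushes images or commits, so the default
# (potentially write-capable) token scope is narrowed to read-only.
permissions:
  contents: read

jobs:
  docker-build-test:
    runs-on: ubuntu-latest
    name: Test Docker Build
    env:
      # github.event.number is an integer supplied by the event payload; it is
      # exposed once here so the shell steps below never interpolate
      # `${{ }}` expressions directly into script text.
      IMAGE_TAG: salvagedb-bot:pr-${{ github.event.number }}
    steps:
      # NOTE(review): the third-party actions below are pinned to floating
      # major tags (@v4/@v3/@v5). Tags are mutable; pin each to a full commit
      # SHA (with the tag in a trailing comment) to close the supply-chain gap.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image (test only)
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          push: false
          tags: ${{ env.IMAGE_TAG }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # Export the image as a tarball so the next step can load and
          # inspect it without any registry round-trip.
          outputs: type=docker,dest=/tmp/image.tar

      - name: Test image
        shell: bash
        run: |
          docker load -i /tmp/image.tar
          echo "✅ Docker image built successfully"
          docker images "$IMAGE_TAG"

      - name: Validate Dockerfile
        shell: bash
        run: |
          echo "🔍 Checking Dockerfile best practices..."
          if command -v hadolint >/dev/null 2>&1; then
            # Keep this warn-only (as before), but report a lint failure as a
            # lint failure. The previous `hadolint ... || echo "not available"`
            # mislabelled every finding as "hadolint not available".
            if ! hadolint Dockerfile; then
              echo "⚠️ Hadolint reported issues - please review"
            fi
          else
            echo "ℹ️ hadolint not available, running basic Dockerfile validation..."
            if grep -qE '^\s*FROM\s+python:' Dockerfile; then
              echo "✅ Base image specified"
            fi
            if grep -qE '^\s*WORKDIR\s+' Dockerfile; then
              echo "✅ Working directory set"
            fi
            # Anchor on the USER instruction itself; a bare "USER" match also
            # hit comments and `USER root`.
            if grep -qE '^\s*USER\s+' Dockerfile && ! grep -qE '^\s*USER\s+(root|0)(\s|:|$)' Dockerfile; then
              echo "✅ Non-root user configured"
            fi
          fi

      - name: Check requirements.txt
        shell: bash
        run: |
          echo "📦 Checking Python dependencies..."
          if [ -f requirements.txt ]; then
            echo "✅ requirements.txt found"
            echo "Dependencies count: $(wc -l < requirements.txt)"
            echo "🔍 Checking for potential security issues..."
            if grep -i "django\|flask\|fastapi" requirements.txt; then
              echo "ℹ️ Web framework detected"
            fi
          else
            echo "❌ requirements.txt not found"
            exit 1
          fi

      - name: Security check
        shell: bash
        run: |
          echo "🔒 Basic security checks..."
          # Heuristic only: it flags any identifier containing these words
          # (e.g. dictionary "key"), and it never fails the job. It is not a
          # substitute for a dedicated secret scanner with entropy/pattern
          # detection.
          echo "Checking for potential secrets..."
          # --exclude-dir replaces the old `grep -v ".git"` post-filter, whose
          # unanchored regex also dropped unrelated lines (e.g. "legitimate").
          if grep -r -n -i -E 'password|secret|key|token' \
               --include="*.py" --include="*.sh" --exclude-dir=.git . \
               | grep -v "requirements.txt"; then
            echo "⚠️ Potential secrets found in code - please review"
          else
            echo "✅ No obvious secrets found"
          fi
          # Check the Dockerfile for basic security practices. A Dockerfile
          # with no USER instruction runs as root by default, so its absence
          # is a warning rather than a pass (the old check reported "✅" for
          # that case and also matched `USER nonroot` as root).
          if grep -qE '^\s*USER\s+(root|0)(\s|:|$)' Dockerfile; then
            echo "⚠️ Running as root user detected"
          elif ! grep -qE '^\s*USER\s+' Dockerfile; then
            echo "⚠️ No USER instruction - container will run as root by default"
          else
            echo "✅ Non-root user configuration"
          fi

      - name: PR Summary
        shell: bash
        env:
          # head_ref is attacker-controlled (any fork can name a branch
          # `x";curl ...`); passing it through env instead of expanding
          # `${{ }}` inside the script prevents command injection.
          PR_NUMBER: ${{ github.event.number }}
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          {
            echo "## 🚀 Pull Request Build Summary"
            echo "- **PR Number:** #${PR_NUMBER}"
            echo "- **Target Branch:** ${BASE_REF}"
            echo "- **Source Branch:** ${HEAD_REF}"
            echo "- **Docker Build:** ✅ Successful"
            echo "- **Image Tag:** \`${IMAGE_TAG}\`"
            echo "- **Commit:** ${COMMIT_SHA}"
            echo ""
            echo "### 📋 Checks Performed:"
            echo "- ✅ Docker image builds without errors"
            echo "- ✅ Dockerfile validation"
            echo "- ✅ Dependencies check"
            echo "- ✅ Basic security scan"
            echo ""
            echo "**Note:** This is a test build only. No images were pushed to registry."
          } >> "$GITHUB_STEP_SUMMARY"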