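---
# Pull request validation: builds the Docker image without pushing it and
# runs a few lightweight, informational checks on the Dockerfile and the
# Python dependency list. Only the image build and a missing
# requirements.txt fail the job; every other check prints a message and
# continues.
name: Pull Request Checks

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches:
      - main
      - develop
    paths-ignore:
      - '**.md'
      - '.gitignore'
      - 'LICENSE'

# Least privilege: the job only needs to read the checkout. Nothing below
# writes to the repository, packages or the pull request.
permissions:
  contents: read

jobs:
  docker-build-test:
    runs-on: ubuntu-latest
    name: Test Docker Build

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build Docker image (test only)
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64
          # Never push from a PR; the image is exported to a tarball instead
          # and loaded by the next step.
          push: false
          tags: 'salvagedb-bot:pr-${{ github.event.number }}'
          cache-from: type=gha
          cache-to: type=gha,mode=max
          outputs: type=docker,dest=/tmp/image.tar

      - name: Test image
        # Expression values are handed to the shell through env rather than
        # interpolated into the script text, so they are only ever data.
        env:
          IMAGE_TAG: 'salvagedb-bot:pr-${{ github.event.number }}'
        run: |
          docker load -i /tmp/image.tar
          echo "✅ Docker image built successfully"
          docker images "$IMAGE_TAG"

      - name: Validate Dockerfile
        # Informational only: hadolint findings and the fallback grep checks
        # print messages but never fail the job.
        run: |
          echo "🔍 Checking Dockerfile best practices..."
          if command -v hadolint >/dev/null 2>&1; then
            # hadolint is present in this branch, so a non-zero exit means
            # it reported findings, not that the tool is missing.
            hadolint Dockerfile || echo "⚠️ Hadolint reported issues - please review"
          else
            echo "ℹ️ Basic Dockerfile validation..."
            # Patterns are anchored to instruction lines so that a comment
            # mentioning FROM/WORKDIR/USER does not count as a hit.
            if grep -qE "^FROM python:" Dockerfile; then
              echo "✅ Base image specified"
            fi
            if grep -qE "^WORKDIR" Dockerfile; then
              echo "✅ Working directory set"
            fi
            # A USER instruction only counts when it is not "USER root".
            # Heuristic: a Dockerfile that switches to root and back later
            # will still be reported as root.
            if grep -qE "^USER[[:space:]]+" Dockerfile \
               && ! grep -qE "^USER[[:space:]]+root([[:space:]]|$)" Dockerfile; then
              echo "✅ Non-root user configured"
            fi
          fi

      - name: Check requirements.txt
        # The only check here that fails the job is a missing file.
        run: |
          echo "📦 Checking Python dependencies..."
          if [ -f requirements.txt ]; then
            echo "✅ requirements.txt found"
            # Raw line count: includes blank and comment lines.
            echo "Dependencies count: $(wc -l < requirements.txt)"
            echo "🔍 Checking for potential security issues..."
            if grep -i -E "django|flask|fastapi" requirements.txt; then
              echo "ℹ️ Web framework detected"
            fi
          else
            echo "❌ requirements.txt not found"
            exit 1
          fi

      - name: Security check
        # Coarse heuristics; each prints a warning but does not fail the job.
        run: |
          echo "🔒 Basic security checks..."

          # Look for secret-like keywords in source files. The keyword list is
          # deliberately broad ("key" matches ordinary dict code, for one), so
          # a hit is a prompt for manual review, not a finding by itself.
          # --exclude-dir skips the .git object store instead of filtering
          # every output line that happens to contain ".git".
          echo "Checking for potential secrets..."
          if grep -r -i -E "password|secret|key|token" --include="*.py" --include="*.sh" --exclude-dir=.git .; then
            echo "⚠️ Potential secrets found in code - please review"
          else
            echo "✅ No obvious secrets found"
          fi

          # Check the Dockerfile for basic security practices. An image with
          # no USER instruction at all runs as root by default, so that case
          # is flagged as well as an explicit "USER root".
          if ! grep -qE "^USER[[:space:]]+" Dockerfile; then
            echo "⚠️ No USER instruction found - image runs as root by default"
          elif grep -qE "^USER[[:space:]]+root([[:space:]]|$)" Dockerfile; then
            echo "⚠️ Running as root user detected"
          else
            echo "✅ Non-root user configuration"
          fi

      - name: PR Summary
        # Branch names come from the pull request payload and are chosen by
        # the PR author; passing them via env keeps a crafted branch name from
        # being interpolated into the script as shell syntax.
        env:
          PR_NUMBER: ${{ github.event.number }}
          BASE_REF: ${{ github.base_ref }}
          HEAD_REF: ${{ github.head_ref }}
          COMMIT_SHA: ${{ github.sha }}
        run: |
          {
            echo "## 🚀 Pull Request Build Summary"
            echo "- **PR Number:** #${PR_NUMBER}"
            echo "- **Target Branch:** ${BASE_REF}"
            echo "- **Source Branch:** ${HEAD_REF}"
            echo "- **Docker Build:** ✅ Successful"
            echo "- **Image Tag:** \`salvagedb-bot:pr-${PR_NUMBER}\`"
            echo "- **Commit:** ${COMMIT_SHA}"
            echo ""
            echo "### 📋 Checks Performed:"
            echo "- ✅ Docker image builds without errors"
            echo "- ✅ Dockerfile validation"
            echo "- ✅ Dependencies check"
            echo "- ✅ Basic security scan"
            echo ""
            echo "**Note:** This is a test build only. No images were pushed to registry."
          } >> "$GITHUB_STEP_SUMMARY"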