git/metabuilder
1
0
Fork 0
mirror of https://github.com/johndoe6345789/metabuilder.git synced 2026-04-25 22:34:56 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
feaaa87d0ecc8ebcd53533eb0fea7958493ca7ca
metabuilder/.github/workflows/workflowui-deploy.yml
johndoe6345789 ac6f35d128 feat(docker): complete production-grade Docker deployment setup with CI/CD 
- Add comprehensive GitHub Actions workflow for WorkflowUI builds and deployments
  * Quality checks: TypeScript type-check, lint, build, tests
  * Security scanning: npm audit and Trivy vulnerability scanning
  * Docker build: Multi-architecture (amd64, arm64) with SBOM generation
  * Test deployment: Validates docker-compose and health checks
  * PR notifications with build status

- Create Docker deployment guide (DOCKER.md) covering:
  * Quick start and configuration
  * Building and pushing to registries
  * Persistent data and backup strategies
  * Performance tuning and monitoring
  * Production security checklist
  * Nginx reverse proxy configuration
  * Troubleshooting procedures

- Add production docker-compose override (docker-compose.prod.yml):
  * Resource limits (2GB memory, 2 CPU)
  * Security hardening (capabilities, read-only filesystems, non-root user)
  * Secrets management for NEXTAUTH_SECRET
  * Enhanced health checks with proper timeouts
  * JSON logging with rotation

- Add environment configuration template (.env.example):
  * All configurable variables documented
  * NextAuth, Flask, database, SMTP, security settings
  * Development and feature flag options
  * Example values for common configurations

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-01-23 07:57:04 +00:00

267 lines
7.3 KiB
YAML
Raw Blame History

name: WorkflowUI Build & Deploy
on:
push:
branches:
- main
- develop
paths:
- 'workflowui/**'
- 'fakemui/**'
- '.github/workflows/workflowui-deploy.yml'
tags:
- 'workflowui-v*.*.*'
pull_request:
branches:
- main
- develop
paths:
- 'workflowui/**'
- 'fakemui/**'
workflow_dispatch:
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}/workflowui
NODE_VERSION: '18'
PYTHON_VERSION: '3.9'
permissions:
contents: read
packages: write
checks: write
jobs:
quality-checks:
name: Quality Checks
runs-on: ubuntu-latest
defaults:
run:
working-directory: workflowui
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
cache-dependency-path: 'workflowui/package-lock.json'
- name: Install dependencies
run: npm ci
- name: Type check
run: npm run type-check
- name: Lint code
run: npm run lint --if-present
- name: Build application
run: npm run build
- name: Run tests
run: npm run test --if-present
security-scan:
name: Security Scan
runs-on: ubuntu-latest
defaults:
run:
working-directory: workflowui
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
- name: Run npm audit
run: npm audit --audit-level=moderate
- name: Check for vulnerable dependencies
run: npm run audit --if-present
docker-build:
name: Build Docker Image
runs-on: ubuntu-latest
needs: [quality-checks, security-scan]
if: github.event_name != 'pull_request' || github.event.pull_request.draft == false
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
if: github.event_name != 'pull_request'
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}},prefix=workflowui-v
type=semver,pattern={{major}}.{{minor}},prefix=workflowui-v
type=sha,prefix={{branch}}-
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push Docker image
id: build
uses: docker/build-push-action@v5
with:
context: workflowui
file: workflowui/Dockerfile
platforms: linux/amd64,linux/arm64
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
build-args: |
BUILD_DATE=${{ github.event.head_commit.timestamp }}
VCS_REF=${{ github.sha }}
VERSION=${{ steps.meta.outputs.version }}
- name: Generate SBOM
if: github.event_name != 'pull_request'
uses: anchore/sbom-action@v0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: cyclonedx-json
output-file: sbom-${{ github.sha }}.json
- name: Upload SBOM artifact
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom-*.json
vulnerability-scan:
name: Container Vulnerability Scan
runs-on: ubuntu-latest
needs: docker-build
if: github.event_name != 'pull_request'
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
category: 'container-workflowui'
test-deployment:
name: Test Docker Deployment
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
defaults:
run:
working-directory: workflowui
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image (test only)
uses: docker/build-push-action@v5
with:
context: workflowui
file: workflowui/Dockerfile
load: true
tags: workflowui:test
cache-from: type=gha
- name: Start containers
run: |
docker-compose -f docker-compose.yml up -d
env:
DOCKER_BUILDKIT: 1
- name: Wait for services to be healthy
run: |
for i in {1..30}; do
if curl -f http://localhost:3000/api/health && curl -f http://localhost:5000/api/health; then
echo "Services are healthy"
exit 0
fi
echo "Waiting for services... ($i/30)"
sleep 2
done
echo "Services did not become healthy"
exit 1
- name: Check frontend response
run: |
curl -f http://localhost:3000/ || exit 1
- name: Check backend health
run: |
curl -f http://localhost:5000/api/health || exit 1
- name: Collect logs
if: failure()
run: |
docker-compose -f docker-compose.yml logs > container-logs.txt
cat container-logs.txt
- name: Upload logs
if: failure()
uses: actions/upload-artifact@v4
with:
name: container-logs
path: workflowui/container-logs.txt
- name: Stop containers
if: always()
run: docker-compose -f docker-compose.yml down
notify:
name: Notify Deployment Status
runs-on: ubuntu-latest
needs: [quality-checks, security-scan]
if: always()
steps:
- name: Comment on PR
if: github.event_name == 'pull_request'
uses: actions/github-script@v7
with:
script: |
const qualityStatus = '${{ needs.quality-checks.result }}';
const securityStatus = '${{ needs.security-scan.result }}';
let comment = '## WorkflowUI Build Status\n\n';
comment += `- **Quality Checks**: ${qualityStatus === 'success' ? '✅ Passed' : '❌ Failed'}\n`;
comment += `- **Security Scan**: ${securityStatus === 'success' ? '✅ Passed' : '⚠️ Check logs'}\n`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
Reference in New Issue View Git Blame Copy Permalink