
Migrate Jenkins pipeline to GitHub Actions CI/CD workflows #182

Open
devin-ai-integration[bot] wants to merge 3 commits into DevOps from devin/1777471046-jenkins-to-gh-actions
devin-ai-integration Bot commented Apr 29, 2026

Summary

Migrates the existing Jenkins CI/CD pipeline (Jenkinsfile + GitOps/Jenkinsfile) to GitHub Actions, producing two workflow files:

CI Pipeline (.github/workflows/ci.yml)

Replaces the root Jenkinsfile. Runs on push/PR to main/DevOps and via manual dispatch.

| Jenkins Stage | GitHub Actions Equivalent |
| --- | --- |
| Workspace cleanup | Fresh runner (automatic) |
| Git: Code Checkout | actions/checkout@v4 |
| Trivy: Filesystem scan | aquasecurity/trivy-action@0.35.0 (fs mode) |
| OWASP: Dependency check | dependency-check/Dependency-Check_Action@main + artifact upload |
| SonarQube: Code Analysis | SonarSource/sonarqube-scan-action@v4 (conditional on SONAR_ENABLED variable) |
| SonarQube: Quality Gates | SonarSource/sonarqube-quality-gate-action@v1 |
| Docker: Build & Push | docker/build-push-action@v6 + docker/login-action@v3 (gracefully degrades to local-only build when credentials are missing) |
| Post-success: trigger CD | actions/github-script@v7 dispatches cd.yml |

Security scans (Trivy, OWASP, SonarQube) run in parallel; Docker build/push gates on all three. A Trivy image scan was also added post-build as a bonus.

CD Pipeline (.github/workflows/cd.yml)

Replaces GitOps/Jenkinsfile. Triggered by CI or manual dispatch with a docker_tag input.

  • Updates the K8s deployment manifest (kubernetes/bankapp-deployment.yaml) via sed
  • Commits and pushes the change (using GH_PAT for write access)
  • Posts a job summary notification (replaces Jenkins email notification)

Required GitHub Secrets & Variables

Before running, configure these in Settings → Secrets and variables → Actions:

| Type | Name | Description |
| --- | --- | --- |
| Secret | SONAR_TOKEN | SonarQube authentication token |
| Secret | SONAR_HOST_URL | SonarQube server URL |
| Secret | DOCKERHUB_TOKEN | Docker Hub access token |
| Secret | GH_PAT | GitHub PAT with repo write (for CD manifest push) |
| Variable | DOCKERHUB_USER | Docker Hub username (e.g. madhupdevops) |
| Variable | SONAR_ENABLED | Set to true to enable SonarQube analysis |

CI Status Explanation

  • Trivy & OWASP: Pass
  • Snyk (security/license): Pass
  • SonarQube: Skipped (requires SONAR_ENABLED=true variable + SONAR_TOKEN/SONAR_HOST_URL secrets)
  • Docker Build & Push: Fails due to a pre-existing issue in Dockerfile — the base image openjdk:17-alpine has been removed from Docker Hub. This affects any CI system, not just GH Actions. Fix: replace with eclipse-temurin:17-jre-alpine in the Dockerfile.
  • Trigger CD: Skipped (depends on Docker job)

Review & Testing Checklist for Human

  • Fix the Dockerfile base image: replace FROM openjdk:17-alpine as deployer with FROM eclipse-temurin:17-jre-alpine as deployer
  • Configure the required secrets/variables listed above in the repo's GitHub Actions settings
  • Run the CI workflow manually (workflow_dispatch) and confirm all jobs pass
  • Run the CD workflow manually with a valid Docker tag and confirm the K8s manifest is updated
  • Verify ArgoCD picks up the manifest change after CD pushes

Notes

  • The Jenkins shared library functions (vars/*.groovy) are left in place to avoid breaking any other Jenkins consumers.
  • --failOnCVSS 11 on OWASP effectively makes the check non-blocking (matching the original Jenkins behavior). Lower this threshold to enforce stricter checks.
  • The Docker tag defaults to the short commit SHA when not provided via workflow_dispatch.
  • Docker login/push gracefully degrades: if DOCKERHUB_USER/DOCKERHUB_TOKEN are not set, the image is built locally only (no push), and a warning annotation is emitted.

Link to Devin session: https://app.devin.ai/sessions/ff2b17cb9f5f484293ff8a52756b6fc0
Requested by: @joao-cognition
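
The CD step described above takes a `docker_tag` input and writes it into kubernetes/bankapp-deployment.yaml with sed, so the tag should be checked against the Docker tag grammar before substitution. The following is an added example, not code from this PR or its workflows; the image name `madhupdevops/bankapp`, the function names and the sample manifest are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate docker_tag before it reaches sed.
# In the workflow, hand the input over as an environment variable
# (env: DOCKER_TAG: ${{ inputs.docker_tag }}), never expanded inside run:.
LC_ALL=C; export LC_ALL              # make the [A-Z] ranges byte-exact
IMAGE_REPO="madhupdevops/bankapp"    # assumption: image name is not shown in the PR

# Docker tag grammar: [A-Za-z0-9_] then up to 127 of [A-Za-z0-9_.-].
valid_docker_tag() {
  vt_tag=$1
  [ -n "$vt_tag" ] || return 1
  [ "${#vt_tag}" -le 128 ] || return 1
  case $vt_tag in
    [!A-Za-z0-9_]*)    return 1 ;;   # bad first character
    *[!A-Za-z0-9_.-]*) return 1 ;;   # anything outside the tag alphabet
  esac
  return 0
}

# Rewrites only the tag of IMAGE_REPO; returns 2 on a bad tag, 3 if no image line matched.
update_manifest_image() {
  um_file=$1; um_tag=$2
  valid_docker_tag "$um_tag" || { echo "rejected docker_tag" >&2; return 2; }
  um_re="^([[:space:]]*(- )?image:[[:space:]]*${IMAGE_REPO}):.*"
  grep -Eq "$um_re" "$um_file" || { echo "image line not found" >&2; return 3; }
  # '|' is a safe delimiter: the validated alphabet has no '|', '&' or '\'.
  sed -E "s|${um_re}|\\1:${um_tag}|" "$um_file" > "$um_file.new" &&
    mv "$um_file.new" "$um_file"
}

# Runs the update against a constructed manifest; prints "<exit code> <image line>".
demo() {
  d_file=$(mktemp)
  printf '%s\n' 'spec:' '  containers:' '    - name: bankapp' \
    '      image: madhupdevops/bankapp:old' > "$d_file"
  d_rc=0
  update_manifest_image "$d_file" "$1" 2>/dev/null || d_rc=$?
  echo "$d_rc $(grep 'image:' "$d_file" | tr -d ' ')"
  rm -f "$d_file"
}

demo 'a1b2c3d'          # accepted: short commit SHA
demo '1.0|&'            # rejected: sed metacharacters
```

A rejected tag leaves the manifest untouched, so the job can fail before the commit-and-push step runs with GH_PAT.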



Co-Authored-By: Joao Esteves <joao.esteves@cognition.ai>
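
The PR description lists third-party actions referenced by tag or branch (for example `dependency-check/Dependency-Check_Action@main`) and notes that `--failOnCVSS 11` never blocks. The following is an added example, not part of this PR, of a reviewer-side check for both; the function names and the sample workflow are constructed, and the branch/tag split is a name-based heuristic.

```shell
#!/bin/sh
# Added example: flag mutable action refs and inert CVSS gates in workflow files.
LC_ALL=C; export LC_ALL

# Lists `uses:` refs not pinned to a full 40-hex commit SHA.
# Label is "branch" for well-known branch names (heuristic), otherwise "tag".
unpinned_actions() {
  grep -Eho 'uses:[[:space:]]*[^[:space:]#]+' "$@" |
    sed -E 's/^uses:[[:space:]]*//' |
    grep -Ev '^(\./|docker://)' |          # local and container refs carry no git ref
    grep -Ev '@[0-9a-f]{40}$' |
    sort -u |
    while IFS= read -r ref; do
      case ${ref##*@} in
        main|master|develop) echo "branch $ref" ;;
        *)                   echo "tag $ref" ;;
      esac
    done
}

# CVSS scores top out at 10.0, so a --failOnCVSS threshold above 10 never fails a build.
inert_cvss_gates() {
  grep -Eho -- '--failOnCVSS[ =]+[0-9.]+' "$@" |
    awk '{ n = $NF; sub(/.*=/, "", n); if (n + 0 > 10) print n }'
}

# Constructed sample built from action references named in the PR description.
write_sample() {
  cat > "$1" <<'EOF'
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.35.0
      - uses: dependency-check/Dependency-Check_Action@main
        with:
          args: --failOnCVSS 11
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567  # constructed SHA
EOF
}

wf=$(mktemp); write_sample "$wf"
unpinned_actions "$wf"
inert_cvss_gates "$wf"
rm -f "$wf"
```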
@devin-ai-integration (Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration Bot and others added 2 commits April 29, 2026 14:00
Co-Authored-By: Joao Esteves <joao.esteves@cognition.ai>
Co-Authored-By: Joao Esteves <joao.esteves@cognition.ai>