From 79e448b76d4b3157b9971b213548748544d8005c Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 20:41:15 +0000
Subject: [PATCH 1/4] ci: migrate Jenkins pipeline to GitHub Actions workflow
Co-Authored-By: vanessa.salas
---
 .github/workflows/ci.yml | 123 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 .github/workflows/ci.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 00000000..7877030e
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,123 @@
+name: CI Pipeline
+
+on:
+ push:
+ branches: [main, DevOps]
+ pull_request:
+ branches: [main, DevOps]
+ workflow_dispatch:
+ inputs:
+ DOCKER_TAG:
+ description: "Docker image tag for the build"
+ required: true
+ default: "latest"
+
+env:
+ IMAGE_NAME: bankapp
+
+jobs:
+ security-scans:
+ name: Security Scans
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Trivy Filesystem Scan
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ format: "table"
+ exit-code: "0"
+ severity: "CRITICAL,HIGH"
+
+ - name: OWASP Dependency Check
+ uses: dependency-check/Dependency-Check_Action@main
+ with:
+ project: "bankapp"
+ path: "."
+ format: "XML"
+ out: "reports"
+
+ - name: Upload Dependency Check Report
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: dependency-check-report
+ path: reports/
+
+ code-quality:
+ name: SonarQube Analysis
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: "17"
+ distribution: "temurin"
+ cache: "maven"
+
+ - name: Build with Maven
+ run: mvn clean verify -DskipTests=true
+
+ - name: SonarQube Analysis
+ uses: SonarSource/sonarqube-scan-action@v5
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+ with:
+ args: >
+ -Dsonar.projectKey=bankapp
+ -Dsonar.projectName=bankapp
+ -Dsonar.java.binaries=target/classes
+
+ - name: SonarQube Quality Gate
+ uses: SonarSource/sonarqube-quality-gate-action@v1
+ timeout-minutes: 1
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+ docker:
+ name: Docker Build & Push
+ runs-on: ubuntu-latest
+ needs: [security-scans, code-quality]
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Set Docker tag
+ id: tag
+ run: |
+ if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+ echo "docker_tag=${{ github.event.inputs.DOCKER_TAG }}" >> "$GITHUB_OUTPUT"
+ else
+ echo "docker_tag=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to DockerHub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Build and Push Docker Image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: |
+ ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.docker_tag }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
From 68fb9da594d3146fcef49e0c180685a23052a372 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 20:42:47 +0000
Subject: [PATCH 2/4] fix: use valid trivy-action version 0.35.0
Co-Authored-By: vanessa.salas
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7877030e..38b3b321 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
 uses: actions/checkout@v4
 - name: Trivy Filesystem Scan
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@0.35.0
 with:
 scan-type: "fs"
 scan-ref: "."
From 468709f6b68c4ade61356ba08d657c6f1715c935 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 20:44:28 +0000
Subject: [PATCH 3/4] fix: make SonarQube non-blocking, matching Jenkins abortPipeline:false
Co-Authored-By: vanessa.salas
---
 .github/workflows/ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 38b3b321..979cd672 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
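Review bot: In the `Set Docker tag` step the workflow_dispatch input is spliced into the script text by `${{ github.event.inputs.DOCKER_TAG }}` before bash runs it, so the input's contents become part of the script rather than data; the safer idiom is to pass it through the environment, adding `env:` / `  DOCKER_TAG: ${{ github.event.inputs.DOCKER_TAG }}` to the step and writing `echo "docker_tag=${DOCKER_TAG}" >> "$GITHUB_OUTPUT"`. Two further hardening gaps in the same file: there is no `permissions:` block, so the GITHUB_TOKEN gets the repository default (possibly read-write) when nothing here visibly needs more than `permissions:` / `  contents: read`, and `dependency-check/Dependency-Check_Action@main` follows a mutable branch while every other action is pinned to a tag — pin it to a release tag or commit SHA so the scanner's code cannot change underneath the pipeline. Trivy runs with `exit-code: "0"` and `format: "table"`, so CRITICAL/HIGH findings exist only in the job log; persisting them (for example `format: "sarif"` with an upload, or at least an artifact like the Dependency-Check report already gets) would give them a place a reviewer can find later.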
@@ -51,6 +51,7 @@ jobs:
 code-quality:
 name: SonarQube Analysis
 runs-on: ubuntu-latest
+ continue-on-error: true
 steps:
 - name: Checkout code
@@ -88,7 +89,8 @@ jobs:
 docker:
 name: Docker Build & Push
 runs-on: ubuntu-latest
- needs: [security-scans, code-quality]
+ needs: [security-scans]
+ if: always() && needs.security-scans.result == 'success'
 steps:
 - name: Checkout code
From c7ed766d72a4df7c1a351fbc6155d43ac2ccea2c Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2026 20:46:33 +0000
Subject: [PATCH 4/4] fix: make Docker login/push conditional on secrets being configured
Co-Authored-By: vanessa.salas
---
 .github/workflows/ci.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 979cd672..b31a8251 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,6 +109,7 @@ jobs:
 uses: docker/setup-buildx-action@v3
 - name: Login to DockerHub
+ if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
 uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
@@ -118,8 +119,8 @@ jobs:
 uses: docker/build-push-action@v6
 with:
 context: .
- push: true
+ push: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
 tags: |
- ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.docker_tag }}
+ ${{ secrets.DOCKERHUB_USERNAME || 'local' }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.docker_tag }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
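Review bot: With `code-quality` removed from `needs`, the new `if: always() && needs.security-scans.result == 'success'` on the docker job appears equivalent to the default success condition, so the `always()` buys nothing; if the intent was for docker to wait for the Sonar job while ignoring its outcome, the line to keep is `needs: [security-scans, code-quality]` together with this `if`, otherwise the `if` can simply be dropped. Note also that `result == 'success'` is not a security gate as the workflow stands: Trivy is configured with `exit-code: "0"` (patch 1) and the Dependency-Check step has no failure threshold visible here, so the scans succeed regardless of findings and the image is built and pushed either way. A comment on the `if`, e.g. `# security-scans is report-only (trivy exit-code 0); this only confirms the scans ran`, would make that explicit — or raise Trivy's `exit-code` to `"1"` if CRITICAL/HIGH findings are meant to block the push.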
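Review bot: The new condition on `Login to DockerHub` and on `push:` keys only on whether the two secrets are set, so a `pull_request` run from a branch in the same repository — which does receive repository secrets — still logs in and publishes the PR's unreviewed code to the registry under the short-SHA tag; only fork PRs are kept local. If publishing is meant for merged code and manual dispatches, extend both conditions with `github.event_name != 'pull_request'`, and since the same expression now appears twice, computing it once into a step output avoids the two drifting apart. Separately, `secrets.DOCKERHUB_USERNAME` is used as the image namespace in `tags:`; because it is a secret the runner masks it in logs, so the pushed reference will likely print as `***/bankapp:<tag>` — keeping only the token as a secret and moving the non-sensitive username to a repository variable (say `vars.DOCKERHUB_USERNAME`) would make the build log auditable.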