Merge pull request #36 from LabGraphTeam/dev/workflows

Dev/workflows

.github/workflows/docker-image.yml

@@ -3,39 +3,69 @@ name: Docker Image CI/CD
 on:
   push:
     branches: [ 'master' ]
-  # pull_request:
-  #   branches: ['master']
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
   build:
     runs-on: [ self-hosted, linux, x64, backend ]
+    timeout-minutes: 15
 
     steps:
       - uses: actions/checkout@v4
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
+
+      - name: Ensure buildx cache
+        run: mkdir -p /tmp/.buildx-cache
+
       - name: Cache Docker layers
         uses: actions/cache@v3
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-buildx-
+            
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          trivy-config: trivy.yaml
+          cache-dir: '/tmp/trivy-cache'
+
       - name: Log in to Docker Hub
-        run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
       - name: Build and push Docker image
+        id: docker_build
         run: |
-          docker compose -f docker-compose.build.yml build
-          docker compose -f docker-compose.build.yml push
+          for i in 1 2 3; do
+            if docker compose -f docker-compose.build.yml build && \
+               docker compose -f docker-compose.build.yml push; then
+              exit 0
+            fi
+            echo "Retry $i/3..."
+            sleep 10
+          done
+          exit 1
 
   deploy:
     runs-on: [ self-hosted, linux, x64, backend ]
     needs: build
     environment: Production
+    timeout-minutes: 10
 
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+
       - name: Deploy
         env:
           DB_DATABASE: ${{ secrets.DB_DATABASE }}
@@ -54,36 +84,59 @@ jobs:
           SPRING_MAIL_PASSWORD: ${{ secrets.SPRING_MAIL_PASSWORD }}
           EMAIL_TO_SEND_LIST: ${{ secrets.EMAIL_TO_SEND_LIST }}
         run: |
-          docker compose pull
-          docker compose up -d
-
-  notify:
-    runs-on: [ self-hosted, linux, x64, backend ]
-    needs: deploy
-
-    steps:
-      - name: Notify deployment
-        run: echo "Deployment completed successfully"
+          for i in 1 2 3; do
+            if docker compose pull && docker compose up -d; then
+              exit 0
+            fi
+            echo "Retry $i/3..."
+            sleep 10
+          done
+          exit 1
 
   health-check:
     runs-on: [ self-hosted, linux, x64, backend ]
     needs: deploy
+    timeout-minutes: 5
 
     steps:
-      - name: Wait for server to be ready and healthy test
+      - name: Health check with timeout and retry
         run: |
-          sleep 30
-          until curl -sSf http://localhost:${{ secrets.SERVER_LOCAL_PORT }}/actuator/health; do
-            echo "Waiting for server..."
-            sleep 5
+          max_attempts=12
+          attempt=1
+          while [ $attempt -le $max_attempts ]; do
+            if curl -sSf http://localhost:${{ secrets.SERVER_LOCAL_PORT }}/actuator/health; then
+              echo "Service is healthy!"
+              exit 0
+            fi
+            echo "Attempt $attempt/$max_attempts - Service not healthy yet..."
+            sleep 15
+            attempt=$((attempt + 1))
           done
+          echo "Health check failed after $max_attempts attempts"
+          exit 1
 
   cleanup:
     runs-on: [ self-hosted, linux, x64, backend ]
     needs: health-check
+    if: always()
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Cleanup Docker resources
+        run: |
+          chmod +x ./.github/scripts/cleanup_docker.sh
+          ./.github/scripts/cleanup_docker.sh
+
+  notify:
+    runs-on: [ self-hosted, linux, x64, backend ]
+    needs: [deploy, health-check, cleanup]
+    if: always()
 
     steps:
-      - name: Set execute permission for cleanup script
-        run: chmod +x ./.github/scripts/cleanup_docker.sh
-      - name: Running scripts
-        run: ./.github/scripts/cleanup_docker.sh
+      - name: Notify deployment status
+        run: |
+          if [ "${{ job.status }}" = "success" ]; then
+            echo "✅ Deployment completed successfully"
+          else
+            echo "❌ Deployment failed"
+          fi

pom.xml

@@ -20,6 +20,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-mail</artifactId>
+            <version>3.4.2</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -33,6 +34,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
+            <version>3.4.2</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.springframework.boot</groupId>
@@ -43,6 +45,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-hateoas</artifactId>
+            <version>3.4.2</version>
         </dependency>
         <dependency>
             <groupId>org.mariadb.jdbc</groupId>
@@ -58,10 +61,12 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
+            <version>3.4.2</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-validation</artifactId>
+            <version>3.4.2</version>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
@@ -72,10 +77,12 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
+            <version>3.4.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.google.code.gson</groupId>
+            <version>2.11.0</version>
             <artifactId>gson</artifactId>
         </dependency>
         <dependency>
@@ -113,24 +120,28 @@
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
+            <version>6.4.2</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context-support</artifactId>
+            <version>6.2.2</version>
         </dependency>
     </dependencies>
     <build>
         <plugins>
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
+                <version>3.4.2</version>
                 <configuration>
                 </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.13.0</version>
                 <configuration>
                     <source>21</source>
                     <target>21</target>
@@ -155,7 +166,7 @@
             <dependency>
                 <groupId>org.checkerframework</groupId>
                 <artifactId>checker-qual</artifactId>
-                <version>3.37.0</version>
+                <version>3.48.4</version>
             </dependency>
 
 

trivy.yaml

@@ -0,0 +1,19 @@
+format: json
+list-all-pkgs: true
+exit-code: 0
+severity:
+  - CRITICAL
+  - HIGH
+
+vulnerability:
+  ignore-unfixed: true
+
+scanners:
+  - vuln
+
+debug: true
+timeout: 5m
+
+java:
+  path: pom.xml
+  external-packages: true