ci

.github/DEPLOYMENT.md

@@ -0,0 +1,96 @@
+# GitHub Actions Deployment Setup
+
+## Required Secrets
+
+Configure the following secrets in your GitHub repository settings:
+
+### Production Deployment Secrets
+
+1. **HOST** - Your server IP address or domain
+   ```
+   123.456.789.123
+   ```
+
+2. **USERNAME** - SSH username (usually `root` or `ubuntu`)
+   ```
+   root
+   ```
+
+3. **SSH_KEY** - Private SSH key for server access
+   ```
+   -----BEGIN OPENSSH PRIVATE KEY-----
+   your_private_key_content_here
+   -----END OPENSSH PRIVATE KEY-----
+   ```
+
+4. **PORT** - SSH port (optional, defaults to 22)
+   ```
+   22
+   ```
+
+## Server Prerequisites
+
+Your production server should have:
+
+1. **Docker & Docker Compose installed**
+   ```bash
+   curl -fsSL https://get.docker.com -o get-docker.sh
+   sh get-docker.sh
+   sudo usermod -aG docker $USER
+   ```
+
+2. **Project directory prepared**
+   ```bash
+   sudo mkdir -p /opt/quixotic
+   sudo chown $USER:$USER /opt/quixotic
+   cd /opt/quixotic
+   git clone https://github.com/yourusername/quixotic.git .
+   ```
+
+3. **Environment file configured**
+   ```bash
+   cp .env.docker.example .env.docker
+   nano .env.docker
+   # Set your domain and email
+   ```
+
+## Workflow Features
+
+### CI Pipeline (`ci.yml`)
+- ✅ **Test & Lint** - Runs on all PRs and pushes
+- ✅ **Multi-platform build** - AMD64 and ARM64 support
+- ✅ **Docker image caching** - Faster builds
+- ✅ **Auto-deployment** - Deploys main branch to production
+- ✅ **Zero-downtime deployment** - Rolling updates
+
+### Security Pipeline (`security.yml`)
+- ✅ **Dependency scanning** - npm audit for vulnerabilities  
+- ✅ **Code analysis** - GitHub CodeQL for security issues
+- ✅ **Docker scanning** - Trivy for container vulnerabilities
+- ✅ **Weekly scans** - Automated security checks
+
+## Usage
+
+1. **Development workflow:**
+   - Create feature branch: `git checkout -b feature/new-feature`
+   - Push changes: CI runs tests automatically
+   - Create PR: Full CI pipeline runs
+
+2. **Production deployment:**
+   - Merge to main: Automatic build and deploy
+   - Monitor deployment: Check GitHub Actions tab
+
+3. **Manual deployment:**
+   ```bash
+   # On server
+   cd /opt/quixotic
+   git pull origin main
+   docker-compose --env-file .env.docker up -d --build
+   ```
+
+## Monitoring
+
+- **GitHub Actions** - Build and deployment status
+- **Traefik Dashboard** - `http://yourserver:8080`
+- **Application Health** - `https://yourdomain.com/health`
+- **Docker Logs** - `docker-compose logs -f quixotic-app`

.github/workflows/ci.yml

@@ -0,0 +1,125 @@
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main ]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  test:
+    name: Test & Lint
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '18'
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Run linter
+      run: npm run lint
+
+    - name: Build project
+      run: npm run build
+
+    - name: Run validation
+      run: npm run validate
+
+  build:
+    name: Build Docker Image
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name == 'push'
+    
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata
+      id: meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=ref,event=branch
+          type=ref,event=pr
+          type=sha,prefix={{branch}}-
+          type=raw,value=latest,enable={{is_default_branch}}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+  deploy:
+    name: Deploy to Production
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.ref == 'refs/heads/main'
+    environment: production
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Deploy to server
+      uses: appleboy/ssh-action@v1.0.0
+      with:
+        host: ${{ secrets.HOST }}
+        username: ${{ secrets.USERNAME }}
+        key: ${{ secrets.SSH_KEY }}
+        port: ${{ secrets.PORT }}
+        script: |
+          cd /opt/quixotic
+          git pull origin main
+          
+          # Login to GitHub Container Registry
+          echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+          
+          # Pull latest image
+          docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
+          
+          # Update docker-compose to use new image
+          sed -i 's|build:|#build:|g' docker-compose.yml
+          sed -i 's|context: .|#context: .|g' docker-compose.yml  
+          sed -i 's|dockerfile: Dockerfile|#dockerfile: Dockerfile|g' docker-compose.yml
+          sed -i '/quixotic-app:/a \ \ \ \ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest' docker-compose.yml
+          
+          # Deploy with zero downtime
+          docker-compose --env-file .env.docker pull
+          docker-compose --env-file .env.docker up -d
+          
+          # Cleanup old images
+          docker image prune -f

.github/workflows/security.yml

@@ -0,0 +1,67 @@
+name: Security Scan
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 6 * * 1' # Weekly on Monday at 6 AM
+
+jobs:
+  security:
+    name: Security Vulnerability Scan
+    runs-on: ubuntu-latest
+    
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '18'
+        cache: 'npm'
+
+    - name: Install dependencies
+      run: npm ci
+
+    - name: Run npm audit
+      run: npm audit --audit-level=high
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v3
+      with:
+        languages: javascript
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+
+  docker-security:
+    name: Docker Security Scan
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker image for scanning
+      run: docker build -t quixotic:scan .
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: 'quixotic:scan'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results
+      uses: github/codeql-action/upload-sarif@v3
+      if: always()
+      with:
+        sarif_file: 'trivy-results.sarif'