ci practice

.editorconfig

@@ -3,7 +3,7 @@ root = true
 # Unix-style newlines with a newline ending every file
 [*]
 end_of_line = lf
-insert_final_newline = true
+#insert_final_newline = true
 
 # Matches multiple files with brace expansion notation
 # Set default charset

.github/workflows/ci-pipeline.yml

@@ -0,0 +1,179 @@
+name: u34 ci-pipeline
+run-name: u34 ci-pipeline run on ${{ github.event_name }} event
+on:
+  schedule:
+    - cron: '0 0 * * 1,4' # on Monday (1) and Thursday (4)
+  pull_request:
+#    types: [opened, reopened]
+#    branches:
+#        - 'main'
+#    paths:
+#      - 'app/**'
+#      - 'Dockerfile'
+#      - 'requirements.txt'
+
+env:
+  IMAGE_TAG: metodil/my-hello-app
+
+jobs:
+
+  editorconfig:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: editorconfig-checker/action-editorconfig-checker@main
+      - run: editorconfig-checker
+
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@master
+    - uses: gaurav-nelson/github-action-markdown-link-check@v1
+
+  lint-black:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: psf/black@stable
+        with:
+          options: "--check --verbose"
+#          src: "."
+
+  lint-unit-tests:
+    runs-on: ubuntu-latest
+    needs: [ editorconfig, markdown-link-check, lint-black ]
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11.8'
+          cache: 'pip'
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install pytest pytest-cov flake8 pylint
+      - name: Run flake8 linting
+        run: flake8 app/
+      - name: Analysing the code with pylint
+        run: |
+          pylint --rcfile=.pylintrc $(git ls-files '*.py')
+      - name: Test with pytest
+        run: |
+          cd app
+          python -m unittest app_test.py
+
+  gitleaks-security:
+    runs-on: ubuntu-latest
+    needs: lint-unit-tests
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  trivy-security:
+    runs-on: ubuntu-latest
+    needs: lint-unit-tests
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+#  it is link in my github account
+#  snyk-security:
+#    runs-on: ubuntu-latest
+#    needs: lint-unit-tests
+#    steps:
+#      - uses: actions/checkout@v4 #actions/checkout@master
+#      - name: Run Snyk to check for vulnerabilities
+#        uses: snyk/actions/node@master
+#        continue-on-error: true # To make sure that SARIF upload gets called
+#        env:
+#          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+#        with:
+#          args: --sarif-file-output=snyk.sarif
+#      - name: Upload result to GitHub Code Scanning
+#        uses: github/codeql-action/upload-sarif@v2
+#        with:
+#          sarif_file: snyk.sarif
+  sonarcloud-security:
+    runs-on: ubuntu-latest
+    needs: lint-unit-tests
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        # Disabling shallow clone is recommended for improving relevancy of reporting
+        fetch-depth: 0
+    - name: SonarCloud Scan
+      uses: sonarsource/sonarcloud-github-action@v3.1.0 # Ex: v2.1.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan
+      env:
+        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  build-test:
+    name: Build image and test
+#    description: Build Dockerfile, test container with trivy if ok push to registry
+    runs-on: ubuntu-latest
+    if: ${{ !cancelled() && !failure() }}
+    needs: [ gitleaks-security,  trivy-security, sonarcloud-security ]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t ${{ env.IMAGE_TAG }}:${{ github.sha }} .
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: '${{ env.IMAGE_TAG }}:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results-container.sarif'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results-container.sarif'
+#        if: always()
+#        with:
+#          sarif_file: 'trivy-results-container.sarif'
+
+  deploy:
+    name: Get credentials and push to Dockerhub
+#    description: Get credentials from Hashi vault and push docker image to Dockerhub
+    runs-on: ubuntu-latest
+    if: ${{ !cancelled() && !failure() }}
+    needs: [ build-test ]
+    steps:
+      - name: Import Secrets from Hashi vault
+        id: import-secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: https://vault.elcomp68.com:8200
+          token: ${{ secrets.HV_U34_TOKEN }}
+          caCertificate: ${{ secrets.VAULT_CA_CERT }}
+          secrets: |
+                kv/data/u34-ci dockerhub_username | DOCKERHUB_USERNAME ;
+                kv/data/u34-ci dockerhub_token | DOCKERHUB_TOKEN ;
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ env.DOCKERHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          push: true
+          tags: '${{ env.IMAGE_TAG }}:${{ github.sha }}'
+        if: success()  # Only push if get login is ok

.gitleaks.toml

@@ -0,0 +1,14 @@
+# Title for the gitleaks configuration file.
+title = "Gitleaks title"
+
+# You can include an allowlist table for a single rule to reduce false positives or ignore commits
+# with known/rotated secrets
+[rules.allowlist]
+# note: (rule) regexTarget defaults to check the _Secret_ in the finding.
+# if regexTarget is not specified then _Secret_ will be used.
+# Acceptable values for regexTarget are "match" and "line"
+regexTarget = "match"
+regexes = [
+  '''sonar.organization''',
+  '''sonar.projectKey''',
+]

.pre-commit-config.yaml

@@ -0,0 +1,18 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v2.3.0
+    hooks:
+    -   id: check-yaml
+    -   id: end-of-file-fixer
+    -   id: trailing-whitespace
+    -   id: check-added-large-files
+    -   id: check-json
+    -   id: check-merge-conflict
+#-   repo: https://github.com/psf/black
+#    rev: 22.10.0
+#    hooks:
+#    -   id: black
+-   repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.0  # Specify the desired version of Gitleaks
+    hooks:
+      - id: gitleaks

.pylintrc

@@ -0,0 +1,8 @@
+[MASTER]
+disable=
+    C0114, # missing-module-docstring
+    C0115, # missing-class-docstring
+    C0116, # missing-function-docstring
+
+[MESSAGES CONTROL]
+disable=missing-docstring,empty-docstring

CONTRIBUTING.md

@@ -0,0 +1,23 @@
+## How to contribute Devops-programe
+
+#### **Did you find a bug?**
+
+* **Open up a GitHub issue if the bug is a security vulnerability**
+
+#### **Did you write a patch that fixes a bug?**
+
+* Open a new GitHub pull request with the patch.
+
+* Ensure the PR description clearly describes the problem and solution. Include the relevant issue number if applicable.
+
+#### **Do you intend to add a new feature or change an existing one?**
+
+* Suggest your change in the [my email](mailto:metodil@hotmail.com).
+
+#### **Do you have questions about the source code?**
+
+* Ask any question about how to use on [my email](mailto:metodil@hotmail.com).
+
+Thanks!
+
+Metodi Lichkov