dpconde · dpconde · Sep 28, 2025 · Sep 28, 2025 · Sep 28, 2025 · Sep 28, 2025
diff --git a/.github/_README.md b/.github/_README.md
@@ -0,0 +1,101 @@
+# GitHub Actions Workflows
+
+This directory contains GitHub Actions workflows for CI/CD, code quality, and security scanning.
+
+## Workflows Overview
+
+### 🚀 CI Pipeline (`ci.yml`)
+- **Triggers**: Push/PR to `main` and `develop` branches
+- **Jobs**:
+  - **Test**: Runs unit tests with JUnit 5
+  - **Build**: Compiles the application and creates artifacts
+  - **Validate Dockerfile**: Checks Docker configuration if present
+
+### 🔒 Security (`security.yml`)
+- **Triggers**: Push/PR to main branches + weekly scheduled scan
+- **Jobs**:
+  - **Dependency Check**: OWASP dependency vulnerability scanning
+  - **CodeQL Analysis**: Static code analysis for security issues
+  - **Secrets Scan**: TruffleHog scan for leaked credentials
+
+### 📊 Code Quality (`code-quality.yml`)
+- **Triggers**: Push/PR to `main` and `develop` branches
+- **Jobs**:
+  - **KtLint**: Kotlin code style checking
+  - **Detekt**: Static analysis for Kotlin code quality
+  - **Coverage**: Test coverage reporting with Jacoco
+  - **Build Validation**: Gradle wrapper and build script validation
+
+### 🚂 Railway Deploy (`railway-deploy.yml`)
+- **Triggers**: Push to `main` + CI workflow completion
+- **Purpose**: Pre-deployment validation before Railway auto-deploy
+- **Features**:
+  - Build validation
+  - Configuration checks
+  - Deployment status updates
+
+## Railway Integration
+
+Since Railway automatically deploys on push to `main`, this setup provides:
+
+1. **Pre-deployment validation** - Ensures code quality before Railway deploys
+2. **Security scanning** - Catches vulnerabilities before production
+3. **Test coverage** - Maintains code quality standards
+4. **Build verification** - Confirms the application builds successfully
+
+## Configuration Files
+
+### Code Quality Tools
+- `config/detekt/detekt.yml` - Detekt static analysis rules
+- `config/dependency-check-suppressions.xml` - OWASP dependency check suppressions
+
+### Gradle Plugins Added
+- `org.jlleitschuh.gradle.ktlint` - Kotlin linting
+- `io.gitlab.arturbosch.detekt` - Static analysis
+- `jacoco` - Test coverage
+- `org.owasp.dependencycheck` - Vulnerability scanning
+
+## Running Locally
+
+```bash
+# Run all checks
+./gradlew check
+
+# Individual tools
+./gradlew ktlintCheck      # Kotlin linting
+./gradlew detekt           # Static analysis
+./gradlew test             # Tests with coverage
+./gradlew dependencyCheckAnalyze  # Vulnerability scan
+
+# Auto-fix formatting issues
+./gradlew ktlintFormat
+```
+
+## Status Badges
+
+Add these to your main README.md:
+
+```markdown
+![CI](https://github.com/YOUR_USERNAME/sofia-tracker-server/workflows/CI/badge.svg)
+![Security](https://github.com/YOUR_USERNAME/sofia-tracker-server/workflows/Security/badge.svg)
+![Code Quality](https://github.com/YOUR_USERNAME/sofia-tracker-server/workflows/Code%20Quality/badge.svg)
+```
+
+## Secrets Configuration
+
+For enhanced functionality, configure these GitHub repository secrets:
+
+- `CODECOV_TOKEN` - For enhanced coverage reporting (optional)
+- Add any Railway-specific tokens if needed for deployment notifications
+
+## Customization
+
+### Adjusting Quality Gates
+- Modify `failBuildOnCVSS` in `build.gradle` to change vulnerability thresholds
+- Update Detekt rules in `config/detekt/detekt.yml`
+- Adjust test coverage requirements in workflow files
+
+### Adding New Workflows
+- Place new `.yml` files in `.github/workflows/`
+- Follow the existing naming convention
+- Ensure proper trigger conditions to avoid unnecessary runs
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,104 @@
+name: CI
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Cache Gradle packages
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Grant execute permission for gradlew
+      run: chmod +x gradlew
+
+    - name: Run tests
+      run: ./gradlew test
+
+    - name: Generate test report
+      uses: dorny/test-reporter@v1
+      if: success() || failure()
+      with:
+        name: Test Results
+        path: build/test-results/test/*.xml
+        reporter: java-junit
+
+    - name: Upload test results
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: test-results
+        path: build/test-results/
+
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Cache Gradle packages
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Grant execute permission for gradlew
+      run: chmod +x gradlew
+
+    - name: Build application
+      run: ./gradlew build -x test
+
+    - name: Upload build artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: build-artifacts
+        path: build/libs/
+
+  validate-dockerfile:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Check if Dockerfile exists
+      run: |
+        if [ -f Dockerfile ]; then
+          echo "Dockerfile found"
+          docker build -t sofia-tracker-test .
+        else
+          echo "No Dockerfile found, skipping Docker validation"
+        fi
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
@@ -0,0 +1,153 @@
+name: Code Quality
+
+on:
+  push:
+    branches: [ main, develop ]
+  pull_request:
+    branches: [ main, develop ]
+
+jobs:
+  ktlint:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Cache Gradle packages
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Grant execute permission for gradlew
+      run: chmod +x gradlew
+
+    - name: Run Kotlin linter
+      run: ./gradlew ktlintCheck || true
+
+    - name: Upload ktlint results
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: ktlint-results
+        path: build/reports/ktlint/
+
+  detekt:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Cache Gradle packages
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Grant execute permission for gradlew
+      run: chmod +x gradlew
+
+    - name: Run Detekt
+      run: ./gradlew detekt || true
+
+    - name: Upload Detekt results
+      uses: actions/upload-artifact@v4
+      if: always()
+      with:
+        name: detekt-results
+        path: build/reports/detekt/
+
+  coverage:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Cache Gradle packages
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Grant execute permission for gradlew
+      run: chmod +x gradlew
+
+    - name: Run tests with coverage
+      run: ./gradlew test jacocoTestReport
+
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@v3
+      with:
+        file: build/reports/jacoco/test/jacocoTestReport.xml
+        fail_ci_if_error: false
+
+    - name: Upload coverage artifacts
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-reports
+        path: build/reports/jacoco/
+
+  build-validation:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Set up JDK 17
+      uses: actions/setup-java@v4
+      with:
+        java-version: '17'
+        distribution: 'temurin'
+
+    - name: Cache Gradle packages
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.gradle/caches
+          ~/.gradle/wrapper
+        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }}
+        restore-keys: |
+          ${{ runner.os }}-gradle-
+
+    - name: Grant execute permission for gradlew
+      run: chmod +x gradlew
+
+    - name: Validate Gradle wrapper
+      uses: gradle/wrapper-validation-action@v2
+
+    - name: Check build scripts
+      run: ./gradlew build -x test --dry-run