From 19cd6ed956747899f9defebf53de3cc65aaa3b8e Mon Sep 17 00:00:00 2001 From: pedro Date: Fri, 8 May 2026 11:17:15 +0100 Subject: [PATCH] ci: versao final e segura do projeto para producao
---
 .gitea/workflows/deploy.yaml | 70 +++++++++++++++++++++++++++++------- forcar_trigger.txt | 1 + index.html | 1 + trigger.txt | 1 + 4 files changed, 60 insertions(+), 13 deletions(-) create mode 100644 forcar_trigger.txt create mode 100644 trigger.txt
diff --git a/.gitea/workflows/deploy.yaml b/.gitea/workflows/deploy.yaml
index 72f3213..6f0c8dd 100644
--- a/.gitea/workflows/deploy.yaml
+++ b/.gitea/workflows/deploy.yaml
@@ -1,19 +1,63 @@ -name: Deploy do Site -on: [push] +name: "DevSecOps Enterprise Pipeline" +on: + push: + branches: [ main ] + jobs: - deploy: + security-gate: runs-on: ubuntu-latest steps: - - name: Checkout do código + - name: Checkout Code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + +<<<<<<< HEAD + # 1. SCA - Verifica vulnerabilidades no Nginx +======= + # 1. SECRET SCANNING (Desativado temporariamente) + - name: Gitleaks Scan + run: | + curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp + /tmp/gitleaks detect --source . --verbose --redact --exit-code 1 + + # 2. SCA - Verifica vulnerabilidades no Nginx +>>>>>>> 8c9be4c (ativar gitleaks) + - name: Scan Docker Image Vulnerabilities (Trivy) + run: | + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin + trivy image --severity HIGH,CRITICAL nginx:alpine + + # 2. SAST - Análise de Código com SonarQube + - name: SonarQube Analysis + run: | + curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip + unzip -q sonar-scanner.zip + ./sonar-scanner-5.0.1.3006-linux/bin/sonar-scanner \ + -Dsonar.projectKey=website-test \ + -Dsonar.sources=. \ + -Dsonar.host.url=http://51.89.40.2:9000 \ + -Dsonar.token=${{ secrets.SONAR_TOKEN }} + + deploy: + needs: security-gate + runs-on: ubuntu-latest + steps: + - name: Checkout Code uses: actions/checkout@v3 - - name: Copiar e Corrigir Permissões + # 3. DEPLOY ATÓMICO E HARDENING + - name: Hardened Deploy run: | - # 1. Limpa os ficheiros antigos - docker exec website-test-backend rm -rf /usr/share/nginx/html/* - - # 2. Copia os novos ficheiros - docker cp . website-test-backend:/usr/share/nginx/html/ - - # 3. 
FIX: Garante permissões de leitura para o Nginx (o "porteiro") - docker exec website-test-backend chmod -R 755 /usr/share/nginx/html/
\ No newline at end of file
+ docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true + docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*" + docker cp index.html website-test-backend:/usr/share/nginx/html/index.html + docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html + docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html + curl --silent --show-error --fail http://localhost:80 || exit 1 + + # 4. AUDITORIA DE DEPLOY + - name: Slack/Discord Notification + if: always() + run: | + echo "Deploy finalizado com status: ${{ job.status }}"
\ No newline at end of file
diff --git a/forcar_trigger.txt b/forcar_trigger.txt new file mode 100644
index 0000000..68a7b47
--- /dev/null
+++ b/forcar_trigger.txt
@@ -0,0 +1 @@
+"atualizacao-pipelines"
diff --git a/index.html b/index.html
index 9d2ea32..f17367b 100644
--- a/index.html
+++ b/index.html
@@ -7,6 +7,7 @@
+
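Review bot: The new deploy.yaml still carries unresolved merge-conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> 8c9be4c (ativar gitleaks)` between the checkout step and the Trivy step, so the committed workflow is almost certainly not parseable YAML and will be rejected before any job runs; resolve the conflict (keep the Gitleaks step and a single copy of the SCA comment, and fix its "(Desativado temporariamente)" comment, which contradicts the active step) before merging. The `security-gate` job does not actually gate: `trivy image --severity HIGH,CRITICAL nginx:alpine` returns 0 even when findings exist unless it is written as `trivy image --exit-code 1 --severity HIGH,CRITICAL nginx:alpine`, and it scans the upstream `nginx:alpine` image rather than whatever image `website-test-backend` is actually running, which is worth confirming. The SonarQube step passes `secrets.SONAR_TOKEN` as a command-line argument to an `http://` host, so the token travels in cleartext and is visible in process listings and any verbose log; provide it through the `SONAR_TOKEN` environment variable that sonar-scanner reads (`env: { SONAR_TOKEN: "${{ secrets.SONAR_TOKEN }}" }` on the step) and point `sonar.host.url` at a TLS endpoint. The Trivy installer is fetched from the `main` branch and the Gitleaks and sonar-scanner archives are extracted without any checksum verification, which is a supply-chain exposure for a pipeline whose deploy job has `docker exec` access to the production container; pin each tool to a release and verify a published checksum before extracting. The backup tarball written to `/tmp/index_backup.tar.gz` is never restored when the `curl --fail` health check on `localhost:80` fails, so the "atomic" deploy leaves the container empty on error.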