Modificar .gitea/workflows/deploy.yaml

deploy updated

.gitea/workflows/deploy.yaml

@@ -13,22 +13,22 @@ jobs:
           fetch-depth: 0
 
       # ==========================================
-      # ETAPA 1: TESTES ESTÁTICOS DE SEGURANÇA
+      # STAGE 1: STATIC SECURITY TESTING (SAST, SCA)
       # ==========================================
 
-      # 1.1. SECRET SCANNING (Protege contra novas fugas de chaves)
+      # 1.1. Secret Scanning: Detect hardcoded secrets and credentials
       - name: Gitleaks Scan
         run: |
           curl -sL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz | tar -xz -C /tmp
           /tmp/gitleaks protect --source . --verbose --redact --staged --exit-code 1
 
-      # 1.2. SCA - Verifica vulnerabilidades conhecidas no Nginx
+      # 1.2. Software Composition Analysis (SCA): Check for infrastructure vulnerabilities
       - name: Scan Docker Image Vulnerabilities (Trivy)
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
           trivy image --severity HIGH,CRITICAL nginx:alpine
 
-      # 1.3. SAST - Análise de Código Fonte
+      # 1.3. Static Application Security Testing (SAST): Source code quality and security
       - name: SonarQube Analysis
         run: |
           curl -sL https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip -o sonar-scanner.zip
@@ -41,40 +41,41 @@ jobs:
             -Dsonar.qualitygate.wait=true
 
       # ==========================================
-      # ETAPA 2: SANDBOX (AMBIENTE DE TESTE DINÂMICO)
+      # STAGE 2: DYNAMIC TEST ENVIRONMENT
       # ==========================================
 
-      - name: Criar Sandbox Temporária
+      - name: Provision Ephemeral Sandbox
         run: |
-          # Remover qualquer resíduo de sandbox anterior
+          # Remove any residual sandbox containers
           docker rm -f website-test-sandbox || true
           
-          # Criamos a Sandbox. Como o ZAP vai aceder pela rede interna do Docker, 
-          # já não precisamos de expor portas para o exterior (muito mais seguro)!
+          # Deploy sandbox. Using Docker internal network prevents external exposure.
           docker run -d --name website-test-sandbox nginx:alpine
           
-          # Copiar o index.html atual para a Sandbox
+          # Copy the current codebase to the sandbox container
           docker cp index.html website-test-sandbox:/usr/share/nginx/html/index.html
           
-          # Aguardar 5 segundos para o servidor Nginx iniciar
+          # Allow Nginx service to initialize
           sleep 5
 
       # ==========================================
-      # ETAPA 3: DAST - TESTE DINÂMICO (OWASP ZAP)
+      # STAGE 3: DYNAMIC APPLICATION SECURITY TESTING
       # ==========================================
 
       - name: OWASP ZAP Baseline Scan
         run: |
+          # Initialize test report directory
           mkdir -p qatests
           
-          # LIMPEZA PREVENTIVA
+          # PREVENTIVE CLEANUP: Ensure no leftover containers or volumes exist
           docker rm -f zap-scanner || true
           docker volume rm zap-reports || true
           
-          # Criamos um volume Docker gerido pelo motor do Docker para evitar conflitos de pastas
+          # Create a managed Docker volume to prevent host/runner path conflicts
           docker volume create zap-reports
           
-          # Corremos o ZAP montando esse volume oficial
+          # Execute ZAP scan mounting the managed volume. 
+          # The '-I' flag ensures the pipeline doesn't fail on warnings.
           docker run --user root --name zap-scanner \
             --link website-test-sandbox:website-test-sandbox \
             -v zap-reports:/zap/wrk/:rw \
@@ -83,60 +84,60 @@ jobs:
             -r report.html \
             -I || true
           
-          # O Docker CP consegue extrair o ficheiro diretamente do container para a pasta local do runner!
+          # Extract the HTML report from the ZAP container to the runner workspace
           docker cp zap-scanner:/zap/wrk/report.html qatests/report.html
           
-          # Limpamos o container e o volume para não ocupar espaço no servidor
+          # Teardown ZAP container and volume to free up resources
           docker rm -f zap-scanner || true
           docker volume rm zap-reports || true
 
-      # Garante que a Sandbox é desmantelada mesmo que o passo do ZAP falhe
-      - name: Destruir Sandbox
+      # Ensure sandbox is destroyed even if previous DAST steps fail
+      - name: Teardown Ephemeral Sandbox
         if: always()
         run: |
           docker rm -f website-test-sandbox || true
 
       # ==========================================
-      # ETAPA 4: DEPLOY EM PRODUÇÃO (SÓ SE TUDO PASSAR)
+      # STAGE 4: PRODUCTION DEPLOYMENT
       # ==========================================
 
-      - name: Hardened Deploy (Produção - Porta 3000)
+      - name: Hardened Production Deployment
         run: |
-          # Backup do ficheiro anterior em Produção
+          # Create a backup of the current production state
           docker exec website-test-backend tar -czf /tmp/index_backup.tar.gz -C /usr/share/nginx/html index.html || true
           
-          # Limpar a pasta de produção e copiar o novo código aprovado
+          # Clear the production directory and deploy the approved artifact
           docker exec website-test-backend sh -c "rm -rf /usr/share/nginx/html/*"
           docker cp index.html website-test-backend:/usr/share/nginx/html/index.html
           
-          # Aplicar Hardening de permissões
+          # Apply strict file system permissions (Hardening)
           docker exec website-test-backend chown root:root /usr/share/nginx/html/index.html
           docker exec website-test-backend chmod 444 /usr/share/nginx/html/index.html
           
-          # Testar se o site responde localmente em produção
+          # Healthcheck: Verify local response from the production container
           docker exec website-test-backend curl --silent --show-error --fail http://localhost:80 || exit 1
 
-    # ==========================================
-      # ETAPA 5: ARTEFACTOS E EXPOSIÇÃO DO RELATÓRIO
+      # ==========================================
+      # STAGE 5: ARTIFACT MANAGEMENT & REPORTING
       # ==========================================
       
-      - name: Publicar Relatorio no Site (Bypass Gitea Bug)
+      - name: Publish ZAP Report to Production Web Server
         if: always()
         run: |
-          # Copia o relatório do ZAP diretamente para a pasta pública do teu Nginx em produção!
-          # Ficará acessível em: http://51.89.40.2:3000/zap-report.html
+          # Host the report directly on the Nginx container to bypass Gitea's artifact download bug
+          # Accessible at: http://51.89.40.2:8080/zap-report.html
           docker cp qatests/report.html website-test-backend:/usr/share/nginx/html/zap-report.html || true
           docker exec website-test-backend chmod 444 /usr/share/nginx/html/zap-report.html || true
 
-      - name: Guardar Relatorio ZAP (Raw HTML)
+      - name: Archive ZAP Report (Raw HTML)
         if: always()
         uses: actions/upload-artifact@v3
         with:
           name: owasp-zap-report
-          # Voltamos a enviar apenas o HTML. Como não é um tar.gz, o Gitea já não deve encravar o download!
+          # Upload the raw HTML file to Gitea Artifacts
           path: qatests/report.html
 
-      - name: Slack/Discord Notification
+      - name: Pipeline Status Notification
         if: always()
         run: |
-          echo "Pipeline finalizada com status: ${{ job.status }}"
+          echo "Pipeline finished with status: ${{ job.status }}"