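---
# PyGuardian Drone CI configuration.
#
# Three pipelines live in this file:
#   1. pyguardian-ci         — lint, test, build, scan and release on push / PR / tag
#   2. nightly-security-scan — cron-driven dependency and container scans
#   3. docs-deployment       — publish the docs from main when documentation changes
kind: pipeline
type: docker
name: pyguardian-ci

platform:
  os: linux
  arch: amd64

# Build triggers
# NOTE(review): tag events carry no branch; confirm the branch filter does not
# exclude them, because every release step below is gated on `event: tag`.
trigger:
  branch:
    - main
    - develop
  event:
    - push
    - pull_request
    - tag

# Global environment variables
# NOTE(review): neither value is referenced by a step below; every step pins
# python:3.11-slim directly.
environment:
  PYTHON_VERSION: "3.11"
  POETRY_VERSION: "1.7.0"

steps:
  # Code quality and testing pipeline
  - name: lint-and-test
    image: python:3.11-slim
    environment:
      PYTHONPATH: /drone/src
    commands:
      # Install system dependencies
      - apt-get update && apt-get install -y git curl
      # Install Python dependencies
      - pip install --upgrade pip
      - pip install -r requirements.txt
      - pip install pytest pytest-asyncio pytest-cov flake8 black mypy
      # Code formatting check
      - black --check src/ tests/
      # Lint code
      - flake8 src/ --max-line-length=88 --extend-ignore=E203,W503
      # Type checking
      - mypy src/ --ignore-missing-imports
      # Run unit tests with coverage
      - pytest tests/unit/ -v --cov=src --cov-report=xml --cov-report=term
      # Security check for dependencies (this step has no `failure: ignore`,
      # so a known-vulnerable dependency fails the build)
      - pip install safety
      - safety check

  # Integration tests
  - name: integration-tests
    image: python:3.11-slim
    environment:
      PYTHONPATH: /drone/src
      TEST_DATABASE_URL: "sqlite:///tmp/test.db"
    commands:
      - apt-get update && apt-get install -y iptables curl
      - pip install -r requirements.txt
      - pip install pytest pytest-asyncio
      - pytest tests/integration/ -v
    depends_on:
      - lint-and-test

  # Build Docker images
  # Images are tagged with the short commit SHA so the scan and push steps can
  # find them on the shared host daemon.
  - name: build-docker-images
    image: docker:24-dind
    environment:
      DOCKER_BUILDKIT: "1"  # quoted: environment values are strings, not YAML ints
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      # Build controller image
      - docker build -f deployment/docker/Dockerfile --target controller -t pyguardian:controller-${DRONE_COMMIT_SHA:0:8} .
      # Build agent image
      - docker build -f deployment/docker/Dockerfile --target agent -t pyguardian:agent-${DRONE_COMMIT_SHA:0:8} .
      # Build standalone image
      - docker build -f deployment/docker/Dockerfile --target standalone -t pyguardian:standalone-${DRONE_COMMIT_SHA:0:8} .
      # Test images can start
      - timeout 30 docker run --rm pyguardian:standalone-${DRONE_COMMIT_SHA:0:8} python --version
    depends_on:
      - integration-tests

  # Security scanning
  - name: security-scan
    image: aquasec/trivy:latest
    # The images live on the host daemon, so trivy needs the same socket to find
    # them; without it the scan has nothing to inspect and `failure: ignore`
    # below would silently hide that.
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      # Scan for vulnerabilities in built images
      # NOTE(review): the standalone image is built but not scanned here.
      - trivy image --no-progress --severity HIGH,CRITICAL pyguardian:controller-${DRONE_COMMIT_SHA:0:8}
      - trivy image --no-progress --severity HIGH,CRITICAL pyguardian:agent-${DRONE_COMMIT_SHA:0:8}
    depends_on:
      - build-docker-images
    # Don't fail build on security issues, but report them
    # NOTE(review): combined with trivy's default exit code of 0, HIGH/CRITICAL
    # findings never block a release; revisit once the baseline is clean.
    failure: ignore

  # End-to-end tests
  - name: e2e-tests
    # NOTE(review): this image is not known to ship a python interpreter, so the
    # test runner command below probably fails — confirm, or run the test from a
    # python image against the compose stack.
    image: docker/compose:latest
    environment:
      COMPOSE_FILE: deployment/docker/docker-compose.yml
      TELEGRAM_BOT_TOKEN: test_token
      CLUSTER_SECRET: test_secret
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      # Start services
      - docker-compose -f deployment/docker/docker-compose.yml up -d
      # Wait for services to be ready
      - sleep 30
      # Run E2E tests, then always tear the stack down: Drone stops at the first
      # failing command, so without this a failed run leaves the compose
      # containers running on the host. The test's exit status is preserved.
      - |
        rc=0
        python tests/e2e/test_cluster_communication.py || rc=$?
        docker-compose -f deployment/docker/docker-compose.yml down -v
        exit $rc
    depends_on:
      - build-docker-images
    failure: ignore  # E2E tests are flaky in CI

  # Documentation build
  - name: build-docs
    image: python:3.11-slim
    commands:
      - pip install mkdocs mkdocs-material
      - mkdocs build --strict
    depends_on:
      - lint-and-test

  # Package creation
  - name: create-packages
    image: python:3.11-slim
    commands:
      # Create installation package.
      # Folded scalar (>-) joins the lines with a space; a trailing backslash in a
      # plain scalar would be folded into "\ src/" and make tar look for a file
      # named " src/".
      # NOTE(review): the nested default `${DRONE_TAG:-${DRONE_COMMIT_SHA:0:8}}`
      # depends on Drone's substitution supporting nesting — confirm on a
      # non-tag build.
      - >-
        tar -czf pyguardian-${DRONE_TAG:-${DRONE_COMMIT_SHA:0:8}}.tar.gz
        src/ config/ main.py requirements.txt deployment/scripts/
      # Create checksums
      - sha256sum pyguardian-${DRONE_TAG:-${DRONE_COMMIT_SHA:0:8}}.tar.gz > checksums.txt
    depends_on:
      - build-docker-images
      - build-docs

  # Release workflow (only on tags)
  - name: docker-registry-push
    image: docker:24-dind
    environment:
      REGISTRY:
        from_secret: docker_registry
      REGISTRY_USERNAME:
        from_secret: docker_username
      REGISTRY_PASSWORD:
        from_secret: docker_password
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      # Login to registry. The password is fed on stdin rather than via -p so it
      # never appears in the process arguments or the shell trace.
      - echo "$REGISTRY_PASSWORD" | docker login -u "$REGISTRY_USERNAME" --password-stdin "$REGISTRY"
      # Tag and push images
      - docker tag pyguardian:controller-${DRONE_COMMIT_SHA:0:8} $REGISTRY/pyguardian:controller-${DRONE_TAG}
      - docker tag pyguardian:agent-${DRONE_COMMIT_SHA:0:8} $REGISTRY/pyguardian:agent-${DRONE_TAG}
      - docker tag pyguardian:standalone-${DRONE_COMMIT_SHA:0:8} $REGISTRY/pyguardian:standalone-${DRONE_TAG}
      - docker push $REGISTRY/pyguardian:controller-${DRONE_TAG}
      - docker push $REGISTRY/pyguardian:agent-${DRONE_TAG}
      - docker push $REGISTRY/pyguardian:standalone-${DRONE_TAG}
      # Also tag as latest if this is a release (the `when: event: tag` condition
      # below already guarantees DRONE_TAG is set; the guard is belt and braces).
      - |
        if [ "$DRONE_TAG" != "" ]; then
          docker tag pyguardian:controller-${DRONE_COMMIT_SHA:0:8} $REGISTRY/pyguardian:controller-latest
          docker tag pyguardian:agent-${DRONE_COMMIT_SHA:0:8} $REGISTRY/pyguardian:agent-latest
          docker tag pyguardian:standalone-${DRONE_COMMIT_SHA:0:8} $REGISTRY/pyguardian:standalone-latest
          docker push $REGISTRY/pyguardian:controller-latest
          docker push $REGISTRY/pyguardian:agent-latest
          docker push $REGISTRY/pyguardian:standalone-latest
        fi
    depends_on:
      - create-packages
    when:
      event:
        - tag

  # GitHub Release
  - name: github-release
    image: plugins/github-release
    settings:
      api_key:
        from_secret: github_token
      files:
        - pyguardian-*.tar.gz
        - checksums.txt
      title: "PyGuardian ${DRONE_TAG}"
      # NOTE(review): ${REGISTRY} is only defined as a secret on the push step,
      # so it is probably not substituted in this note — confirm the rendered
      # release text. checksums.txt is attached but the instructions below do
      # not ask the user to verify the tarball against it.
      note: |
        ## PyGuardian Release ${DRONE_TAG}

        ### Features
        - Advanced agent authentication with JWT tokens
        - Centralized cluster management
        - Secure API endpoints for agent communication
        - Docker containerization support

        ### Installation
        ```bash
        # Download and extract
        wget https://github.com/SmartSolTech/PyGuardian/releases/download/${DRONE_TAG}/pyguardian-${DRONE_TAG}.tar.gz
        tar -xzf pyguardian-${DRONE_TAG}.tar.gz

        # Install
        sudo ./deployment/scripts/install.sh
        ```

        ### Docker
        ```bash
        # Pull images
        docker pull ${REGISTRY}/pyguardian:controller-${DRONE_TAG}
        docker pull ${REGISTRY}/pyguardian:agent-${DRONE_TAG}

        # Run with docker-compose
        curl -O https://raw.githubusercontent.com/SmartSolTech/PyGuardian/${DRONE_TAG}/deployment/docker/docker-compose.yml
        docker-compose up -d
        ```
    depends_on:
      - docker-registry-push
    when:
      event:
        - tag

  # Deployment notification
  - name: notify-deployment
    image: plugins/webhook
    settings:
      urls:
        from_secret: deployment_webhook
      content_type: application/json
      # NOTE(review): ${DRONE_COMMIT_MESSAGE} is substituted verbatim into the
      # JSON body; a message containing quotes or newlines yields an invalid
      # payload — confirm the plugin escapes it.
      template: |
        {
          "text": "🚀 PyGuardian ${DRONE_TAG:-${DRONE_COMMIT_SHA:0:8}} deployed successfully!",
          "attachments": [{
            "color": "good",
            "fields": [{
              "title": "Version",
              "value": "${DRONE_TAG:-${DRONE_COMMIT_SHA:0:8}}",
              "short": true
            }, {
              "title": "Commit",
              "value": "${DRONE_COMMIT_MESSAGE}",
              "short": false
            }]
          }]
        }
    depends_on:
      - github-release
    when:
      status:
        - success
      event:
        - tag

# Volumes for Docker in Docker
# Host volumes require the repository to be marked trusted in Drone. Because the
# trigger above includes pull_request, any step that mounts this socket runs PR
# code with control of the host's docker daemon — scope that to trusted
# contributors or drop the pull_request event for socket-mounting steps.
volumes:
  - name: docker-sock
    host:
      path: /var/run/docker.sock

---
# Separate pipeline for nightly builds
kind: pipeline
type: docker
name: nightly-security-scan

trigger:
  cron:
    - nightly-security

steps:
  - name: dependency-security-scan
    image: python:3.11-slim
    commands:
      - pip install safety bandit semgrep
      # Each scanner is best-effort (`|| true`): the reports are collected and
      # uploaded even when findings exist, so a failed scan never hides the others.
      # Check for known vulnerable dependencies
      - safety check --json --output safety-report.json || true
      # Static security analysis
      - bandit -r src/ -f json -o bandit-report.json || true
      # Semgrep security rules
      - semgrep --config=auto src/ --json --output semgrep-report.json || true
      # Upload results to security dashboard
      - python deployment/scripts/upload-security-reports.py

  # Build fresh images. The trivy image has no docker CLI and the python image
  # has no trivy, so build, scan and upload are split into one step each, as the
  # main pipeline does; they share the workspace, so trivy-report.json carries
  # over to the upload step.
  - name: build-scan-image
    image: docker:24-dind
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      - docker build -t pyguardian:security-scan .

  - name: container-security-scan
    image: aquasec/trivy:latest
    volumes:
      - name: docker-sock
        path: /var/run/docker.sock
    commands:
      # Comprehensive vulnerability scan
      - trivy image --format json --output trivy-report.json pyguardian:security-scan
    depends_on:
      - build-scan-image

  - name: upload-trivy-report
    image: python:3.11-slim
    commands:
      # Upload to security dashboard
      - python deployment/scripts/upload-trivy-report.py
    depends_on:
      - container-security-scan

volumes:
  - name: docker-sock
    host:
      path: /var/run/docker.sock

---
# Documentation deployment pipeline
kind: pipeline
type: docker
name: docs-deployment

# NOTE(review): path conditions are not part of core Drone triggers and need the
# path-changes extension enabled on the server — confirm, otherwise this
# pipeline runs on every push to main.
trigger:
  branch:
    - main
  path:
    include:
      - "documentation/**"
      - "*.md"

steps:
  - name: build-and-deploy-docs
    image: python:3.11-slim
    environment:
      GITHUB_TOKEN:
        from_secret: github_token
    commands:
      - pip install mkdocs mkdocs-material mkdocs-git-revision-date-localized-plugin
      # NOTE(review): gh-deploy pushes over the clone's git remote; nothing here
      # wires GITHUB_TOKEN into that push — confirm the remote is authenticated.
      - mkdocs gh-deploy --force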