This document describes the continuous integration and continuous deployment (CI/CD) pipelines for FluxAI.
- Overview
- GitHub Actions Workflows
- Security Scanning
- Docker Image Publishing
- Badge Status
- Secrets Configuration
- Local Testing
FluxAI uses GitHub Actions for automated CI/CD pipelines with two main workflows:
- Security Scan - Vulnerability scanning with Trivy, Safety, and Bandit
- Docker Publish - Build and publish Docker images to GitHub Container Registry
| Workflow | Triggers |
|---|---|
| Security Scan | Push to main/develop, PRs, Daily at 2 AM UTC, Manual |
| Docker Publish | Push to main, Tags (v*..), PRs, Manual |
Purpose: Comprehensive security scanning of code, dependencies, and configurations.
- Scanner: Trivy
- Scan Type: Filesystem (
fs) - Target: Entire repository
- Severity: CRITICAL, HIGH, MEDIUM
- Output: SARIF format uploaded to GitHub Security tab
What it checks:
- Python dependencies in
requirements.txt - Configuration files (YAML, JSON, etc.)
- Infrastructure as Code (Docker, docker-compose)
- Known vulnerabilities in third-party packages
- Scanner: Trivy
- Scan Type: Configuration (
config) - Target: All config files
- Output: Table format in workflow logs
What it checks:
- Dockerfile best practices
- docker-compose.yml security issues
- Misconfigurations in YAML/JSON files
- Secrets exposure risks
- Tools: Safety + Bandit
- Target: Python code and dependencies
Safety:
- Checks
requirements.txtfor known vulnerabilities - Uses Python Package Index vulnerability database
- Reports CVEs and security advisories
Bandit:
- Static code analysis for Python security issues
- Detects common security flaws:
- Hardcoded credentials
- SQL injection vulnerabilities
- Use of insecure functions
- Weak cryptography
- Generates JSON report artifact
View security findings in:
- GitHub Security Tab:
https://github.com/AgentaFlow/fluxai/security - Workflow Artifacts: Bandit JSON reports
- Workflow Logs: Table format scan results
schedule:
- cron: '0 2 * * *' # Daily at 2 AM UTCThis ensures regular vulnerability scanning even when code isn't being changed.
Purpose: Build multi-architecture Docker images and publish to GitHub Container Registry.
Image: ghcr.io/agentaflow/fluxai:latest
Process:
- Checkout code
- Set up Docker Buildx (multi-arch support)
- Login to GitHub Container Registry
- Extract metadata (tags, labels)
- Build and push image
- Scan image with Trivy
- Upload scan results to Security tab
Platforms Built:
linux/amd64(x86_64)linux/arm64(ARM64/Apple Silicon)
Tags Generated:
main- Latest from main branchv1.2.3- Semantic version tagsv1.2- Minor versionv1- Major versionlatest- Latest releasemain-abc1234- Branch with commit SHA
Image: ghcr.io/agentaflow/fluxai-dashboard:latest
Process: Same as API image but uses Dockerfile.dashboard
Purpose: Aggregate build results and report status
Outputs:
- ✅ Success if both images built
- ❌ Failure if any image failed
Images are tagged automatically based on:
| Event | Tag Example | Description |
|---|---|---|
| Push to main | main, latest |
Latest development build |
| Tag v1.2.3 | 1.2.3, 1.2, 1 |
Semantic versioning |
| Pull Request | pr-123 |
PR number |
| Commit | main-abc1234 |
Branch + SHA |
After building, images are scanned with Trivy for:
- OS package vulnerabilities
- Language-specific dependencies (Python, etc.)
- CRITICAL and HIGH severity issues
Results are uploaded to GitHub Security tab with category tags:
docker-api- API image scan resultsdocker-dashboard- Dashboard image scan results
Uses GitHub Actions cache for faster builds:
cache-from: type=gha
cache-to: type=gha,mode=maxBenefits:
- Faster builds (layer caching)
- Reduced build times for unchanged layers
- Lower bandwidth usage
The README displays the following status badges:
[](https://github.com/AgentaFlow/fluxai/actions/workflows/docker-publish.yml)
[](https://github.com/AgentaFlow/fluxai/actions/workflows/security-scan.yml)
[](https://www.python.org/downloads/)
[](https://fastapi.tiangolo.com)
[](https://github.com/AgentaFlow/fluxai/pkgs/container/fluxai)| Badge | Status | Link |
|---|---|---|
| Build and Publish | Shows if Docker builds are passing | Workflow runs |
| Security Scan | Shows if security scans are passing | Security findings |
| Python | Python version requirement | Python downloads |
| FastAPI | Framework used | FastAPI docs |
| Docker | Docker images available | GitHub Packages |
No additional secrets needed! The workflows use:
GITHUB_TOKEN (automatically provided)
- Permissions:
contents: read,packages: write,security-events: write - Used for: GHCR login, uploading SARIF results
For production deployments, you may want:
AWS_ACCESS_KEY_ID - AWS credentials for Bedrock access AWS_SECRET_ACCESS_KEY - AWS secret key SLACK_WEBHOOK - Notifications on build failures DOCKER_HUB_TOKEN - If publishing to Docker Hub
Add secrets at: https://github.com/AgentaFlow/fluxai/settings/secrets/actions
# Install Trivy
brew install trivy # macOS
# or
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
# Run filesystem scan
trivy fs . --severity CRITICAL,HIGH,MEDIUM --ignore-unfixed
# Generate SARIF report
trivy fs . --format sarif --output trivy-results.sariftrivy config . --severity CRITICAL,HIGH,MEDIUMpip install safety
safety check --jsonpip install bandit
bandit -r app/ -f screen
bandit -r app/ -f json -o bandit-report.json# Build for current platform
docker build -t fluxai-api:local -f Dockerfile .
# Build multi-arch (requires buildx)
docker buildx create --use
docker buildx build --platform linux/amd64,linux/arm64 -t fluxai-api:local -f Dockerfile .
# Scan built image
trivy image fluxai-api:local --severity CRITICAL,HIGHdocker build -t fluxai-dashboard:local -f Dockerfile.dashboard .
trivy image fluxai-dashboard:local --severity CRITICAL,HIGH# Build all images locally
docker-compose build
# Run security scan on all images
docker images --format "{{.Repository}}:{{.Tag}}" | grep fluxai | xargs -I {} trivy image {}
# Start stack
docker-compose up -d
# Verify health
docker-compose psBoth workflows can be triggered manually:
- Go to Actions tab
- Select workflow (Security Scan or Docker Publish)
- Click Run workflow
- Select branch
- Click Run workflow button
Both workflows run automatically on PRs to:
- Verify security
- Test Docker builds
- Prevent merging vulnerable code
Note: Images are built but not pushed on PRs.
To publish a new version:
-
Tag a release:
git tag -a v1.2.3 -m "Release version 1.2.3" git push origin v1.2.3 -
Workflow automatically:
- Builds images
- Tags with
1.2.3,1.2,1,latest - Pushes to GitHub Container Registry
- Scans for vulnerabilities
-
Pull published images:
docker pull ghcr.io/agentaflow/fluxai:1.2.3 docker pull ghcr.io/agentaflow/fluxai-dashboard:1.2.3
# Login (if repository is private)
echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
# Pull API image
docker pull ghcr.io/agentaflow/fluxai:latest
# Pull Dashboard image
docker pull ghcr.io/agentaflow/fluxai-dashboard:latest
# Pull specific version
docker pull ghcr.io/agentaflow/fluxai:1.2.3services:
api:
image: ghcr.io/agentaflow/fluxai:latest
# ... rest of config
dashboard:
image: ghcr.io/agentaflow/fluxai-dashboard:latest
# ... rest of configapiVersion: apps/v1
kind: Deployment
metadata:
name: fluxai-api
spec:
template:
spec:
containers:
- name: api
image: ghcr.io/agentaflow/fluxai:1.2.3
imagePullPolicy: IfNotPresentCheck workflow status:
- Actions tab: All workflow runs
- README badges: Quick status overview
- Security tab: Vulnerability findings
- Keep dependencies updated: Regularly update
requirements.txt - Review security findings: Check Security tab weekly
- Test before merging: Ensure workflows pass on PRs
- Use semantic versioning: Tag releases properly (v1.2.3)
- Monitor image sizes: Keep Docker images lean
Workflow fails with permission error:
- Check repository settings → Actions → General → Workflow permissions
- Enable "Read and write permissions"
Security scan finds vulnerabilities:
- Review findings in Security tab
- Update vulnerable dependencies
- Add exceptions for false positives (create
.trivyignore)
Docker build fails:
- Check Dockerfile syntax
- Verify all COPY paths exist
- Test build locally first
Image push fails:
- Verify GITHUB_TOKEN has packages:write permission
- Check if repository allows package publishing
- GitHub Actions Documentation
- Trivy Documentation
- Docker Build Push Action
- GitHub Container Registry
- SARIF Format
Need Help?
- Check workflow logs in Actions tab
- Review Security tab for vulnerability details
- Test workflows locally before pushing
- Consult DOCKER_DEPLOYMENT.md for Docker-specific issues