Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions .github/workflows/docker-compose-integration.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
name: Docker Compose Integration

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

No explicit permissions set for at the workflow level (...read more)

Default permissions for the GITHUB_TOKEN are expected to be restricted (contents:read, metadata:read, and packages:read).

Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.

You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.

View in Datadog  Leave us feedback  Documentation


on:
pull_request:
branches: [ main ]

permissions:
contents: read

jobs:
docker-compose-integration:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

View in Datadog  Leave us feedback  Documentation


- name: Start services
run: docker compose up -d

- name: Wait for services to be healthy
run: |
echo "Waiting for all services to be healthy..."
# Wait for services with health checks to be healthy (4 services) and all services to be up
timeout 300 bash -c 'until [ $(docker compose ps --format "{{.Health}}" | grep -c "healthy") -ge 4 ] && [ $(docker compose ps --format "{{.Status}}" | grep -c "Up") -ge 5 ]; do sleep 5; done'
docker compose ps

- name: Test dashboard endpoints
run: |
curl -f http://localhost:8081/dashboard/ || exit 1
curl -f http://localhost:8082 || exit 1

- name: Test API endpoints
run: |
# Test sticker award API with sample user data
curl -f -X GET "http://localhost:8080/api/award/v1/users/user-001/stickers" || exit 1
# TODO!
# curl -f -X GET "http://localhost:8080/api/users/v1/health" || exit 1

- name: Show service logs on failure
if: failure()
run: |
echo "=== Docker Compose Services Status ==="
docker compose ps
echo "=== Traefik Logs ==="
docker compose logs traefik
echo "=== Sticker Award Logs ==="
docker compose logs sticker-award
echo "=== User Management Logs ==="
docker compose logs user-management
echo "=== Database Logs ==="
docker compose logs sticker-award-db
docker compose logs user-management-db

- name: Cleanup
if: always()
run: docker compose down -v
4 changes: 4 additions & 0 deletions .github/workflows/user-management-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,12 @@ name: User Management Tests
on:
push:
branches: ["main"]
paths:
- "user-management/**"
pull_request:
branches: ["main"]
paths:
- "user-management/**"
workflow_dispatch:

jobs:
Expand Down