Real-Time-AI-ML-Based-Phishing-Detection-and-Prevention-System/.github/workflows/backend-ci.yml at master · HarshdeepAthawale/Real-Time-AI-ML-Based-Phishing-Detection-and-Prevention-System · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
name: Backend CI/CD Pipeline

on:
  push:
    branches: [main, develop]
    paths:
      - 'backend/**'
      - '.github/workflows/backend-ci.yml'
  pull_request:
    branches: [main, develop]
    paths:
      - 'backend/**'
      - '.github/workflows/backend-ci.yml'

env:
  AWS_REGION: ap-south-1
  ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.ap-south-1.amazonaws.com

jobs:
  lint-and-test:
    name: Lint & Test
    runs-on: ubuntu-latest

    strategy:
      matrix:
        include:
          - service: api-gateway
            path: backend/api-gateway
          - service: detection-api
            path: backend/core-services/detection-api
          - service: threat-intel
            path: backend/core-services/threat-intel
          - service: extension-api
            path: backend/core-services/extension-api
          - service: sandbox-service
            path: backend/core-services/sandbox-service
          - service: learning-pipeline
            path: backend/core-services/learning-pipeline

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: ${{ matrix.path }}/package-lock.json

      - name: Install dependencies
        working-directory: ${{ matrix.path }}
        run: npm ci

      - name: Run linter
        working-directory: ${{ matrix.path }}
        run: npm run lint || true

      - name: Run tests
        working-directory: ${{ matrix.path }}
        run: npm test || npm run test:unit || echo "No tests"

  build-docker-images:
    name: Build Docker Images
    runs-on: ubuntu-latest
    needs: lint-and-test

    strategy:
      matrix:
        service:
          - api-gateway
          - detection-api
          - threat-intel
          - extension-api
          - sandbox-service
          - learning-pipeline
          - nlp-service
          - url-service
          - visual-service

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        env:
          ECR_REPOSITORY: phishing-detection-${{ matrix.service }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          if [[ "${{ matrix.service }}" == "nlp-service" || "${{ matrix.service }}" == "url-service" || "${{ matrix.service }}" == "visual-service" ]]; then
            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest -f backend/ml-services/${{ matrix.service }}/Dockerfile backend/ml-services/${{ matrix.service }}/
          elif [[ "${{ matrix.service }}" == "detection-api" || "${{ matrix.service }}" == "threat-intel" || "${{ matrix.service }}" == "extension-api" || "${{ matrix.service }}" == "sandbox-service" || "${{ matrix.service }}" == "learning-pipeline" ]]; then
            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest -f backend/core-services/${{ matrix.service }}/Dockerfile backend/
          elif [[ "${{ matrix.service }}" == "api-gateway" ]]; then
            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest -f backend/api-gateway/Dockerfile backend/
          else
            docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest backend/${{ matrix.service }}/
          fi
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build-docker-images

    strategy:
      matrix:
        service:
          - api-gateway
          - detection-api
          - threat-intel
          - extension-api
          - sandbox-service
          - learning-pipeline
          - nlp-service
          - url-service
          - visual-service

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        uses: aws-actions/amazon-ecr-login@v2

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.ECR_REGISTRY }}/phishing-detection-${{ matrix.service }}:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

  terraform-plan:
    name: Terraform Plan
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.5.0

      - name: Terraform Init
        working-directory: backend/infrastructure/terraform
        run: terraform init

      - name: Terraform Format Check
        working-directory: backend/infrastructure/terraform
        run: terraform fmt -check

      - name: Terraform Validate
        working-directory: backend/infrastructure/terraform
        run: terraform validate

      - name: Terraform Plan
        working-directory: backend/infrastructure/terraform
        env:
          TF_VAR_db_password: ${{ secrets.TF_VAR_DB_PASSWORD }}
        run: |
          terraform plan \
            -var-file=environments/dev.tfvars \
            -out=tfplan

  deploy-dev:
    name: Deploy to Development
    runs-on: ubuntu-latest
    needs: [build-docker-images, security-scan]
    if: github.ref == 'refs/heads/develop' && github.event_name == 'push'
    environment: development

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.5.0

      - name: Terraform Apply
        working-directory: backend/infrastructure/terraform
        env:
          TF_VAR_db_password: ${{ secrets.TF_VAR_DB_PASSWORD }}
        run: |
          terraform init
          terraform apply -auto-approve -var-file=environments/dev.tfvars

      - name: Update ECS Service
        run: |
          CLUSTER="phishing-detection-cluster-dev"
          for svc in api-gateway detection-api threat-intel extension-api sandbox-service; do
            aws ecs update-service --cluster $CLUSTER --service phishing-detection-$svc-dev --force-new-deployment --region ${{ env.AWS_REGION }} 2>/dev/null || true
          done

  smoke-test:
    name: Smoke Test
    runs-on: ubuntu-latest
    needs: lint-and-test
    if: github.event_name == 'push' || github.event_name == 'pull_request'

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Start infrastructure and core services
        working-directory: backend
        env:
          POSTGRES_PASSWORD: postgres_dev
        run: |
          docker compose up -d postgres mongodb redis nlp-service url-service visual-service api-gateway detection-api
          echo "Waiting for services (120s)..."
          sleep 120

      - name: Run smoke test
        env:
          TEST_API_KEY: ${{ secrets.TEST_API_KEY }}
        run: |
          chmod +x scripts/smoke-test.sh
          ./scripts/smoke-test.sh http://localhost:3000 "$TEST_API_KEY" || \
          ./scripts/smoke-test.sh http://localhost:3001 "$TEST_API_KEY" || \
          echo "Smoke test skipped (services may need ML services); run locally: docker compose up && ./scripts/smoke-test.sh"

  integration-tests:
    name: Integration Tests
    runs-on: ubuntu-latest
    needs: smoke-test
    if: github.event_name == 'push' || github.event_name == 'pull_request'

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Start services (reuse smoke-test stack)
        working-directory: backend
        env:
          POSTGRES_PASSWORD: postgres_dev
        run: |
          docker compose up -d postgres mongodb redis nlp-service url-service visual-service threat-intel api-gateway detection-api
          echo "Waiting for services (90s)..."
          sleep 90

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: backend/core-services/detection-api/package-lock.json

      - name: Install and run integration tests
        working-directory: backend/core-services/detection-api
        env:
          DETECTION_API_URL: http://localhost:3001
          THREAT_INTEL_URL: http://localhost:3002
          NLP_SERVICE_URL: http://localhost:8000
          URL_SERVICE_URL: http://localhost:8001
          VISUAL_SERVICE_URL: http://localhost:8002
          # Use TEST_API_KEY secret if set; otherwise seeded key from 003_seed_api_key.sql
          TEST_API_KEY: ${{ secrets.TEST_API_KEY }}
        run: |
          npm ci
          npm run test:integration -- --passWithNoTests

  deploy-prod:
    name: Deploy to Production
    runs-on: ubuntu-latest
    needs: [build-docker-images, security-scan]
    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
    environment: production

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.5.0

      - name: Terraform Apply
        working-directory: backend/infrastructure/terraform
        env:
          TF_VAR_db_password: ${{ secrets.TF_VAR_DB_PASSWORD_PROD }}
        run: |
          terraform init
          terraform apply -auto-approve -var-file=environments/prod.tfvars

      - name: Update ECS Service
        run: |
          CLUSTER="phishing-detection-cluster-prod"
          for svc in api-gateway detection-api threat-intel extension-api sandbox-service; do
            aws ecs update-service --cluster $CLUSTER --service phishing-detection-$svc-prod --force-new-deployment --region ${{ env.AWS_REGION }} 2>/dev/null || true
          done