Skip to content
CI/CD Pipeline

Fix Vercel CLI authentication - add --token flag to all commands #104

Sign in to view logs

Fix Vercel CLI authentication - add --token flag to all commands

Fix Vercel CLI authentication - add --token flag to all commands #104

Workflow file for this run

.github/workflows/ci-cd.yml at 37d56e9
name: CI/CD Pipeline
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main ]
# Deployment solo cuando el usuario lo solicite manualmente
workflow_dispatch:
inputs:
deploy_to_aws:
description: '¿Desplegar a AWS?'
required: true
default: 'false'
type: choice
options:
- 'true'
- 'false'
environment:
description: 'Entorno de deployment'
required: true
default: 'staging'
type: choice
options:
- 'staging'
- 'production'
# Permisos necesarios para AWS OIDC
permissions:
id-token: write # Para AWS OIDC authentication
contents: read # Para hacer checkout del código
env:
AWS_REGION: eu-west-1
ECR_REPOSITORY: neurobank-fastapi
AWS_ACCOUNT_ID: 120242956739
AWS_ROLE_ARN: arn:aws:iam::120242956739:role/GitHubActionsOIDCRole
jobs:
test:
runs-on: ubuntu-latest
# ✅ Variables de entorno para tests
env:
API_KEY: "NeuroBankDemo2025-SecureKey-ForTestingOnly"
ENVIRONMENT: "testing"
CI: "true"
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Run tests with coverage
run: |
python -m pytest --cov=app --cov-report=xml --cov-report=html
- name: Upload coverage to Codecov
uses: codecov/codecov-action@v4
if: always()
with:
files: ./coverage.xml
security:
runs-on: ubuntu-latest
# ✅ Variables de entorno para security checks
env:
API_KEY: "NeuroBankDemo2025-SecureKey-ForTestingOnly"
ENVIRONMENT: "testing"
CI: "true"
steps:
- uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Install security tools
run: pip install bandit safety pytest-cov
- name: Run Bandit (exclude tests from assert checking)
run: |
bandit -r app/ -f json -o bandit-report.json --skip B101 || true
echo "Bandit scan completed - check bandit-report.json for details"
- name: Run Safety scan
run: |
pip freeze > current-requirements.txt
safety scan --json --output safety-report.json --continue-on-error || true
echo "Safety scan completed - check safety-report.json for details"
- name: Upload security reports as artifacts
uses: actions/upload-artifact@v4
if: always()
with:
name: security-reports
path: |
bandit-report.json
safety-report.json
deployment-check:
needs: [test, security]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main'
steps:
- name: Check deployment readiness
run: |
echo "🔍 Checking deployment readiness..."
if [ -z "${{ secrets.AWS_ACCOUNT_ID }}" ]; then
echo ""
echo "⚠️ AWS OIDC NOT CONFIGURED"
echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
echo "To enable automatic deployment, please configure:"
echo ""
echo "1. Go to: https://github.com/${{ github.repository }}/settings/secrets/actions"
echo "2. Add this Repository Secret:"
echo " • AWS_ACCOUNT_ID (your 12-digit AWS account number)"
echo " • API_KEY (for your application - optional)"
echo ""
echo "3. Ensure AWS OIDC role exists:"
echo " • Role name: GitHubActionsOIDCRole"
echo " • Trust policy allows: ${{ github.repository }}"
echo ""
echo "4. Also create an ECR repository named: ${{ env.ECR_REPOSITORY }}"
echo ""
echo "✅ Tests and Security scans completed successfully!"
echo "🚀 Deployment will run automatically once OIDC is configured"
echo ""
else
echo "✅ AWS OIDC is configured - deployment will proceed"
echo "🚀 Ready for production deployment to AWS Lambda!"
echo "📍 Region: ${{ env.AWS_REGION }}"
echo "📦 ECR Repository: ${{ env.ECR_REPOSITORY }}"
echo "🔐 AWS Role: ${{ env.AWS_ROLE_ARN }}"
echo "🏗️ Using secure OIDC authentication (no long-term keys) ✨"
fi
build-and-deploy:
needs: [test, security]
runs-on: ubuntu-latest
# Solo deployar cuando el usuario lo active manualmente con workflow_dispatch
if: |
(github.event_name == 'workflow_dispatch' &&
github.event.inputs.deploy_to_aws == 'true' &&
github.ref == 'refs/heads/main')
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Verify OIDC prerequisites
run: |
echo "🚀 Starting OIDC-secured deployment process..."
echo "📍 AWS Region: ${{ env.AWS_REGION }}"
echo "📦 ECR Repository: ${{ env.ECR_REPOSITORY }}"
develop
echo "🔑 Checking AWS Credentials..."
# Verify secrets are available (without exposing them)
if [ -z "${{ secrets.AWS_ACCESS_KEY_ID }}" ]; then
echo "❌ AWS_ACCESS_KEY_ID is missing"
exit 1
else
echo "✅ AWS_ACCESS_KEY_ID is available"
fi
if [ -z "${{ secrets.AWS_SECRET_ACCESS_KEY }}" ]; then
echo "❌ AWS_SECRET_ACCESS_KEY is missing"
exit 1
else
echo "✅ AWS_SECRET_ACCESS_KEY is available"
echo "� AWS Role ARN: ${{ env.AWS_ROLE_ARN }}"
echo "🏗️ Using secure OIDC authentication ✨"
# Verify AWS Account ID is available
if [ -z "${{ secrets.AWS_ACCOUNT_ID }}" ]; then
echo "❌ AWS_ACCOUNT_ID secret is missing"
echo "💡 Add it in: https://github.com/${{ github.repository }}/settings/secrets/actions"
exit 1
else
echo "✅ AWS_ACCOUNT_ID is configured"
main
fi
if [ -z "${{ secrets.API_KEY }}" ]; then
echo "⚠️ API_KEY is missing - using default"
else
develop
echo "✅ API_KEY is available"
echo "✅ API_KEY is configured"
main
fi
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'
- name: Configure AWS credentials via OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ env.AWS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}
role-session-name: GitHubActions-${{ github.run_id }}
- name: Debug AWS identity
run: |
echo "🧪 Testing AWS OIDC connection..."
aws sts get-caller-identity
echo "✅ AWS OIDC connection successful!"
- name: Test AWS connection
run: |
echo "🧪 Testing AWS connection..."
aws sts get-caller-identity
echo "✅ AWS connection successful!"
- name: Setup SAM CLI
uses: aws-actions/setup-sam@v2
with:
use-installer: true
- name: Create ECR repository if not exists
run: |
echo "📦 Ensuring ECR repository exists..."
aws ecr describe-repositories --repository-names ${{ env.ECR_REPOSITORY }} --region ${{ env.AWS_REGION }} || \
aws ecr create-repository --repository-name ${{ env.ECR_REPOSITORY }} --region ${{ env.AWS_REGION }}
echo "✅ ECR repository ready"
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Build, tag, and push image to Amazon ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ github.sha }}
run: |
echo "🔨 Building Docker image..."
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
echo "📤 Pushing to ECR..."
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
docker tag $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:latest
docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest
echo "✅ Docker image pushed successfully!"
- name: Deploy to AWS Lambda
run: |
echo "🚀 Starting SAM deployment..."
sam build --region ${{ env.AWS_REGION }}
sam deploy --no-confirm-changeset --no-fail-on-empty-changeset \
--stack-name neurobank-api \
--capabilities CAPABILITY_IAM \
--region ${{ env.AWS_REGION }} \
--parameter-overrides ApiKey=${{ secrets.API_KEY || 'default-api-key' }}
echo "🎉 Deployment completed successfully!"
develop
echo "📋 Stack: neurobank-api"
echo "📍 Region: ${{ env.AWS_REGION }}"
echo "🔗 Check AWS Lambda console for endpoint URL"
main