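---
# CI pipeline: run advisory security scans on pushes/PRs to main, then
# force-push main to two Hugging Face Spaces (CPU and GPU) on pushes to main.
#
# NOTE(review): every scan below is non-blocking (`|| true` plus
# `continue-on-error: true`), so `needs: security-check` on the deploy job
# only orders the jobs; it does not stop a deploy when a scanner reports
# findings. Remove those overrides once the baseline is clean if the scans
# are meant to gate deployment.
# NOTE(review): actions are referenced by mutable tag (`@v3`, `@v4`); pinning
# each `uses:` to a full commit SHA protects against a retagged release.
name: Security Check and Deploy

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

jobs:
  security-check:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: read the repository and publish SARIF
    # results to code scanning; nothing else is granted.
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - uses: actions/checkout@v3
        with:
          # Do not leave GITHUB_TOKEN in .git/config for the scanners and
          # pip-installed tools that run in later steps.
          persist-credentials: false

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          # Only install lightweight deps for security scanning
          # ML packages (torch, transformers) are skipped - not needed for
          # static analysis
          pip install fastapi uvicorn pydantic python-dotenv aiofiles

      # Run Snyk security scan
      - name: Run Snyk Security Scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          # Install Snyk CLI. --fail keeps an HTTP error page from being saved
          # and then executed as the binary.
          curl --fail --silent --show-error --location \
            -o snyk-linux https://static.snyk.io/cli/latest/snyk-linux
          curl --fail --silent --show-error --location \
            -o snyk-linux.sha256 \
            https://static.snyk.io/cli/latest/snyk-linux.sha256
          # Verify the download before it is made executable and handed the
          # token. NOTE(review): `latest` is a moving target and the checksum
          # comes from the same host; pinning a specific CLI release gives a
          # reproducible, reviewable install.
          sha256sum -c snyk-linux.sha256
          mv snyk-linux snyk
          chmod +x snyk

          # No `snyk auth` call: the CLI reads SNYK_TOKEN from the environment,
          # so the token never appears in a process argument list.
          echo "===== Python Dependency Security Scan ====="
          # Test for vulnerabilities (non-blocking initially)
          ./snyk test --severity-threshold=high --file=requirements.txt || true
          # Generate SARIF report for GitHub Security tab
          ./snyk test --severity-threshold=low --file=requirements.txt \
            --sarif-file-output=snyk.sarif || true
          echo "===== Security Scan Complete ====="
        continue-on-error: true

      # Upload results to GitHub Security tab
      - name: Upload Snyk results to GitHub Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        continue-on-error: true
        with:
          sarif_file: snyk.sarif
          category: snyk-python

      # Monitor project with Snyk (updates dashboard)
      - name: Monitor with Snyk
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          ./snyk monitor --file=requirements.txt --project-name=visualisable-ai-backend || true
        continue-on-error: true

      # Run Python security checks with bandit
      - name: Run Bandit Security Linter
        run: |
          pip install bandit
          echo "===== Python Code Security Analysis ====="
          bandit -r backend/ -f json -o bandit-report.json || true
          bandit -r backend/ || true
          echo "===== Code Analysis Complete ====="
        continue-on-error: true

      # Run safety check for known security vulnerabilities
      - name: Run Safety Check
        run: |
          pip install safety
          echo "===== Safety Vulnerability Check ====="
          # Scan the declared requirements rather than the runner's
          # environment: only the lightweight deps are installed here, so an
          # environment scan would never see the skipped ML packages.
          safety check -r requirements.txt --json > safety-report.json || true
          safety check -r requirements.txt || true
          echo "===== Safety Check Complete ====="
        continue-on-error: true

      # The summary text is static: it lists the checks that were configured
      # and does not reflect whether any of them ran or reported findings.
      - name: Security Summary
        if: always()
        run: |
          echo "## Security Scan Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Checks Performed:" >> "$GITHUB_STEP_SUMMARY"
          echo "- β Snyk dependency vulnerability scan" >> "$GITHUB_STEP_SUMMARY"
          echo "- β Bandit Python security linter" >> "$GITHUB_STEP_SUMMARY"
          echo "- β Safety known vulnerability check" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Known Issues to Address:" >> "$GITHUB_STEP_SUMMARY"
          echo "- transformers==4.35.0 has known vulnerabilities" >> "$GITHUB_STEP_SUMMARY"
          echo "- Consider upgrading to transformers>=4.36.0" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Check the logs above for detailed findings." >> "$GITHUB_STEP_SUMMARY"

  deploy-to-huggingface:
    runs-on: ubuntu-latest
    needs: security-check
    # Deploy only for pushes to main; PRs and manual runs stop after the scans.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    # The deploy authenticates to Hugging Face with HF_TOKEN, so GITHUB_TOKEN
    # only needs to read the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history and LFS objects are needed to push the branch as-is.
          fetch-depth: 0
          lfs: true
          persist-credentials: false

      - name: Push to CPU HuggingFace Space
        env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
        run: |
          # Configure git
          git config --global user.email "github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"
          # Add CPU HuggingFace Space remote with authentication.
          # The token is expanded by the shell from the step's env, so it is
          # never written into the workflow file; it does end up in the
          # runner's .git/config for the rest of this job.
          git remote add hf-cpu "https://visualisable-ai:${HF_TOKEN}@huggingface.co/spaces/visualisable-ai/api"
          # Push to CPU Space (force-push replaces the Space's history with main)
          echo "Deploying to CPU HuggingFace Space..."
          git push hf-cpu main:main --force
          echo "β Deployed to CPU HuggingFace Space successfully!" >> "$GITHUB_STEP_SUMMARY"
          echo "π CPU Space: https://huggingface.co/spaces/visualisable-ai/api" >> "$GITHUB_STEP_SUMMARY"

      - name: Push to GPU HuggingFace Space
        env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
        run: |
          # Add GPU HuggingFace Space remote with authentication
          git remote add hf-gpu "https://visualisable-ai:${HF_TOKEN}@huggingface.co/spaces/visualisable-ai/api-gpu"
          # Push to GPU Space (force-push replaces the Space's history with main)
          echo "Deploying to GPU HuggingFace Space..."
          git push hf-gpu main:main --force
          echo "β Deployed to GPU HuggingFace Space successfully!" >> "$GITHUB_STEP_SUMMARY"
          echo "π GPU Space: https://huggingface.co/spaces/visualisable-ai/api-gpu" >> "$GITHUB_STEP_SUMMARY"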