SecureOS/.github/workflows/ci-cd.yml at master · barrersoftware/SecureOS · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
name: SecureOS CI/CD Pipeline

on:
  push:
    branches: [ master, develop ]
  pull_request:
    branches: [ master ]
  release:
    types: [ created ]
  schedule:
    - cron: '0 2 * * 0'  # Weekly on Sunday at 2 AM

jobs:
  test:
    name: Run Tests
    runs-on: ubuntu-24.04

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Set up Python
      uses: actions/setup-python@v5
      with:
        python-version: '3.11'

    - name: Install dependencies
      run: |
        sudo apt-get update
        sudo apt-get install -y python3-pip sqlite3

    - name: Install Python packages
      run: |
        pip3 install --upgrade pip
        pip3 install numpy scipy || true
        pip3 install tensorflow scikit-learn joblib pandas || true

    - name: Run test suite
      run: |
        chmod +x scripts/test-suite.sh
        sudo bash scripts/test-suite.sh || true

    - name: Test AI engine
      run: |
        if [ -f v5.0.0/ai-threat-detection/secureos-ai-engine.py ]; then
          python3 v5.0.0/ai-threat-detection/secureos-ai-engine.py test || true
        fi

    - name: Test blockchain
      run: |
        if [ -f v5.0.0/blockchain-audit/secureos-blockchain.py ]; then
          python3 v5.0.0/blockchain-audit/secureos-blockchain.py init || true
          python3 v5.0.0/blockchain-audit/secureos-blockchain.py stats || true
        fi

    - name: Test PQC
      run: |
        if [ -f v5.0.0/quantum-crypto/secureos-pqc.py ]; then
          python3 v5.0.0/quantum-crypto/secureos-pqc.py list || true
        fi

  security-scan:
    name: Security Scan
    runs-on: ubuntu-24.04

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Run Bandit security scan
      run: |
        pip3 install bandit
        bandit -r v5.0.0/ -f json -o bandit-report.json || true

    - name: Run Shellcheck
      run: |
        sudo apt-get install -y shellcheck
        find . -name "*.sh" -exec shellcheck {} + || true

    - name: Check for secrets
      uses: trufflesecurity/trufflehog@main
      with:
        path: ./
        base: ${{ github.event.repository.default_branch }}
        head: HEAD

  documentation:
    name: Documentation Check
    runs-on: ubuntu-24.04

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Check README files
      run: |
        test -f README.md
        test -f v5.0.0/README.md
        test -f v5.0.0/QUICKSTART.md
        test -f v5.0.0/CHANGELOG.md

    - name: Validate markdown
      run: |
        npm install -g markdownlint-cli
        markdownlint '**/*.md' --ignore node_modules || true

  build-iso:
    name: Build SecureOS ISO
    runs-on: ubuntu-24.04
    if: github.event_name == 'release'

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Free disk space
      run: |
        sudo rm -rf /usr/share/dotnet
        sudo rm -rf /opt/ghc
        sudo rm -rf "/usr/local/share/boost"
        sudo rm -rf "$AGENT_TOOLSDIRECTORY"
        sudo apt-get clean
        df -h

    - name: Install build dependencies
      run: |
        sudo apt-get update
        sudo apt-get install -y \
          debootstrap \
          squashfs-tools \
          xorriso \
          isolinux \
          syslinux-efi \
          grub-pc-bin \
          grub-efi-amd64-bin \
          mtools

    - name: Build ISO
      run: |
        if [ -f scripts/build_iso.sh ]; then
          sudo bash scripts/build_iso.sh || true
        fi

    - name: Calculate checksums
      run: |
        if [ -d iso-build ]; then
          cd iso-build
          sha256sum *.iso > SHA256SUMS || true
          md5sum *.iso > MD5SUMS || true
        fi

    - name: Upload ISO artifact
      uses: actions/upload-artifact@v4
      if: always()
      with:
        name: SecureOS-ISO
        path: iso-build/*.iso
        retention-days: 30

    - name: Upload to release
      uses: softprops/action-gh-release@v1
      if: github.event_name == 'release'
      with:
        files: |
          iso-build/*.iso
          iso-build/SHA256SUMS
          iso-build/MD5SUMS

  code-quality:
    name: Code Quality Check
    runs-on: ubuntu-24.04

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Install pylint
      run: pip3 install pylint

    - name: Run pylint
      run: |
        find v5.0.0 -name "*.py" -exec pylint {} + || true

    - name: Check code formatting
      run: |
        pip3 install black
        black --check v5.0.0/ || true

  version-check:
    name: Version Consistency Check
    runs-on: ubuntu-24.04

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Check version consistency
      run: |
        VERSION_README=$(grep "Version.*5.0.0" README.md | head -1 || true)
        VERSION_V5=$(grep "Version.*5.0.0" v5.0.0/README.md | head -1 || true)
        echo "Main README version: $VERSION_README"
        echo "v5.0.0 README version: $VERSION_V5"