updates and build out

Author: kpres12

.github/workflows/ci.yml

@@ -2,29 +2,34 @@ name: CI
 
 on:
   push:
-    branches: [ main, master ]
+    branches: [main, master]
   pull_request:
-    branches: [ main, master ]
+    branches: [main, master]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}/wildfire
 
 jobs:
+  # ── Node.js workspace ─────────────────────────────────────────────
   node:
     name: Node.js (TypeScript)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '18'
-          cache: 'pnpm'
-
       - name: Setup pnpm
         uses: pnpm/action-setup@v2
         with:
           version: 8
 
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "18"
+          cache: pnpm
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
@@ -36,14 +41,18 @@ jobs:
 
       - name: Build
         run: pnpm build
-  
+
+      - name: Test
+        run: pnpm test
+
+  # ── Python services ───────────────────────────────────────────────
   python:
     name: Python (FastAPI)
     runs-on: ubuntu-latest
     defaults:
       run:
         working-directory: apps/apigw
-    
+
     services:
       postgres:
         image: postgis/postgis:15-3.3
@@ -58,7 +67,7 @@ jobs:
           --health-interval 10s
           --health-timeout 5s
           --health-retries 5
-      
+
       redis:
         image: redis:7-alpine
         ports:
@@ -68,32 +77,30 @@ jobs:
           --health-interval 10s
           --health-timeout 5s
           --health-retries 5
-    
+
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      
+
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.11'
-          cache: 'pip'
+          python-version: "3.11"
+          cache: pip
           cache-dependency-path: apps/apigw/requirements.txt
-      
+
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
           pip install pytest pytest-asyncio pytest-cov mypy ruff
-      
+
       - name: Lint with ruff
         run: ruff check app/ --output-format=github
-        continue-on-error: true
-      
+
       - name: Type check with mypy
         run: mypy app/ --ignore-missing-imports --no-strict-optional
-        continue-on-error: true
-      
+
       - name: Run tests
         env:
           DATABASE_URL: postgresql://wildfire:wildfire123@localhost:5432/wildfire_ops_test
@@ -103,11 +110,70 @@ jobs:
           SECRET_KEY: test-secret-key
         run: |
           pytest tests/ -v --cov=app --cov-report=term-missing --cov-report=xml
-      
+
       - name: Upload coverage
         uses: codecov/codecov-action@v3
         if: always()
         with:
           files: ./apps/apigw/coverage.xml
           flags: python
           name: python-coverage
+
+  # ── Docker build verification ─────────────────────────────────────
+  docker:
+    name: Docker Build
+    runs-on: ubuntu-latest
+    needs: [node, python]
+    strategy:
+      fail-fast: false
+      matrix:
+        service:
+          - { name: apigw, context: ./apps/apigw, dockerfile: ./apps/apigw/Dockerfile }
+          - { name: console, context: ./apps/console, dockerfile: ./apps/console/Dockerfile }
+          - { name: triangulate, context: ".", dockerfile: ./apps/triangulate/Dockerfile }
+          - { name: predict, context: ".", dockerfile: ./apps/predict/Dockerfile }
+          - { name: ingest, context: ".", dockerfile: ./apps/ingest/Dockerfile }
+          - { name: mission-dispatcher, context: ".", dockerfile: ./apps/mission-dispatcher/Dockerfile }
+          - { name: edge-agent, context: ./apps/edge-agent, dockerfile: ./apps/edge-agent/Dockerfile }
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build image (no push)
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.service.context }}
+          file: ${{ matrix.service.dockerfile }}
+          push: false
+          tags: ${{ env.IMAGE_PREFIX }}-${{ matrix.service.name }}:ci-${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ── Security scanning ────────────────────────────────────────────
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    needs: [node, python]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner (filesystem)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          scan-ref: "."
+          severity: CRITICAL,HIGH
+          exit-code: "1"
+          ignore-unfixed: true
+
+      - name: Run Trivy config scan (IaC)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: config
+          scan-ref: infra/
+          severity: CRITICAL,HIGH
+          exit-code: "0"

.github/workflows/deploy.yml

@@ -0,0 +1,166 @@
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Target environment"
+        required: true
+        type: choice
+        options:
+          - staging
+          - production
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_PREFIX: ghcr.io/${{ github.repository_owner }}/wildfire
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  # ── Build & push images ──────────────────────────────────────────
+  build:
+    name: Build & Push
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+      matrix:
+        service:
+          - { name: apigw, context: ./apps/apigw, dockerfile: ./apps/apigw/Dockerfile }
+          - { name: console, context: ./apps/console, dockerfile: ./apps/console/Dockerfile }
+          - { name: triangulate, context: ".", dockerfile: ./apps/triangulate/Dockerfile }
+          - { name: predict, context: ".", dockerfile: ./apps/predict/Dockerfile }
+          - { name: ingest, context: ".", dockerfile: ./apps/ingest/Dockerfile }
+          - { name: mission-dispatcher, context: ".", dockerfile: ./apps/mission-dispatcher/Dockerfile }
+          - { name: edge-agent, context: ./apps/edge-agent, dockerfile: ./apps/edge-agent/Dockerfile }
+    outputs:
+      image_tag: ${{ steps.meta.outputs.tags }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_PREFIX }}-${{ matrix.service.name }}
+          tags: |
+            type=sha
+            type=ref,event=branch
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.service.context }}
+          file: ${{ matrix.service.dockerfile }}
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ── Deploy to staging (auto on main push) ────────────────────────
+  staging:
+    name: Deploy to Staging
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' || github.event.inputs.environment == 'staging'
+    environment:
+      name: staging
+      url: https://staging.wildfire-ops.com
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure kubectl
+        uses: azure/setup-kubectl@v3
+
+      - name: Set kubeconfig
+        run: echo "${{ secrets.KUBE_CONFIG_STAGING }}" | base64 -d > $HOME/.kube/config
+
+      - name: Update image tags
+        run: |
+          TAG="sha-${GITHUB_SHA::7}"
+          for svc in apigw console triangulate predict ingest mission-dispatcher edge-agent; do
+            kubectl set image deployment/${svc} \
+              ${svc}=${{ env.IMAGE_PREFIX }}-${svc}:${TAG} \
+              -n wildfire-ops --record || true
+          done
+
+      - name: Wait for rollout
+        run: |
+          for svc in apigw console triangulate predict ingest; do
+            kubectl rollout status deployment/${svc} -n wildfire-ops --timeout=300s
+          done
+
+      - name: Run smoke tests
+        run: |
+          API_URL="${{ secrets.STAGING_API_URL }}"
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" "${API_URL}/health")
+          if [ "$STATUS" != "200" ]; then
+            echo "Smoke test failed: API returned $STATUS"
+            exit 1
+          fi
+          echo "Staging smoke test passed"
+
+  # ── Deploy to production (manual approval required) ──────────────
+  production:
+    name: Deploy to Production
+    needs: staging
+    runs-on: ubuntu-latest
+    if: github.event.inputs.environment == 'production' || github.ref == 'refs/heads/main'
+    environment:
+      name: production
+      url: https://console.wildfire-ops.com
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Configure kubectl
+        uses: azure/setup-kubectl@v3
+
+      - name: Set kubeconfig
+        run: echo "${{ secrets.KUBE_CONFIG_PRODUCTION }}" | base64 -d > $HOME/.kube/config
+
+      - name: Update image tags (canary — 1 replica first)
+        run: |
+          TAG="sha-${GITHUB_SHA::7}"
+          for svc in apigw console triangulate predict ingest mission-dispatcher edge-agent; do
+            kubectl set image deployment/${svc} \
+              ${svc}=${{ env.IMAGE_PREFIX }}-${svc}:${TAG} \
+              -n wildfire-ops --record || true
+          done
+
+      - name: Wait for rollout
+        run: |
+          for svc in apigw console triangulate predict ingest; do
+            kubectl rollout status deployment/${svc} -n wildfire-ops --timeout=600s
+          done
+
+      - name: Production smoke test
+        run: |
+          API_URL="${{ secrets.PRODUCTION_API_URL }}"
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" "${API_URL}/health")
+          if [ "$STATUS" != "200" ]; then
+            echo "Production smoke test FAILED — rolling back"
+            for svc in apigw console triangulate predict ingest mission-dispatcher edge-agent; do
+              kubectl rollout undo deployment/${svc} -n wildfire-ops || true
+            done
+            exit 1
+          fi
+          echo "Production deploy successful"