Overwatch MCP

name: Docker Build and Push on: push: branches: - main - develop tags: - 'v*.*.*' paths-ignore: - '*.md' - 'Docs/**' - 'compose/**' - '.gitignore' - '.gitattributes' - 'LICENSE' pull_request: branches: - main paths-ignore: - '*.md' - 'Docs/**' - 'compose/**' - '.gitignore' - '.gitattributes' - 'LICENSE' workflow_dispatch: env: REGISTRY: ghcr.io # Must be lowercase for Docker IMAGE_NAME: malindarathnayake/overwatch-mcp jobs: test: name: Run Tests runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: '3.11' - name: Cache dependencies uses: actions/cache@v4 with: path: ~/.cache/pip key: ${{ runner.os }}-pip-${{ hashFiles('**/pyproject.toml') }} restore-keys: | ${{ runner.os }}-pip- - name: Install dependencies run: | python -m pip install --upgrade pip pip install -e ".[dev]" - name: Run tests run: | pytest tests/ -v --cov=overwatch_mcp --cov-report=xml --cov-report=html - name: Upload coverage reports uses: actions/upload-artifact@v4 with: name: coverage-report path: htmlcov/ - name: Upload test results uses: actions/upload-artifact@v4 if: always() with: name: test-results path: | htmlcov/ coverage.xml build: name: Build Docker Image runs-on: ubuntu-latest needs: test permissions: contents: read packages: write id-token: write attestations: write steps: - name: Checkout code uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to GitHub Container Registry if: github.event_name != 'pull_request' uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=ref,event=branch type=ref,event=pr type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=raw,value=latest,enable={{is_default_branch}} - name: Build and push Docker image id: build uses: docker/build-push-action@v5 with: context: . platforms: linux/amd64,linux/arm64 push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha cache-to: type=gha,mode=max - name: Generate artifact attestation if: github.event_name != 'pull_request' uses: actions/attest-build-provenance@v1 with: subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true create-release-artifact: name: Create Release Artifacts runs-on: ubuntu-latest needs: build if: startsWith(github.ref, 'refs/tags/v') steps: - name: Checkout code uses: actions/checkout@v4 - name: Create release archive run: | mkdir -p release tar -czf release/overwatch-mcp-${{ github.ref_name }}.tar.gz \ --exclude='.git' \ --exclude='release' \ --exclude='__pycache__' \ --exclude='*.pyc' \ --exclude='.pytest_cache' \ --exclude='htmlcov' \ --exclude='.coverage' \ . - name: Generate checksums run: | cd release sha256sum overwatch-mcp-${{ github.ref_name }}.tar.gz > checksums.txt - name: Upload release artifacts uses: actions/upload-artifact@v4 with: name: release-${{ github.ref_name }} path: release/ - name: Create GitHub Release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/v') with: files: | release/overwatch-mcp-${{ github.ref_name }}.tar.gz release/checksums.txt body: | ## Overwatch MCP Server ${{ github.ref_name }} ### Docker Images ```bash docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest ``` ### Installation See [README.md](README.md) for installation instructions. ### Changes See commit history for detailed changes. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} security-scan: name: Security Scan runs-on: ubuntu-latest needs: build if: github.event_name != 'pull_request' permissions: contents: read security-events: write steps: - name: Checkout code uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.28.0 with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy results to GitHub Security uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' - name: Run Trivy (table output) uses: aquasecurity/trivy-action@0.28.0 with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }} format: 'table' notify: name: Notify on Completion runs-on: ubuntu-latest needs: [test, build] if: always() steps: - name: Check job status run: | if [ "${{ needs.test.result }}" == "success" ] && \ [ "${{ needs.build.result }}" == "success" ]; then echo "✅ Pipeline completed successfully!" echo "IMAGE_URL=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_ENV else echo "❌ Pipeline failed!" exit 1 fi - name: Summary run: | echo "## Build Summary" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "- **Tests**: ${{ needs.test.result }}" >> $GITHUB_STEP_SUMMARY echo "- **Build**: ${{ needs.build.result }}" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY if [ "${{ needs.build.result }}" == "success" ]; then echo "### Docker Image" >> $GITHUB_STEP_SUMMARY echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_STEP_SUMMARY echo "\`\`\`" >> $GITHUB_STEP_SUMMARY fi