feat: external monitoring mode + CI/CD pipeline #2
ViktorPalchynskyi wants to merge 11 commits into master from
Conversation
.github/workflows/ci.yml
Outdated
| - name: Login to Docker Hub | ||
| if: github.event_name == 'push' | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Docker metadata | ||
| if: github.event_name == 'push' | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ${{ env.IMAGE_NAME }} | ||
| tags: | | ||
| type=raw,value=latest,enable={{is_default_branch}} | ||
| type=sha,prefix=sha- | ||
| type=semver,pattern={{version}} | ||
| type=semver,pattern={{major}}.{{minor}} | ||
|
|
||
| - name: Build and push | ||
| if: github.event_name == 'push' | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: true | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha,mode=max |
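Review bot: the `if: github.event_name == 'push'` guard on the login, metadata and build-and-push steps restricts the event type but not the ref, so a push to any branch of this repository would still publish a `sha-` tagged image using the Docker Hub credentials; gate on the ref as well (for example `github.ref == 'refs/heads/master'` or a tag ref) or, as proposed in the thread, move these three steps into a workflow whose trigger is limited to master and release tags. For the job that holds publishing credentials, also consider pinning `docker/login-action`, `docker/metadata-action` and `docker/build-push-action` to commit SHAs rather than the floating `@v3`/`@v5`/`@v6` tags.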
This job will push a new image on every PR. This image is open source, so anyone can create a PR and push an image. Let's split it into 2 separate jobs:
- verify.yaml - that will perform testing and verification on PR and push to master
- publish.yaml - that will publish the image on push to master and release
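A publish workflow shaped the way the comment above proposes, added here as an illustration and not the project's own publish.yml: it triggers only on pushes to master and version tags, so a pull request never reaches the Docker Hub credentials, and it reads its secrets from a protected environment. The environment name Production, the DOCKERHUB_USERNAME/DOCKERHUB_TOKEN secrets and an IMAGE_NAME environment variable are assumptions.

```yaml
# publish.yml (example): publishing is split out of verification so that a
# pull_request event never runs a job holding Docker Hub credentials.
# Assumed names: the Production environment, secrets DOCKERHUB_USERNAME /
# DOCKERHUB_TOKEN, and an IMAGE_NAME variable defined on that environment.
name: publish

on:
  push:
    branches: [master]   # default branch only, never feature branches
    tags: ['v*']         # release tags, e.g. v1.2.0

permissions:
  contents: read         # nothing here needs write access to the repo

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: Production   # secrets scoped here; protection rules apply
    steps:
      - uses: actions/checkout@v4

      # QEMU + buildx are required for the linux/arm64 half of the build
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ vars.IMAGE_NAME }}   # set on the environment, not in the file
          tags: |
            type=raw,value=latest,enable={{is_default_branch}}
            type=sha,prefix=sha-
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}

      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
```

The matching verify.yml would keep `on: [pull_request, push]`, build the image and run the test scripts, and contain no `docker/login-action` step at all.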
Can you add proper instructions on how to start this using only the image from Docker Hub? Specifically it should have:
- List of all environment variables that should be provided
- List of all volumes with configs, with examples, that should be provided
- Explanation of how to integrate with Grafana
Cursor Bugbot has reviewed your changes and found 2 potential issues.
LeoVS09
left a comment
Great work, I added the secrets to GitHub Actions. You can merge after fixing the issues.
| env: | ||
| IMAGE_NAME: viktorpalchynskyi/nginx-security |
I set it through the environment, so you need to remove it.
| publish: | ||
| runs-on: ubuntu-latest |
Add the environment there, in order to get limited secrets.
| publish: | |
| runs-on: ubuntu-latest | |
| publish: | |
| environment: Production | |
| runs-on: ubuntu-latest |
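Review bot: `environment: Production` on its own only changes where the job resolves secrets from; for it to actually limit exposure, DOCKERHUB_USERNAME and DOCKERHUB_TOKEN should be defined on that environment rather than at repository level, and the environment's deployment branch rule should be restricted to master and release tags, so that a job running on any other ref cannot obtain them even if it declares the same environment.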
Summary
Test plan
Note
Medium Risk
Moderate risk due to new CI/CD publishing workflow and changes to monitoring compose profiles/env expansion that could affect deployments, but core proxy/WAF runtime logic is untouched.
Overview
Adds an external monitoring mode so Promtail can ship logs to a user-provided LOKI_URL (optionally LOKI_TENANT_ID) while docker-compose.monitoring.yml no longer requires running local loki/grafana containers (now gated behind a standalone profile). The Makefile, .env.example, and README.md are updated to support start-monitoring-external and separate health checks for standalone vs external setups.
Introduces a pre-built Grafana dashboard export (monitoring/dashboards/nginx-security.json + README) and adds GitHub Actions workflows: verify.yml builds the image and runs the existing security/false-positive test scripts in a throwaway Docker network, and publish.yml builds/pushes multi-arch images to Docker Hub on master/tags with standard metadata tagging.
Written by Cursor Bugbot for commit 07ee6c1.
monitoring/dashboards/nginx-security.json+ README) and adds GitHub Actions workflows:verify.ymlbuilds the image and runs the existing security/false-positive test scripts in a throwaway Docker network, andpublish.ymlbuilds/pushes multi-arch images to Docker Hub onmaster/tags with standard metadata tagging.Written by Cursor Bugbot for commit 07ee6c1. This will update automatically on new commits. Configure here.