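# KrakenD main pipeline: a reusable (workflow_call) orchestration workflow.
# Every job delegates to another reusable workflow under .github/workflows/;
# the inputs below only toggle stages and forward configuration. No job in
# this file declares `run:` steps, so there is no shell to review here — the
# called workflows are where command execution and secret handling live.
#
# Job gating: jobs after `build` override the default `success()` condition
# with `!cancelled()` plus explicit `needs.<job>.result` checks, so that a
# deliberately skipped stage (e.g. `test`) does not skip everything after it,
# while a cancelled run still stops deploys, branch deletion and tagging.
# Only `notify` and `create-issue` use `always()`, because they must report
# on cancelled runs as well.
name: KrakenD - Main Pipeline

# `on` is a YAML 1.1 boolean token; GitHub's loader treats it as the key.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # Runner configuration
      runner:
        description: 'Runner type'
        required: false
        type: string
        default: 'ubuntu-latest'

      # KrakenD configuration
      dockerfile_path:
        description: 'Path to Dockerfile'
        required: false
        type: string
        default: '.'

      # Pipeline steps control
      run_commit_lint:
        description: 'Run commit message validation'
        required: false
        type: boolean
        default: false
      run_trufflehog:
        description: 'Run TruffleHog secret scanning'
        required: false
        type: boolean
        default: false
      trufflehog_only_verified:
        description: 'Only report verified secrets'
        required: false
        type: boolean
        default: true
      trufflehog_fail_on_findings:
        description: 'Fail the workflow if secrets are found'
        required: false
        type: boolean
        default: true
      run_dependency_review:
        description: 'Run dependency review (PR only)'
        required: false
        type: boolean
        default: false
      dependency_review_severity:
        description: 'Minimum severity to fail: low, moderate, high, critical'
        required: false
        type: string
        default: 'high'
      run_build:
        description: 'Run build job (config validation)'
        required: false
        type: boolean
        default: true
      run_test:
        description: 'Run test job (config audit)'
        required: false
        type: boolean
        default: false
      run_artifact:
        description: 'Build and push Docker image to ECR'
        required: false
        type: boolean
        default: false
      run_deploy:
        description: 'Deploy after artifact build'
        required: false
        type: boolean
        default: false
      deploy_target:
        description: 'Deploy target: ec2, ec2-vpn, or eks'
        required: false
        type: string
        default: 'ec2'
      run_create_issue_on_failure:
        description: 'Create GitHub issue on pipeline failure'
        required: false
        type: boolean
        default: false
      issue_labels:
        description: 'Labels for the failure issue (comma-separated)'
        required: false
        type: string
        default: 'bug,pipeline-failure'
      run_notifications:
        description: 'Send notifications after pipeline completes'
        required: false
        type: boolean
        default: false
      notify_providers:
        description: 'Notification providers (comma-separated: slack, teams)'
        required: false
        type: string
        default: 'slack'
      notify_mention_on_failure:
        description: 'Mention on failure (Slack: @channel, Teams: @General)'
        required: false
        type: string
        default: ''
      run_cleanup:
        description: 'Delete merged branch after deploy'
        required: false
        type: boolean
        default: false
      run_release:
        description: 'Create release PR after deploy'
        required: false
        type: boolean
        default: false

      # Test options
      audit_threshold:
        description: 'Minimum audit score (0-100)'
        required: false
        type: number
        default: 0

      # Artifact & Deploy options
      image_tag:
        description: 'Docker image tag (empty = commit SHA)'
        required: false
        type: string
        default: ''
      docker_platform:
        description: 'Docker platform (linux/amd64, linux/arm64)'
        required: false
        type: string
        default: 'linux/arm64'

      # Deploy options
      environment:
        description: 'GitHub environment (develop, prod)'
        required: false
        type: string
        default: 'develop'
      memory_limit:
        description: 'Container memory limit (e.g., 512m/512Mi)'
        required: false
        type: string
        default: '800m'
      memory_reservation:
        description: 'Container memory reservation (e.g., 256m/256Mi)'
        required: false
        type: string
        default: '256m'
      extra_volumes:
        description: 'Additional docker-compose volume mounts (one per line, including the leading "- ")'
        required: false
        type: string
        # Literal block scalar: the value is spliced into a compose file by the
        # deploy workflows, so each line must already be a valid list item.
        default: |
          - ./certs:/etc/krakend/certs:ro

      # EKS-specific options
      eks_cluster_name:
        description: 'EKS cluster name (required when deploy_target: eks)'
        required: false
        type: string
        default: ''
      eks_namespace:
        description: 'Kubernetes namespace'
        required: false
        type: string
        default: 'default'
      eks_use_helm:
        description: 'Use Helm for EKS deployment'
        required: false
        type: boolean
        default: false
      eks_helm_chart_path:
        description: 'Path to Helm chart'
        required: false
        type: string
        default: './helm'
      eks_replicas:
        description: 'Number of EKS replicas'
        required: false
        type: number
        default: 1

      # Release options
      release_target_branch:
        description: 'Target branch for release PR'
        required: false
        type: string
        default: 'main'
      release_strict_flow:
        description: 'Enforce GitFlow on release PR (base must be develop, target must be main)'
        required: false
        type: boolean
        default: true
      run_tag:
        description: 'Create git tag and GitHub Release after deploy'
        required: false
        type: boolean
        default: false

    # Outputs of skipped jobs are empty, which is why deploy_status can chain
    # the three mutually exclusive deploy jobs with `||`.
    outputs:
      image_tag:
        description: 'Docker image tag pushed'
        value: ${{ jobs.artifact.outputs.image_tag }}
      image_uri:
        description: 'Full Docker image URI'
        value: ${{ jobs.artifact.outputs.image_uri }}
      audit_score:
        description: 'KrakenD audit score'
        value: ${{ jobs.test.outputs.audit_score }}
      deploy_status:
        description: 'Deployment status'
        value: ${{ jobs.deploy-ec2.outputs.deploy_status || jobs.deploy-ec2-vpn.outputs.deploy_status || jobs.deploy-eks.outputs.deploy_status }}
      deleted_branch:
        description: 'Name of deleted branch'
        value: ${{ jobs.cleanup.outputs.deleted_branch }}
      release_version:
        description: 'Release version created'
        value: ${{ jobs.release.outputs.version }}
      release_pr_url:
        description: 'Release PR URL'
        value: ${{ jobs.release.outputs.pr_url }}
      release_changelog:
        description: 'Release changelog'
        value: ${{ jobs.release.outputs.changelog }}

# NOTE(review): every called workflow below receives `secrets: inherit`, i.e.
# the full secret set of the caller, whether or not that stage needs it.
# Listing the specific secrets each called workflow consumes would keep the
# exposure per stage to the minimum; the names are not visible from here.
jobs:
  # ============================================
  # COMMIT LINT (parallel, no deps)
  # ============================================
  commit-lint:
    name: Commit Lint
    if: inputs.run_commit_lint
    uses: ./.github/workflows/shared-commit-lint.yml
    with:
      runner: ${{ inputs.runner }}

  # ============================================
  # SECURITY - TruffleHog (parallel, no deps)
  # ============================================
  security:
    name: Security Scan
    if: inputs.run_trufflehog
    uses: ./.github/workflows/security-trufflehog.yml
    with:
      runner: ${{ inputs.runner }}
      only_verified: ${{ inputs.trufflehog_only_verified }}
      fail_on_findings: ${{ inputs.trufflehog_fail_on_findings }}
    secrets: inherit

  # ============================================
  # SECURITY - Dependency Review (parallel, no deps)
  # ============================================
  dependency-review:
    name: Dependency Review
    if: inputs.run_dependency_review
    uses: ./.github/workflows/security-dependency-review.yml
    with:
      runner: ${{ inputs.runner }}
      fail_on_severity: ${{ inputs.dependency_review_severity }}
    secrets: inherit

  # ============================================
  # BUILD (Config Validation)
  # ============================================
  # `build` is the gate for everything downstream: artifact requires
  # needs.build.result == 'success', so disabling run_build also disables
  # artifact, deploy, release, cleanup and tag.
  build:
    name: Build
    if: inputs.run_build
    uses: ./.github/workflows/krakend-build.yml
    with:
      runner: ${{ inputs.runner }}
      dockerfile_path: ${{ inputs.dockerfile_path }}
    secrets: inherit

  # ============================================
  # TEST (Config Audit)
  # ============================================
  test:
    name: Test & Audit
    if: inputs.run_test
    needs: build
    uses: ./.github/workflows/krakend-test.yml
    with:
      runner: ${{ inputs.runner }}
      dockerfile_path: ${{ inputs.dockerfile_path }}
      audit_threshold: ${{ inputs.audit_threshold }}
    secrets: inherit

  # ============================================
  # ARTIFACT - Build Docker & Push to ECR
  # ============================================
  # `!cancelled()` (not `always()`) overrides the implicit success() so the
  # job still runs when `test` was skipped, but not when the run was cancelled.
  artifact:
    name: Build & Push ECR
    if: |
      inputs.run_artifact &&
      !cancelled() &&
      needs.build.result == 'success' &&
      (needs.test.result == 'success' || needs.test.result == 'skipped')
    needs: [build, test]
    uses: ./.github/workflows/shared-artifact-docker-ecr.yml
    with:
      runner: ${{ inputs.runner }}
      image_tag: ${{ inputs.image_tag }}
      docker_platform: ${{ inputs.docker_platform }}
      dockerfile_path: ${{ inputs.dockerfile_path }}
      environment: ${{ inputs.environment }}
      build_from_source: false
    secrets: inherit

  # ============================================
  # DEPLOY - EC2
  # ============================================
  # The three deploy jobs are mutually exclusive on deploy_target and each
  # consumes the tag produced by `artifact`, never the raw image_tag input.
  deploy-ec2:
    name: Deploy EC2
    if: |
      inputs.run_deploy &&
      inputs.deploy_target == 'ec2' &&
      !cancelled() &&
      needs.artifact.result == 'success'
    needs: [artifact]
    uses: ./.github/workflows/shared-deploy-ec2.yml
    with:
      runner: ${{ inputs.runner }}
      image_tag: ${{ needs.artifact.outputs.image_tag }}
      docker_platform: ${{ inputs.docker_platform }}
      environment: ${{ inputs.environment }}
      memory_limit: ${{ inputs.memory_limit }}
      memory_reservation: ${{ inputs.memory_reservation }}
      extra_volumes: ${{ inputs.extra_volumes }}
    secrets: inherit

  # ============================================
  # DEPLOY - EC2 via WireGuard VPN
  # ============================================
  deploy-ec2-vpn:
    name: Deploy EC2 (VPN)
    if: |
      inputs.run_deploy &&
      inputs.deploy_target == 'ec2-vpn' &&
      !cancelled() &&
      needs.artifact.result == 'success'
    needs: [artifact]
    uses: ./.github/workflows/shared-deploy-ec2-vpn.yml
    with:
      runner: ${{ inputs.runner }}
      image_tag: ${{ needs.artifact.outputs.image_tag }}
      docker_platform: ${{ inputs.docker_platform }}
      environment: ${{ inputs.environment }}
      memory_limit: ${{ inputs.memory_limit }}
      memory_reservation: ${{ inputs.memory_reservation }}
      extra_volumes: ${{ inputs.extra_volumes }}
    secrets: inherit

  # ============================================
  # DEPLOY - EKS
  # ============================================
  deploy-eks:
    name: Deploy EKS
    if: |
      inputs.run_deploy &&
      inputs.deploy_target == 'eks' &&
      !cancelled() &&
      needs.artifact.result == 'success'
    needs: [artifact]
    uses: ./.github/workflows/shared-deploy-eks.yml
    with:
      runner: ${{ inputs.runner }}
      image_tag: ${{ needs.artifact.outputs.image_tag }}
      environment: ${{ inputs.environment }}
      cluster_name: ${{ inputs.eks_cluster_name }}
      namespace: ${{ inputs.eks_namespace }}
      replicas: ${{ inputs.eks_replicas }}
      use_helm: ${{ inputs.eks_use_helm }}
      helm_chart_path: ${{ inputs.eks_helm_chart_path }}
      memory_limit: ${{ inputs.memory_limit }}
      # The EKS workflow names this input memory_request; it is fed from the
      # same memory_reservation input the EC2 variants use.
      memory_request: ${{ inputs.memory_reservation }}
      health_check_path: '/__health'
    secrets: inherit

  # ============================================
  # RELEASE - Create release PR
  # ============================================
  release:
    name: Create Release
    if: |
      inputs.run_release &&
      !cancelled() &&
      (needs.deploy-ec2.result == 'success' || needs.deploy-ec2-vpn.result == 'success' || needs.deploy-eks.result == 'success')
    needs: [deploy-ec2, deploy-ec2-vpn, deploy-eks]
    uses: ./.github/workflows/shared-release.yml
    with:
      base_branch: ${{ github.ref_name }}
      target_branch: ${{ inputs.release_target_branch }}
      strict_flow: ${{ inputs.release_strict_flow }}
    secrets: inherit

  # ============================================
  # CLEANUP - Delete merged branch (runs after release PR created)
  # ============================================
  # Destructive step: requires a successful deploy and a release job that
  # either succeeded or was skipped; a cancelled run must not reach it.
  cleanup:
    name: Delete Branch
    if: |
      inputs.run_cleanup &&
      !cancelled() &&
      (needs.deploy-ec2.result == 'success' || needs.deploy-ec2-vpn.result == 'success' || needs.deploy-eks.result == 'success') &&
      (needs.release.result == 'success' || needs.release.result == 'skipped')
    needs: [deploy-ec2, deploy-ec2-vpn, deploy-eks, release]
    uses: ./.github/workflows/shared-delete-branch.yml
    secrets: inherit

  # ============================================
  # TAG - Create git tag and GitHub Release
  # ============================================
  # `cleanup` and `release` appear in `needs` for ordering only; their
  # results are not part of the condition.
  tag:
    name: Tag Release
    if: |
      inputs.run_tag &&
      !cancelled() &&
      (needs.deploy-ec2.result == 'success' || needs.deploy-ec2-vpn.result == 'success' || needs.deploy-eks.result == 'success')
    needs: [build, test, artifact, deploy-ec2, deploy-ec2-vpn, deploy-eks, cleanup, release]
    uses: ./.github/workflows/shared-tag-release.yml
    secrets: inherit

  # ============================================
  # NOTIFY - Notifications (runs last, always)
  # ============================================
  # `always()` is intentional here: a cancelled run should still be reported.
  # Only `build` being cancelled maps to the 'cancelled' status; any failed
  # stage maps to 'failure', everything else to 'success'.
  notify:
    name: Notify
    if: |
      inputs.run_notifications &&
      always()
    needs: [build, test, artifact, deploy-ec2, deploy-ec2-vpn, deploy-eks, cleanup, release, tag]
    uses: ./.github/workflows/shared-notifications.yml
    with:
      providers: ${{ inputs.notify_providers }}
      status: >-
        ${{ (needs.build.result == 'failure' ||
             needs.test.result == 'failure' ||
             needs.artifact.result == 'failure' ||
             needs.deploy-ec2.result == 'failure' ||
             needs.deploy-ec2-vpn.result == 'failure' ||
             needs.deploy-eks.result == 'failure') && 'failure' ||
            (needs.build.result == 'cancelled') && 'cancelled' ||
            'success' }}
      environment: ${{ inputs.environment }}
      version: ${{ needs.release.outputs.version }}
      changelog: ${{ needs.release.outputs.changelog }}
      mention_on_failure: ${{ inputs.notify_mention_on_failure }}
    secrets: inherit

  # ============================================
  # CREATE ISSUE - On failure (runs last, always)
  # ============================================
  # `always()` is intentional here, as for `notify`.
  create-issue:
    name: Create Issue
    if: |
      inputs.run_create_issue_on_failure &&
      always()
    needs: [build, test, artifact, deploy-ec2, deploy-ec2-vpn, deploy-eks, cleanup, release, tag]
    uses: ./.github/workflows/shared-create-issue-on-failure.yml
    with:
      status: >-
        ${{ (needs.build.result == 'failure' ||
             needs.test.result == 'failure' ||
             needs.artifact.result == 'failure' ||
             needs.deploy-ec2.result == 'failure' ||
             needs.deploy-ec2-vpn.result == 'failure' ||
             needs.deploy-eks.result == 'failure') && 'failure' ||
            'success' }}
      environment: ${{ inputs.environment }}
      version: ${{ needs.release.outputs.version }}
      changelog: ${{ needs.release.outputs.changelog }}
      labels: ${{ inputs.issue_labels }}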