DevSecOps-Simplon-Training · thomase-spl · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026 · Jun 4, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,14 @@
+# Syntaxe : <pattern de fichier>  <@utilisateur ou @org/équipe>
+
+# Par défaut : tout changement requiert une review de ces personnes
+*                          @thomase-spl
+
+# Les workflows CI/CD ne peuvent être modifiés que par le lead DevOps
+.github/workflows/         @thomase-spl
+
+# Le fichier de dépendances requiert une validation technique
+ressources/requirements.txt  @thomase-spl
+
+# Les fichiers de sécurité requièrent une double validation
+.github/dependabot.yml     @thomase-spl
+.github/CODEOWNERS         @thomase-spl
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+version: 2
+
+updates:
+  # ── Mettre à jour les actions GitHub ──────────────────────────────
+  - package-ecosystem: "github-actions"
+    directory: "/"                    # cherche dans .github/workflows/
+    schedule:
+      interval: "weekly"             # vérifie chaque semaine
+    labels:
+      - "dependencies"
+      - "github-actions"
+
+  # ── Mettre à jour les dépendances Python ──────────────────────────
+  - package-ecosystem: "pip"
+    directory: "/ressources"         # cherche requirements.txt ici
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "python"
+    open-pull-requests-limit: 5      # max 5 PRs ouvertes en même temps
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,18 +1,62 @@
-name: CI
+name: CI — NexaCloud API
 
 on:
   push:
-    branches: [ "main" ]
+    branches: [main]
   pull_request:
-    branches: [ "main" ]
+    branches: [main]
 
 jobs:
-  build:
+  test:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Example step
-        run: echo "Add your build/test steps here!"
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Cache pip
+        uses: actions/cache@v4
+        with:
+          path: ~/.cache/pip
+          key: ${{ runner.os }}-pip-${{ hashFiles('ressources/requirements.txt') }}
+
+      - name: Installer les dépendances
+        run: pip install -r ressources/requirements.txt
+
+      - name: Lancer les tests
+        run: pytest ressources/ -v
+
+      - name: Tests avec couverture
+        run: pytest ressources/ -v --cov=ressources --cov-report=term-missing
+
+      - name: Générer le rapport HTML
+        run: pytest ressources/ --cov=ressources --cov-report=html
+
+      - name: Upload du rapport
+        uses: actions/upload-artifact@v7
+        with:
+          name: rapport-couverture
+          path: htmlcov/
+
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Installer flake8
+        run: pip install flake8
+
+      - name: Lint avec flake8
+        run: flake8 ressources/ --config ressources/.flake8
diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml
@@ -0,0 +1,88 @@
+name: CI/CD — NexaCloud API
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  # ── Job 1 : Qualité ────────────────────────────────────────────────
+  qualite:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - run: pip install -r ressources/requirements.txt
+
+      - name: Lint
+        run: flake8 ressources/ --config ressources/.flake8
+
+      - name: Tests
+        run: pytest ressources/ -v --cov=ressources
+
+  # ── Job 2 : Staging ───────────────────────────────────────────────
+  staging:
+    runs-on: ubuntu-latest
+    needs: qualite                 # attend que le job qualite réussisse
+    environment: staging
+    if: github.ref_name == 'main'  # uniquement sur la branche main
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Installer les dépendances
+        run: pip install -r ressources/requirements.txt
+
+      - name: Déployer sur Azure App Service (staging)
+        uses: azure/webapps-deploy@v3
+        with:
+          app-name: "ten-nexacloud-api-staging-27050"
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_STAGING }}
+          package: ressources/
+
+        # Smoke test post-déploiement : vérifier que l'app répond avant de valider
+      - name: Smoke test post-déploiement
+        run: |
+            sleep 30   # attendre que l'app démarre
+            curl --fail https://ten-nexacloud-api-staging-27050.azurewebsites.net/health || exit 1
+# Si ce test échoue, le job échoue → on peut déclencher un rollback
+
+  # ── Job 3 : Production ────────────────────────────────────────────
+  production:
+    runs-on: ubuntu-latest
+    needs: staging
+    environment: production
+    if: github.ref_name == 'main'
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Installer les dépendances
+        run: pip install -r ressources/requirements.txt
+
+      - name: Déployer sur Azure App Service (production)
+        uses: azure/webapps-deploy@v3
+        with:
+          app-name: "ten-nexacloud-api-production-29408"
+          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE_PRODUCTION }}
+          package: ressources/
+
+        # Smoke test post-déploiement : vérifier que l'app répond avant de valider
+      - name: Smoke test post-déploiement
+        run: |
+            sleep 30   # attendre que l'app démarre
+            curl --fail https://ten-nexacloud-api-production-29408.azurewebsites.net/health || exit 1
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,26 +1,32 @@
-name: Run Azure Login with OIDC
+name: Deploy
 
 on:
-  workflow_dispatch: 
-
-permissions:
-  id-token: write
-  contents: read
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Choix de l'environnement de déploiement"
+        required: true
+        default: "staging"
+        type: choice
+        options:
+          - staging
+          - production
 
 jobs:
-  build-and-deploy:
+  deploy:
     runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+
     steps:
-      - name: Azure login
-        uses: azure/login@v3
-        with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Checkout
+        uses: actions/checkout@v4
 
-      - name: Azure CLI script
-        uses: azure/cli@v2
-        with:
-          azcliversion: latest
-          inlineScript: |
-            az account show
+      - name: Déployer en ${{ inputs.environment }}
+        run: |
+          if [ "${{ inputs.environment }}" = "production" ]; then
+            echo "🚀 Déploiement en PRODUCTION"
+            echo "URL : https://nexacloud.example.com"
+          else
+            echo "✅ Déploiement en STAGING"
+            echo "URL : https://staging.nexacloud.example.com"
+          fi
diff --git a/.github/workflows/hello.yml b/.github/workflows/hello.yml
@@ -0,0 +1,27 @@
+name: Hello NexaCloud
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:       # permet de déclencher manuellement depuis l'interface GitHub
+
+jobs:
+  salutation:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout du code
+        uses: actions/checkout@v4
+
+      - name: Informations sur l'environnement
+        run: |
+          echo "Repo    : ${{ github.repository }}"
+          echo "Branche : ${{ github.ref_name }}"
+          echo "Commit  : ${{ github.sha }}"
+          echo "Acteur  : ${{ github.actor }}"
+
+      - name: Lister les fichiers du repo
+        run: ls -la
+
+      - name: Afficher la date et l'heure
+        run: date
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
@@ -0,0 +1,15 @@
+name: Demo Secrets
+
+on:
+  workflow_dispatch:
+
+jobs:
+  demo:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Utiliser le secret
+        run: |
+          echo "La clé existe : ${{ secrets.API_KEY != '' }}"
+          # ⚠️ Cette ligne sera masquée dans les logs :
+          echo "Valeur : ${{ secrets.API_KEY }}"
diff --git a/notes.md b/notes.md
@@ -0,0 +1 @@
+# Mon TP GitHub Actions 
diff --git a/ressources/test_app.py b/ressources/test_app.py
@@ -57,3 +57,5 @@ def test_logs_critical_alerte(client):
     assert "critical_count" in data
     assert "alerte" in data
     assert data["alerte"] is True
+
+# no change, some test