chore(security): enhance environment configuration, CI workflows, and wallet daemon with security improvements

- Restructure .env.example with security-focused documentation, service-specific environment file references, and AWS Secrets Manager integration - Update CLI tests workflow to single Python 3.13 version, add pytest-mock dependency, and consolidate test execution with coverage - Add comprehensive security validation to package publishing workflow with manual approval gates, secret scanning, and release
2026-03-03 10:33:46 +01:00
parent 00d00cb964
commit f353e00172
220 changed files with 42506 additions and 921 deletions
--- a/.github/workflows/production-deploy.yml
+++ b/.github/workflows/production-deploy.yml
@@ -0,0 +1,188 @@
+name: Production Deployment
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Deployment environment'
+        required: true
+        default: 'staging'
+        type: choice
+        options:
+        - staging
+        - production
+
+jobs:
+  security-scan:
+    runs-on: ubuntu-latest
+    name: Security Scanning
+    outputs:
+      security-passed: ${{ steps.security-check.outputs.passed }}
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Run comprehensive security scan
+        run: |
+          python scripts/focused_dotenv_linter.py --check
+          bandit -r . -f json -o bandit-report.json
+          slither contracts/ --json slither-report.json
+          
+      - name: Security validation
+        id: security-check
+        run: |
+          if [ -f bandit-report.json ] && [ -f slither-report.json ]; then
+            echo "passed=true" >> $GITHUB_OUTPUT
+          else
+            echo "passed=false" >> $GITHUB_OUTPUT
+            exit 1
+          fi
+
+  build-and-test:
+    runs-on: ubuntu-latest
+    name: Build and Test
+    needs: security-scan
+    if: needs.security-scan.outputs.security-passed == 'true'
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+          cache: 'pip'
+      
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install -e packages/py/aitbc-crypto
+          pip install pytest pytest-cov pytest-asyncio
+      
+      - name: Run comprehensive tests
+        run: |
+          python -m pytest -m "not slow" --cov=aitbc_cli --cov-report=xml --cov-fail-under=90
+      
+      - name: Build application
+        run: |
+          python -m build
+          
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist/
+          retention-days: 30
+
+  deploy-staging:
+    runs-on: ubuntu-latest
+    name: Deploy to Staging
+    needs: build-and-test
+    if: github.ref == 'refs/heads/main' || github.event.inputs.environment == 'staging'
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist/
+      
+      - name: Deploy to staging
+        run: |
+          echo "Deploying to staging environment..."
+          # Add staging deployment commands here
+          # Example: scp to staging server, restart services, etc.
+      
+      - name: Run smoke tests
+        run: |
+          python scripts/smoke_tests.py --environment=staging
+      
+      - name: Health check
+        run: |
+          curl -f https://staging.aitbc.dev/health || exit 1
+
+  deploy-production:
+    runs-on: ubuntu-latest
+    name: Deploy to Production
+    needs: [build-and-test, deploy-staging]
+    if: startsWith(github.ref, 'refs/tags/v') || github.event.inputs.environment == 'production'
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist/
+      
+      - name: Create production backup
+        run: |
+          echo "Creating production backup..."
+          # Add backup commands here
+      
+      - name: Deploy to production
+        run: |
+          echo "Deploying to production environment..."
+          # Add production deployment commands here
+      
+      - name: Run production smoke tests
+        run: |
+          python scripts/smoke_tests.py --environment=production
+      
+      - name: Production health check
+        run: |
+          curl -f https://api.aitbc.dev/health || exit 1
+      
+      - name: Update monitoring
+        run: |
+          if [ -n "${{ secrets.MONITORING_TOKEN }}" ]; then
+            curl -X POST https://monitoring.aitbc.net/api/deployment \
+              -H "Authorization: Bearer ${{ secrets.MONITORING_TOKEN }}" \
+              -d '{"version": "${{ github.ref_name }}", "environment": "production"}'
+          fi
+
+  post-deployment:
+    runs-on: ubuntu-latest
+    name: Post-Deployment Verification
+    needs: [deploy-staging, deploy-production]
+    if: always() && (needs.deploy-staging.result == 'success' || needs.deploy-production.result == 'success')
+    steps:
+      - name: Notify team
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const environment = '${{ github.event.inputs.environment || (startsWith(github.ref, 'refs/tags/v') && 'production' || 'staging') }}';
+            const deploymentUrl = environment === 'production' ? 'https://aitbc.dev' : 'https://staging.aitbc.dev';
+            
+            const message = `🚀 **Deployment Complete**
+            
+            **Environment**: ${environment}
+            **Version**: ${github.ref_name}
+            **URL**: ${deploymentUrl}
+            **Commit**: ${github.sha}
+            
+            **Next Steps**:
+            1. Verify functionality at ${deploymentUrl}
+            2. Check monitoring dashboard
+            3. Review deployment logs
+            4. Update documentation if needed`;
+            
+            github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: `Deployment Complete: ${environment} - ${github.ref_name}`,
+              body: message,
+              labels: ['deployment', environment]
+            });
+      
+      - name: Update documentation
+        run: |
+          echo "Updating API documentation..."
+          # Add documentation update commands here
+      
+      - name: Performance baseline
+        run: |
+          python scripts/performance_baseline.py --environment=${{ github.event.inputs.environment || 'staging' }}