-rw-r--r--.github/workflows/cd-dev.yml31
-rw-r--r--.github/workflows/cd.yml (renamed from .github/workflows/main-branch.yml)2
-rw-r--r--.github/workflows/ci.yml62
-rw-r--r--.github/workflows/dev-branch.yml90
-rw-r--r--.github/workflows/feature-branch.yml43
-rw-r--r--.github/workflows/main-pr-label.yml (renamed from .github/workflows/main-pr-release.yml)2
-rw-r--r--.github/workflows/main-pr-redirect.yml (renamed from .github/workflows/main-pr.yml)2
-rw-r--r--README.md38
8 files changed, 118 insertions, 152 deletions
diff --git a/.github/workflows/cd-dev.yml b/.github/workflows/cd-dev.yml
new file mode 100644
index 0000000..9610ca9
--- /dev/null
+++ b/.github/workflows/cd-dev.yml
@@ -0,0 +1,31 @@
+name: Create and release development container
+on:
+ workflow_run:
+ workflows: ["Build, test, security"]
+ types:
+ - completed
+ branches:
+ - dev
+jobs:
+ Create-and-release-dev-container:
+ name: Build the dev docker container image and push it to dockerhub
+ runs-on: ubuntu-latest
+ needs: Build
+ steps:
+ - uses: actions/checkout@v4
+ - uses: dawidd6/action-download-artifact@v6
+ with:
+ github_token: ${{ secrets.TOKEN_GITHUB }}
+ workflow: ${{ github.workflow_run.id }}
+ name: dev-build-files
+ path: ./build
+ - uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+ - uses: docker/build-push-action@v5
+ with:
+ push: true
+ context: .
+ file: ./docker/dev/Dockerfile
+ tags: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:latest
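Review bot: `needs: Build` on the `Create-and-release-dev-container` job names a job that does not exist in this workflow (`Build` lives in ci.yml), and GitHub refuses to run a workflow whose `needs` points at an unknown job, so this file will fail validation before any step runs; the line should simply be dropped. The artifact lookup `workflow: ${{ github.workflow_run.id }}` also looks wrong: the triggering run is exposed under the event payload as `github.event.workflow_run`, and the action takes a run id through its `run_id` input rather than `workflow`, i.e. `run_id: ${{ github.event.workflow_run.id }}`. Since `types: [completed]` fires for failed and cancelled runs as well, a job-level `if: ${{ github.event.workflow_run.conclusion == 'success' }}` makes it explicit that a red "Build, test, security" run never feeds a `pico-web-dev:latest` push (the missing `dev-build-files` artifact would probably make the download fail anyway, but the guard states the intent and gives a clearer failure). `secrets.TOKEN_GITHUB` appears to be a personal token; for artifacts from the same repository the default `github.token` should suffice, which avoids keeping a long-lived PAT in the secret store.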
diff --git a/.github/workflows/main-branch.yml b/.github/workflows/cd.yml
index aaf378c..2419fe2 100644
--- a/.github/workflows/main-branch.yml
+++ b/.github/workflows/cd.yml
@@ -1,4 +1,4 @@
-name: Create release and push production server image to dockerhub
+name: Release and deploy new version
on:
push:
branches:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..0765ada
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,62 @@
+name: Build, test, security
+on:
+ push:
+ branches-ignore:
+ - main
+jobs:
+ Clone-repo:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ - uses: actions/upload-artifact@v3
+ with:
+ name: source-code
+ path: .
+
+ SAST-Unit-tests:
+ runs-on: ubuntu-latest
+ needs: Clone-repo
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - run: make tests
+
+ SAST-clang:
+ runs-on: ubuntu-latest
+ needs: Clone-repo
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - run: make static-analysis
+
+ SAST-flawfinder:
+ runs-on: ubuntu-latest
+ needs: Clone-repo
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - run: sudo apt-get install -y flawfinder
+ - run: make security-analysis
+
+ Build:
+ runs-on: ubuntu-latest
+ needs: [ SAST-Unit-tests, SAST-clang, SAST-flawfinder ]
+ steps:
+ - uses: actions/download-artifact@v3
+ with:
+ name: source-code
+ path: .
+ - name: Build server and browser
+ run: make dev
+ - uses: actions/upload-artifact@v3
+ with:
+ name: dev-build-files
+ path: ./build
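Review bot: The new workflow sets no `permissions:` block, so every push to any non-`main` branch runs with the repository's default `GITHUB_TOKEN` scopes, which is more than checkout and artifact transfer need; a top-level `permissions:` with `contents: read` under `name:` should be enough and keeps the token least-privilege. The comment explaining why the `Clone-repo` job exists (all other jobs consume one snapshot so a commit pushed mid-run cannot make them test different code) was in both deleted workflows but did not survive into ci.yml; carry it over above `Clone-repo:`. Naming the job `SAST-Unit-tests` is misleading since unit tests are not static analysis; `Unit-tests` (or `Tests`, as before) reads more honestly alongside `SAST-clang` and `SAST-flawfinder`. The actions are referenced by mutable major tags (`@v3`, `@v4`); pinning to full commit SHAs is the usual hardening for a pipeline that goes on to publish container images.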
diff --git a/.github/workflows/dev-branch.yml b/.github/workflows/dev-branch.yml
deleted file mode 100644
index 7198d8e..0000000
--- a/.github/workflows/dev-branch.yml
+++ /dev/null
@@ -1,90 +0,0 @@
-name: Tests, analysis and push to dev dockerhub
-on:
- push:
- branches:
- - dev
-jobs:
- # This is done to prevent potential race conditions;
- # multiple jobs start with the source code, but since
- # they have no "needs", one could start a little bit later,
- # and in meantime a commit could be pushed
- Clone-repo:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- submodules: recursive
- - uses: actions/upload-artifact@v3
- with:
- name: source-code
- path: .
-
- Tests:
- runs-on: ubuntu-latest
- needs: Clone-repo
- steps:
- - uses: actions/download-artifact@v3
- with:
- name: source-code
- path: .
- - name: Run tests
- run: make tests
-
- Static-analysis:
- runs-on: ubuntu-latest
- needs: Clone-repo
- steps:
- - uses: actions/download-artifact@v3
- with:
- name: source-code
- path: .
- - name: Run satic analysis
- run: make static-analysis
-
- Security-analysis:
- runs-on: ubuntu-latest
- needs: Clone-repo
- steps:
- - uses: actions/download-artifact@v3
- with:
- name: source-code
- path: .
- - run: sudo apt-get install -y flawfinder
- - name: Run security analysis
- run: make security-analysis
-
- Build:
- runs-on: ubuntu-latest
- needs: [ Tests, Static-analysis, Security-analysis ]
- steps:
- - uses: actions/download-artifact@v3
- with:
- name: source-code
- path: .
- - name: Build server and browser
- run: make dev
- - uses: actions/upload-artifact@v3
- with:
- name: dev-build-files
- path: ./build
-
- Build-docker-and-push:
- name: Build the docker container image and push it to dockerhub
- runs-on: ubuntu-latest
- needs: Build
- steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v3
- with:
- name: dev-build-files
- path: ./build
- - uses: docker/login-action@v3
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
- - uses: docker/build-push-action@v5
- with:
- push: true
- context: .
- file: ./docker/dev/Dockerfile
- tags: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-dev:latest
diff --git a/.github/workflows/feature-branch.yml b/.github/workflows/feature-branch.yml
deleted file mode 100644
index 3ff1833..0000000
--- a/.github/workflows/feature-branch.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: Tests and static analysis
-on:
- push:
- branches-ignore:
- - main
- - dev
-jobs:
- # This is done to prevent potential race conditions;
- # multiple jobs start with the source code, but since
- # they have no "needs", one could start a little bit later,
- # and in meantime a commit could be pushed
- Clone-repo:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- submodules: recursive
- - uses: actions/upload-artifact@v3
- with:
- name: source-code
- path: .
-
- Tests:
- runs-on: ubuntu-latest
- needs: Clone-repo
- steps:
- - uses: actions/download-artifact@v3
- with:
- name: source-code
- path: .
- - name: Run tests
- run: make tests
-
- Static-analysis:
- runs-on: ubuntu-latest
- needs: Clone-repo
- steps:
- - uses: actions/download-artifact@v3
- with:
- name: source-code
- path: .
- - name: Run static analysis
- run: make static-analysis
diff --git a/.github/workflows/main-pr-release.yml b/.github/workflows/main-pr-label.yml
index cc37dc7..73518b9 100644
--- a/.github/workflows/main-pr-release.yml
+++ b/.github/workflows/main-pr-label.yml
@@ -1,4 +1,4 @@
-name: Check for release label inside pull request
+name: Check for release label inside PR to main
on:
pull_request:
types: [opened, edited, reopened, labeled, unlabeled, ready_for_review, review_requested, synchronize]
diff --git a/.github/workflows/main-pr.yml b/.github/workflows/main-pr-redirect.yml
index f68aaaf..52779a6 100644
--- a/.github/workflows/main-pr.yml
+++ b/.github/workflows/main-pr-redirect.yml
@@ -1,4 +1,4 @@
-name: Force to dev PRs not from dev to main
+name: Redirect PR base when it's main and head isn't dev
on:
pull_request:
types: [opened, edited, reopened, synchronize]
diff --git a/README.md b/README.md
index b1b36f6..8061058 100644
--- a/README.md
+++ b/README.md
@@ -1,50 +1,56 @@
# pico-web
-Small client-server application.
+Small client-server network socket application.
The server receives a URL from a client and returns the appropriate page.
-## DevOps lifecycle
+## DevSecOps lifecycle
### 1. Plan
-With [GitHub issues](https://github.com/Syndamia/pico-web/issues) modifications to the project are started and discussed
+With [GitHub issues](https://github.com/Syndamia/pico-web/issues) and/or [GitHub pull requests](https://github.com/Syndamia/pico-web/pulls) modifications to the project are started and discussed
### 2. Code
Our branching strategy is a "feature workflow with stable branches", meaning:
-- a feature branch is created for each issue
-- after the issue is resolved in that branch, it is merged into the `dev` branch
+- a feature branch is created (for each issue)
+- after the feature is completed in the branch, it is merged into the `dev` branch
- after enough time has passed, the `dev` branch is merged into the `main` branch
-You must only push commits to feature branches.
+Feature branches don't require special naming (though obviously can't be called `dev` or `main`).
Code can be added to `dev` only via pull requests from feature branches.
Code can be added to `main` only via pull requests from `dev`.
Merge requests must always be approved by a contributor and `dev` merge requests to `main` must always have one of these labels: `release:major`, `release:minor` or `release:patch`.
-### 3. CI
+These constraints are checked with workflows.
-On each push to feature branches and `dev` we execute the "feature-branch" pipeline, during which we run:
+### 3. Continuous Integration: Build, Test, Security
-- SAST: unit tests, [clang](TODO)'s `--analyze` static analysis and [flawfinder](TODO)'s security analysis <!-- and SonarCloud, Trivy -->
+On each push to feature branches and `dev` we execute the "cd" pipeline, during which we do:
+
+- SAST, with multiple different tools:
+ - unit tests
+ - [clang](TODO)'s `--analyze` static analysis
+ - [flawfinder](TODO)'s security analysis
+ <!-- and SonarCloud, Trivy -->
<!--
- SCA: https://github.com/multilang-depends/depends
-->
-- the `Makefile` for building our application
+- Application build
+- *(on `dev` branch)* Build and push to development [dockerhub](https://hub.docker.com/r/syndamia/pico-web-dev)
-### 4. CD
+### 4. Continuous Deployment: Release, Deploy
On each successful merge request to `dev`,
-- a development docker image is deployed to [dockerhub](https://hub.docker.com/r/syndamia/pico-web-dev) and
-- the development Kubernetes cluster is deployed with [minikube](TODO) in the pipeline
+- a development docker image is released to [dockerhub](https://hub.docker.com/r/syndamia/pico-web-dev)
On each successful merge request to `main`,
-- the production docker image is deployed to [dockerhub](https://hub.docker.com/r/syndamia/pico-web),
-- the production Kubernetes cluster is deployed with [minkube](TODO) in the pipeline and
-- a [GitHub release](https://github.com/Syndamia/pico-web/releases) is created, according to the pull request label
+- the production docker image is released to [dockerhub](https://hub.docker.com/r/syndamia/pico-web),
+- a [GitHub release](https://github.com/Syndamia/pico-web/releases) is created, according to the pull request label, and
+- the kubernetes cluster is deployed with [minkube](TODO) in the pipeline
## Project details