From 3e702fdbf3ccb200193ee837870cd5e9b65530ae Mon Sep 17 00:00:00 2001
From: syoul
Date: Mon, 23 Mar 2026 14:41:32 +0100
Subject: [PATCH] ci: remplace plugin-docker-buildx par docker:27-cli + socket
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Evite le mode privileged (non supporté par YunoHost Woodpecker). Pattern: write-docker-creds (from_secret) → docker-backend/frontend (volumes).
Co-Authored-By: Claude Sonnet 4.6
---
.woodpecker.yml | 95 ++++++++++++++++++++++++++++++++-----------------
1 file changed, 62 insertions(+), 33 deletions(-)
diff --git a/.woodpecker.yml b/.woodpecker.yml
index 8f5b62f..a9970b2 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -29,45 +29,74 @@ steps: - npm ci - npm run build - - name: docker-backend - image: woodpeckerci/plugin-docker-buildx - privileged: true + # NOTE: from_secret + pas de volumes : compatible + - name: write-docker-creds + image: alpine:3.20 depends_on: - test-backend - settings: - repo: ${CI_FORGE_URL}/${CI_REPO}/backend - dockerfile: docker/backend.Dockerfile - context: . - tag: - - latest - - ${CI_COMMIT_SHA:0:8} - target: production - registry: - from_secret: docker_registry - username: - from_secret: docker_username - password: - from_secret: docker_password - - - name: docker-frontend - image: woodpeckerci/plugin-docker-buildx - privileged: true - depends_on: - test-frontend - settings: - repo: ${CI_FORGE_URL}/${CI_REPO}/frontend - dockerfile: docker/frontend.Dockerfile - context: . - tag: - - latest - - ${CI_COMMIT_SHA:0:8} - target: production - registry: + environment: + REGISTRY: from_secret: docker_registry - username: + REGISTRY_USER: from_secret: docker_username - password: + REGISTRY_PASS: from_secret: docker_password + commands: + - echo "REGISTRY=$REGISTRY" > .docker-creds + - echo "REGISTRY_USER=$REGISTRY_USER" >> .docker-creds + - echo "REGISTRY_PASS=$REGISTRY_PASS" >> .docker-creds + - echo "Docker creds ecrites" + + # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis. 
+ - name: docker-backend + image: docker:27-cli + depends_on: + - write-docker-creds + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - | + REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) + REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2) + REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2) + docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS" + - | + REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) + SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) + REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z') + IMAGE="$REGISTRY/$REPO/backend" + docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \ + -f docker/backend.Dockerfile \ + --target production \ + . + docker push "$IMAGE:latest" + docker push "$IMAGE:$SHA" + + # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis. + - name: docker-frontend + image: docker:27-cli + depends_on: + - write-docker-creds + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - | + REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) + REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2) + REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2) + docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS" + - | + REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) + SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) + REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z') + IMAGE="$REGISTRY/$REPO/frontend" + docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \ + -f docker/frontend.Dockerfile \ + --target production \ + . + docker push "$IMAGE:latest" + docker push "$IMAGE:$SHA" # SBOM — inventaire des dépendances (filesystem scan, pas de registry auth requis) - name: sbom-generate
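Review bot: The new `write-docker-creds` step leaves the registry password in plaintext in `.docker-creds` inside the shared workspace, and both `docker build` commands use `.` as the build context, so the file is sent to the daemon and can end up in an image layer through any `COPY . .` unless `.dockerignore` excludes it (the Dockerfiles are not visible in this patch). Nothing deletes the file either, so every later step in the pipeline can read it; I would add `.docker-creds` to `.dockerignore` and remove it in a cleanup step that depends on both `docker-backend` and `docker-frontend`. In the login blocks of both steps, `cut -d= -f2` truncates any value containing `=` and `-p` puts the password on the process command line; prefer `cut -d= -f2-` and `printf '%s' "$REGISTRY_PASS" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin`. Separately, mounting `/var/run/docker.sock` gives these steps full control of the host Docker daemon, which is equivalent to root on the host rather than a reduction from `privileged: true`. The `# NOTE:` comments above the two steps should state that, so nobody reads "Pas de privileged requis" as a lower-privilege setup.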