forked from yvv/decision
73c5bf148c
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- docker-compose.yml : labels SERVICE_* Registrator, réseau sonic external, container_name explicite, name COMPOSE_PROJECT_NAME - pipeline : APP_DOMAIN (au lieu de DOMAIN), ACME sonic-acme-1 pour TLS, test-deploy sans suffixe -1 (container_name fixe) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
226 lines
7.9 KiB
YAML
226 lines
7.9 KiB
YAML
when:
|
|
- branch: main
|
|
event: push
|
|
|
|
steps:
|
|
|
|
- name: security-check
|
|
image: alpine:3.20
|
|
commands:
|
|
- |
|
|
if [ -f .env ]; then
|
|
echo "ERREUR: .env ne doit pas etre commite dans le depot"
|
|
exit 1
|
|
fi
|
|
- 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
|
|
- echo "Security check OK"
|
|
|
|
- name: test-backend
|
|
image: python:3.11-slim
|
|
commands:
|
|
- cd backend
|
|
- pip install --no-cache-dir -r requirements.txt
|
|
- pytest app/tests/ -v --tb=short
|
|
|
|
- name: test-frontend
|
|
image: node:20-slim
|
|
commands:
|
|
- cd frontend
|
|
- npm ci
|
|
- npm run build
|
|
|
|
# NOTE: volumes + pas de from_secret : compatible
|
|
- name: build-backend
|
|
image: docker:27-cli
|
|
depends_on:
|
|
- test-backend
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
commands:
|
|
- docker build -t libredecision-backend:latest -f docker/backend.Dockerfile --target production .
|
|
- echo "Image backend construite"
|
|
|
|
# NOTE: volumes + pas de from_secret : compatible
|
|
- name: build-frontend
|
|
image: docker:27-cli
|
|
depends_on:
|
|
- test-frontend
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
commands:
|
|
- docker build -t libredecision-frontend:latest -f docker/frontend.Dockerfile --target production .
|
|
- echo "Image frontend construite"
|
|
|
|
# NOTE: volumes + pas de from_secret : compatible
|
|
- name: sbom-generate
|
|
image: alpine:3.20
|
|
depends_on:
|
|
- build-backend
|
|
- build-frontend
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
commands:
|
|
- apk add --no-cache curl
|
|
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
|
|
- mkdir -p .reports
|
|
- syft libredecision-backend:latest -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json
|
|
- syft libredecision-frontend:latest -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json
|
|
- echo "SBOM generes"
|
|
|
|
# NOTE: volumes + pas de from_secret : compatible
|
|
- name: sbom-scan
|
|
image: aquasec/trivy:latest
|
|
depends_on:
|
|
- sbom-generate
|
|
volumes:
|
|
- /home/syoul/trivy-cache:/root/.cache/trivy
|
|
commands:
|
|
- trivy sbom --format json --output .reports/trivy-backend.json .reports/sbom-backend.cyclonedx.json
|
|
- trivy sbom --format json --output .reports/trivy-frontend.json .reports/sbom-frontend.cyclonedx.json
|
|
- echo "Scan CVE termine"
|
|
|
|
# NOTE: from_secret + pas de volumes : compatible
|
|
- name: sbom-publish
|
|
image: alpine/curl:latest
|
|
depends_on:
|
|
- sbom-scan
|
|
environment:
|
|
DTRACK_TOKEN:
|
|
from_secret: dependency_track_token
|
|
DTRACK_DOMAIN:
|
|
from_secret: dtrack_domain
|
|
commands:
|
|
- |
|
|
VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
|
|
for COMPONENT in backend frontend; do
|
|
HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \
|
|
-H "X-Api-Key: $DTRACK_TOKEN" \
|
|
-F "autoCreate=true" \
|
|
-F "projectName=libredecision-$COMPONENT" \
|
|
-F "projectVersion=$VERSION" \
|
|
-F "bom=@.reports/sbom-$COMPONENT.cyclonedx.json")
|
|
echo "HTTP $HTTP ($COMPONENT) : $(cat /tmp/dtrack-resp.txt)"
|
|
[ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
|
|
done
|
|
|
|
# NOTE: from_secret + pas de volumes : compatible
|
|
- name: write-env
|
|
image: alpine:3.20
|
|
depends_on:
|
|
- sbom-publish
|
|
environment:
|
|
APP_DOMAIN:
|
|
from_secret: app_domain
|
|
POSTGRES_PASSWORD:
|
|
from_secret: postgres_password
|
|
SECRET_KEY:
|
|
from_secret: secret_key
|
|
commands:
|
|
- echo "APP_DOMAIN=$APP_DOMAIN" > .env.deploy
|
|
- echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> .env.deploy
|
|
- echo "SECRET_KEY=$SECRET_KEY" >> .env.deploy
|
|
- OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
|
|
- echo ".env.deploy cree ($(wc -c < .env.deploy) octets)"
|
|
|
|
- name: test-env
|
|
image: alpine:3.20
|
|
depends_on:
|
|
- write-env
|
|
commands:
|
|
- |
|
|
[ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; }
|
|
echo "PASS: .env.deploy present"
|
|
- |
|
|
VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
|
|
[ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1
|
|
echo "PASS: COMPOSE_PROJECT_NAME = $VAL"
|
|
- |
|
|
VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
|
|
[ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1
|
|
echo "PASS: APP_DOMAIN = $VAL"
|
|
|
|
# NOTE: volumes + pas de from_secret : compatible
|
|
# Fabio/Traefik routing géré via labels du docker-compose.yml
|
|
- name: deploy
|
|
image: docker:27-cli
|
|
depends_on:
|
|
- test-env
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- /opt/libredecision:/opt/libredecision
|
|
commands:
|
|
- cp .env.deploy /opt/libredecision/.env
|
|
- chmod 600 /opt/libredecision/.env
|
|
- cp docker/docker-compose.yml /opt/libredecision/docker-compose.yml
|
|
# Arreter avant le challenge ACME : libere le webroot pour sonic-acme-1
|
|
- cd /opt/libredecision && docker compose stop
|
|
- |
|
|
DOMAIN=$(grep '^APP_DOMAIN=' /opt/libredecision/.env | cut -d= -f2)
|
|
ACME_EXIT=0
|
|
docker exec sonic-acme-1 /app/acme.sh \
|
|
--home /etc/acme.sh \
|
|
--issue -d "$DOMAIN" \
|
|
--webroot /usr/share/nginx/html \
|
|
--server letsencrypt \
|
|
--accountemail support+acme@asycn.io || ACME_EXIT=$?
|
|
if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
|
|
echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
|
|
exit 1
|
|
fi
|
|
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
|
|
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
|
|
echo "TLS OK (acme exit $ACME_EXIT)"
|
|
# Images construites localement dans la pipeline : pas de docker compose pull
|
|
- cd /opt/libredecision && docker compose up -d --remove-orphans
|
|
- cd /opt/libredecision && docker compose ps
|
|
|
|
# Vérification que les containers sont running
|
|
- name: test-deploy
|
|
image: docker:27-cli
|
|
depends_on:
|
|
- deploy
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- /opt/libredecision:/opt/libredecision
|
|
commands:
|
|
- |
|
|
PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/libredecision/.env | cut -d= -f2)
|
|
for SVC in backend frontend; do
|
|
STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-$SVC" 2>/dev/null || echo "absent")
|
|
echo "$PROJECT-$SVC : $STATUS"
|
|
[ "$STATUS" = "running" ] || { echo "FAIL: $PROJECT-$SVC non running"; exit 1; }
|
|
done
|
|
echo "PASS: tous les containers running"
|
|
|
|
- name: healthcheck
|
|
image: alpine:3.20
|
|
depends_on:
|
|
- test-deploy
|
|
commands:
|
|
- apk add --no-cache --quiet curl
|
|
- |
|
|
SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
|
|
TARGET="https://$SITE"
|
|
echo "Healthcheck $TARGET..."
|
|
MAX=60
|
|
i=0
|
|
until [ $i -ge $MAX ]; do
|
|
CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
|
|
echo "Tentative $((i+1))/$MAX - HTTP $CODE"
|
|
if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
|
|
echo "PASS: app repond sur $TARGET"
|
|
exit 0
|
|
fi
|
|
i=$((i+1))
|
|
sleep 10
|
|
done
|
|
echo "FAIL: app ne repond pas apres 10 minutes"
|
|
exit 1
|
|
|
|
- name: notify-failure
|
|
image: alpine:3.20
|
|
commands:
|
|
- 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"'
|
|
when:
|
|
- status: failure
|