EHV/decision
7
0
Fork 0
forked from yvv/decision
Code Pull Requests Activity
Files
3e702fdbf3ccb200193ee837870cd5e9b65530ae
decision/.woodpecker.yml
syoul 3e702fdbf3 ci: remplace plugin-docker-buildx par docker:27-cli + socket 
Evite le mode privileged (non supporté par YunoHost Woodpecker).
Pattern: write-docker-creds (from_secret) → docker-backend/frontend (volumes).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 14:41:32 +01:00

253 lines
8.7 KiB
YAML
Raw Blame History

when:
- branch: main
event: push
steps:
- name: security-check
image: alpine:3.20
commands:
- |
if [ -f .env ]; then
echo "ERREUR: .env ne doit pas etre commite dans le depot"
exit 1
fi
- 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
- echo "Security check OK"
- name: test-backend
image: python:3.11-slim
commands:
- cd backend
- pip install --no-cache-dir -r requirements.txt
- pytest app/tests/ -v --tb=short
- name: test-frontend
image: node:20-slim
commands:
- cd frontend
- npm ci
- npm run build
# NOTE: from_secret + pas de volumes : compatible
- name: write-docker-creds
image: alpine:3.20
depends_on:
- test-backend
- test-frontend
environment:
REGISTRY:
from_secret: docker_registry
REGISTRY_USER:
from_secret: docker_username
REGISTRY_PASS:
from_secret: docker_password
commands:
- echo "REGISTRY=$REGISTRY" > .docker-creds
- echo "REGISTRY_USER=$REGISTRY_USER" >> .docker-creds
- echo "REGISTRY_PASS=$REGISTRY_PASS" >> .docker-creds
- echo "Docker creds ecrites"
# NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis.
- name: docker-backend
image: docker:27-cli
depends_on:
- write-docker-creds
volumes:
- /var/run/docker.sock:/var/run/docker.sock
commands:
- |
REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2)
REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2)
docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS"
- |
REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z')
IMAGE="$REGISTRY/$REPO/backend"
docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \
-f docker/backend.Dockerfile \
--target production \
.
docker push "$IMAGE:latest"
docker push "$IMAGE:$SHA"
# NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis.
- name: docker-frontend
image: docker:27-cli
depends_on:
- write-docker-creds
volumes:
- /var/run/docker.sock:/var/run/docker.sock
commands:
- |
REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2)
REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2)
docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS"
- |
REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z')
IMAGE="$REGISTRY/$REPO/frontend"
docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \
-f docker/frontend.Dockerfile \
--target production \
.
docker push "$IMAGE:latest"
docker push "$IMAGE:$SHA"
# SBOM — inventaire des dépendances (filesystem scan, pas de registry auth requis)
- name: sbom-generate
image: alpine:3.20
depends_on:
- docker-backend
- docker-frontend
commands:
- apk add --no-cache curl
- curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
- mkdir -p .reports
- syft dir:backend -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json
- syft dir:frontend -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json
- echo "SBOM genere"
# NOTE: volumes + pas de from_secret : compatible
- name: sbom-scan
image: aquasec/trivy:latest
depends_on:
- sbom-generate
volumes:
- /home/syoul/trivy-cache:/root/.cache/trivy
commands:
- trivy sbom --format json --output .reports/trivy-backend.json .reports/sbom-backend.cyclonedx.json
- trivy sbom --format json --output .reports/trivy-frontend.json .reports/sbom-frontend.cyclonedx.json
- echo "Scan CVE termine"
# NOTE: from_secret + pas de volumes : compatible
- name: sbom-publish
image: alpine/curl:latest
depends_on:
- sbom-scan
environment:
DTRACK_TOKEN:
from_secret: dependency_track_token
DTRACK_DOMAIN:
from_secret: dtrack_domain
commands:
- |
VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
for COMPONENT in backend frontend; do
HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \
-H "X-Api-Key: $DTRACK_TOKEN" \
-F "autoCreate=true" \
-F "projectName=libredecision-$COMPONENT" \
-F "projectVersion=$VERSION" \
-F "bom=@.reports/sbom-$COMPONENT.cyclonedx.json")
echo "HTTP $HTTP ($COMPONENT) : $(cat /tmp/dtrack-resp.txt)"
[ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
done
# NOTE: from_secret + pas de volumes : compatible
- name: write-env
image: alpine:3.20
depends_on:
- sbom-publish
environment:
APP_DOMAIN:
from_secret: app_domain
POSTGRES_PASSWORD:
from_secret: postgres_password
SECRET_KEY:
from_secret: secret_key
commands:
- echo "DOMAIN=$APP_DOMAIN" > .env.deploy
- echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> .env.deploy
- echo "SECRET_KEY=$SECRET_KEY" >> .env.deploy
- OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
- echo ".env.deploy cree ($(wc -c < .env.deploy) octets)"
- name: test-env
image: alpine:3.20
depends_on:
- write-env
commands:
- |
[ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; }
echo "PASS: .env.deploy present"
- |
VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
[ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1
echo "PASS: COMPOSE_PROJECT_NAME = $VAL"
- |
VAL=$(grep '^DOMAIN=' .env.deploy | cut -d= -f2)
[ -z "$VAL" ] && echo "FAIL: DOMAIN vide" && exit 1
echo "PASS: DOMAIN = $VAL"
# NOTE: volumes + pas de from_secret : compatible
# Fabio/Traefik routing géré via labels du docker-compose.yml
- name: deploy
image: docker:27-cli
depends_on:
- test-env
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/libredecision:/opt/libredecision
commands:
- cp .env.deploy /opt/libredecision/.env
- chmod 600 /opt/libredecision/.env
- cp docker/docker-compose.yml /opt/libredecision/docker-compose.yml
- cd /opt/libredecision && docker compose pull
- cd /opt/libredecision && docker compose up -d --remove-orphans
- cd /opt/libredecision && docker compose ps
# Vérification que les containers sont running
- name: test-deploy
image: docker:27-cli
depends_on:
- deploy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/libredecision:/opt/libredecision
commands:
- |
PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/libredecision/.env | cut -d= -f2)
for SVC in backend frontend; do
STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-$SVC-1" 2>/dev/null || echo "absent")
echo "$PROJECT-$SVC-1 : $STATUS"
[ "$STATUS" = "running" ] || { echo "FAIL: $PROJECT-$SVC-1 non running"; exit 1; }
done
echo "PASS: tous les containers running"
- name: healthcheck
image: alpine:3.20
depends_on:
- test-deploy
commands:
- apk add --no-cache --quiet curl
- |
SITE=$(grep '^DOMAIN=' .env.deploy | cut -d= -f2)
TARGET="https://$SITE"
echo "Healthcheck $TARGET..."
MAX=60
i=0
until [ $i -ge $MAX ]; do
CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
echo "Tentative $((i+1))/$MAX - HTTP $CODE"
if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
echo "PASS: app repond sur $TARGET"
exit 0
fi
i=$((i+1))
sleep 10
done
echo "FAIL: app ne repond pas apres 10 minutes"
exit 1
- name: notify-failure
image: alpine:3.20
commands:
- 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"'
when:
- status: failure
View Git Blame Copy Permalink