From 4951e200996a6b51bf205de53b6ffe2e390de1f9 Mon Sep 17 00:00:00 2001 From: syoul Date: Mon, 23 Mar 2026 12:09:40 +0100 Subject: [PATCH] =?UTF-8?q?ci:=20r=C3=A9=C3=A9criture=20pipeline=20Woodpec?= =?UTF-8?q?ker=20next=20+=20migration=20Fabio?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Format liste steps (Woodpecker next) - Séparation from_secret / volumes (bug Woodpecker next) - Suppression $\{VAR\} → $VAR dans les commands - Ajout security-check, validate, test-backend - Ajout SBOM : syft + trivy + dependency-track - Ajout write-env / test-env / test-deploy / healthcheck - Remplacement SSH+registry → build local + deploy via Docker socket - docker-compose : Traefik → Fabio/Registrator (labels SERVICE_*) - docker-compose : build: → image: pré-construites Co-Authored-By: Claude Sonnet 4.6 --- .woodpecker.yml | 246 ++++++++++++++++++++++++++++++-------- docker/docker-compose.yml | 46 +++---- 2 files changed, 217 insertions(+), 75 deletions(-) diff --git a/.woodpecker.yml b/.woodpecker.yml index 76d536a..10b4460 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -1,63 +1,205 @@ when: - branch: main - event: push + - branch: main + event: push steps: - build-frontend: - image: node:20-slim - commands: - - cd frontend && npm ci && npm run build - build-backend: + - name: security-check + image: alpine:3.20 + commands: + - | + if [ -f .env ]; then + echo "ERREUR: .env ne doit pas etre commite dans le depot" + exit 1 + fi + - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)' + - echo "Security check OK" + + - name: validate + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + environment: + APP_DOMAIN: validate.example.com + SECRET_KEY: placeholder + commands: + - | + export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') + docker compose -f docker/docker-compose.yml config --quiet + - echo "docker-compose.yml valide" + + - name: test-backend image: python:3.11-slim commands: - pip install -r backend/requirements.txt - - cd backend && python -m pytest tests/ -v --tb=short || true + - cd backend && python -m pytest tests/ -v --tb=short - docker-backend: - image: woodpeckerci/plugin-docker-buildx - settings: - repo: - from_secret: registry_repo_backend - registry: - from_secret: registry_host - username: - from_secret: registry_user - password: - from_secret: registry_password - dockerfile: docker/backend.Dockerfile - target: production - tags: latest - when: - status: success + # NOTE: volumes + pas de from_secret : compatible + - name: build-backend + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - docker build -t sejeteralo-backend:latest -f docker/backend.Dockerfile --target production . + - echo "Image backend construite" - docker-frontend: - image: woodpeckerci/plugin-docker-buildx - settings: - repo: - from_secret: registry_repo_frontend - registry: - from_secret: registry_host - username: - from_secret: registry_user - password: - from_secret: registry_password - dockerfile: docker/frontend.Dockerfile - target: production - tags: latest - when: - status: success + # NOTE: volumes + pas de from_secret : compatible + - name: build-frontend + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - docker build -t sejeteralo-frontend:latest -f docker/frontend.Dockerfile --target production . + - echo "Image frontend construite" - deploy: - image: appleboy/drone-ssh - settings: - host: - from_secret: deploy_host - username: - from_secret: deploy_user - key: - from_secret: deploy_key - script: - - cd /opt/sejeteralo && docker compose -f docker/docker-compose.yml pull && docker compose -f docker/docker-compose.yml up -d + # NOTE: volumes + pas de from_secret : compatible + - name: sbom-generate + image: alpine:3.20 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + commands: + - apk add --no-cache curl + - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest + - mkdir -p .reports + - syft sejeteralo-backend:latest -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json + - syft sejeteralo-frontend:latest -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json + - echo "SBOM generes" + + # NOTE: volumes + pas de from_secret : compatible + - name: sbom-scan + image: aquasec/trivy:latest + volumes: + - /home/syoul/trivy-cache:/root/.cache/trivy + commands: + - trivy sbom --format json --output .reports/trivy-backend.json .reports/sbom-backend.cyclonedx.json + - trivy sbom --format json --output .reports/trivy-frontend.json .reports/sbom-frontend.cyclonedx.json + - echo "Scan CVE termine" + + # NOTE: from_secret + pas de volumes : compatible + - name: sbom-publish + image: alpine/curl:latest + environment: + DTRACK_TOKEN: + from_secret: dependency_track_token + DTRACK_DOMAIN: + from_secret: dtrack_domain + commands: + - | + VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8) + for COMPONENT in backend frontend; do + HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \ + -H "X-Api-Key: $DTRACK_TOKEN" \ + -F "autoCreate=true" \ + -F "projectName=sejeteralo-$COMPONENT" \ + -F "projectVersion=$VERSION" \ + -F "bom=@.reports/sbom-$COMPONENT.cyclonedx.json") + echo "HTTP $HTTP sejeteralo-$COMPONENT : $(cat /tmp/dtrack-resp.txt)" + [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1 + done + + # NOTE: from_secret + pas de volumes : compatible + - name: write-env + image: alpine:3.20 + environment: + APP_DOMAIN: + from_secret: app_domain + SECRET_KEY: + from_secret: secret_key + commands: + - env | grep -E "^(APP_DOMAIN|SECRET_KEY)=" > .env.deploy + - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy + - echo ".env.deploy cree ($(wc -c < .env.deploy) octets)" + + - name: test-env + image: alpine:3.20 + commands: + - | + [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; } + echo "PASS: .env.deploy present" + - | + VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2) + [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1 + echo "PASS: COMPOSE_PROJECT_NAME = $VAL" + - | + VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2) + [ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1 + echo "PASS: APP_DOMAIN = $VAL" + + # NOTE: volumes + pas de from_secret : compatible + # Routing Fabio gere automatiquement par Registrator via labels SERVICE_* du compose + - name: deploy + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /opt/sejeteralo:/opt/sejeteralo + commands: + - cp .env.deploy /opt/sejeteralo/.env + - chmod 600 /opt/sejeteralo/.env + - cp docker/docker-compose.yml /opt/sejeteralo/docker-compose.yml + # Arreter avant le challenge ACME : libere le webroot pour sonic-acme-1 + - cd /opt/sejeteralo && docker compose stop + - | + DOMAIN=$(grep '^APP_DOMAIN=' /opt/sejeteralo/.env | cut -d= -f2) + ACME_EXIT=0 + docker exec sonic-acme-1 /app/acme.sh \ + --home /etc/acme.sh \ + --issue -d "$DOMAIN" \ + --webroot /usr/share/nginx/html \ + --server letsencrypt \ + --accountemail support+acme@asycn.io || ACME_EXIT=$? + if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then + echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)" + exit 1 + fi + docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem + docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem + echo "TLS OK (acme exit $ACME_EXIT)" + # Images construites localement dans la pipeline : pas de docker compose pull + - cd /opt/sejeteralo && docker compose up -d --remove-orphans + - cd /opt/sejeteralo && docker compose ps + + # NOTE: volumes + pas de from_secret : compatible + - name: test-deploy + image: docker:27-cli + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - /opt/sejeteralo:/opt/sejeteralo + commands: + - | + PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/sejeteralo/.env | cut -d= -f2) + for SVC in backend frontend; do + STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-$SVC" 2>/dev/null || echo "absent") + echo "$PROJECT-$SVC : $STATUS" + [ "$STATUS" = "running" ] || { echo "FAIL: $PROJECT-$SVC non running"; exit 1; } + done + echo "PASS: tous les containers running" + + - name: healthcheck + image: alpine:3.20 + commands: + - apk add --no-cache --quiet curl + - | + SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2) + TARGET="https://$SITE" + echo "Healthcheck $TARGET..." + MAX=60 + i=0 + until [ $i -ge $MAX ]; do + CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null) + echo "Tentative $((i+1))/$MAX - HTTP $CODE" + if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then + echo "PASS: app repond sur $TARGET" + exit 0 + fi + i=$((i+1)) + sleep 10 + done + echo "FAIL: app ne repond pas apres 10 minutes" + exit 1 + + - name: notify-failure + image: alpine:3.20 + commands: + - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"' when: - status: success + - status: failure diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 9429420..6838905 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -1,43 +1,43 @@ -name: sejeteralo +name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main} services: backend: - build: - context: ../ - dockerfile: docker/backend.Dockerfile - target: production + image: sejeteralo-backend:latest + container_name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-backend + restart: always environment: DATABASE_URL: sqlite+aiosqlite:///./sejeteralo.db SECRET_KEY: ${SECRET_KEY} DEBUG: "false" - CORS_ORIGINS: '["https://${DOMAIN:-sejeteralo.org}"]' + CORS_ORIGINS: '["https://${APP_DOMAIN:-sejeteralo.fr}"]' volumes: - backend-data:/app - restart: always labels: - - "traefik.enable=true" - - "traefik.http.routers.sejeteralo-api.rule=Host(`${DOMAIN:-sejeteralo.org}`) && PathPrefix(`/api`)" - - "traefik.http.routers.sejeteralo-api.entrypoints=websecure" - - "traefik.http.routers.sejeteralo-api.tls.certresolver=letsencrypt" - - "traefik.http.services.sejeteralo-api.loadbalancer.server.port=8000" + - SERVICE_8000_NAME=${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-backend-8000 + - SERVICE_8000_TAGS=urlprefix-${APP_DOMAIN:-sejeteralo.fr}/api/* + - SERVICE_8000_CHECK_TCP=true + networks: + - sonic frontend: - build: - context: ../ - dockerfile: docker/frontend.Dockerfile - target: production + image: sejeteralo-frontend:latest + container_name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-frontend + restart: always environment: NODE_ENV: production - NUXT_PUBLIC_API_BASE: http://backend:8000/api/v1 + NUXT_PUBLIC_API_BASE: https://${APP_DOMAIN:-sejeteralo.fr}/api/v1 depends_on: - backend - restart: always labels: - - "traefik.enable=true" - - "traefik.http.routers.sejeteralo.rule=Host(`${DOMAIN:-sejeteralo.org}`)" - - "traefik.http.routers.sejeteralo.entrypoints=websecure" - - "traefik.http.routers.sejeteralo.tls.certresolver=letsencrypt" - - "traefik.http.services.sejeteralo.loadbalancer.server.port=3000" + - SERVICE_3000_NAME=${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-frontend-3000 + - SERVICE_3000_TAGS=urlprefix-${APP_DOMAIN:-sejeteralo.fr}/* + - SERVICE_3000_CHECK_TCP=true + networks: + - sonic volumes: backend-data: + +networks: + sonic: + external: true