ci: réécriture pipeline Woodpecker next + migration Fabio

- Format liste steps (Woodpecker next)
- Séparation from_secret / volumes (bug Woodpecker next)
- Suppression $\{VAR\} → $VAR dans les commands
- Ajout security-check, validate, test-backend
- Ajout SBOM : syft + trivy + dependency-track
- Ajout write-env / test-env / test-deploy / healthcheck
- Remplacement SSH+registry → build local + deploy via Docker socket
- docker-compose : Traefik → Fabio/Registrator (labels SERVICE_*)
- docker-compose : build: → image: pré-construites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker/docker-compose.yml

@@ -1,43 +1,43 @@
-name: sejeteralo
+name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}
 
 services:
   backend:
-    build:
-      context: ../
-      dockerfile: docker/backend.Dockerfile
-      target: production
+    image: sejeteralo-backend:latest
+    container_name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-backend
+    restart: always
     environment:
       DATABASE_URL: sqlite+aiosqlite:///./sejeteralo.db
       SECRET_KEY: ${SECRET_KEY}
       DEBUG: "false"
-      CORS_ORIGINS: '["https://${DOMAIN:-sejeteralo.org}"]'
+      CORS_ORIGINS: '["https://${APP_DOMAIN:-sejeteralo.fr}"]'
     volumes:
       - backend-data:/app
-    restart: always
     labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.sejeteralo-api.rule=Host(`${DOMAIN:-sejeteralo.org}`) && PathPrefix(`/api`)"
-      - "traefik.http.routers.sejeteralo-api.entrypoints=websecure"
-      - "traefik.http.routers.sejeteralo-api.tls.certresolver=letsencrypt"
-      - "traefik.http.services.sejeteralo-api.loadbalancer.server.port=8000"
+      - SERVICE_8000_NAME=${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-backend-8000
+      - SERVICE_8000_TAGS=urlprefix-${APP_DOMAIN:-sejeteralo.fr}/api/*
+      - SERVICE_8000_CHECK_TCP=true
+    networks:
+      - sonic
 
   frontend:
-    build:
-      context: ../
-      dockerfile: docker/frontend.Dockerfile
-      target: production
+    image: sejeteralo-frontend:latest
+    container_name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-frontend
+    restart: always
     environment:
       NODE_ENV: production
-      NUXT_PUBLIC_API_BASE: http://backend:8000/api/v1
+      NUXT_PUBLIC_API_BASE: https://${APP_DOMAIN:-sejeteralo.fr}/api/v1
     depends_on:
       - backend
-    restart: always
     labels:
-      - "traefik.enable=true"
-      - "traefik.http.routers.sejeteralo.rule=Host(`${DOMAIN:-sejeteralo.org}`)"
-      - "traefik.http.routers.sejeteralo.entrypoints=websecure"
-      - "traefik.http.routers.sejeteralo.tls.certresolver=letsencrypt"
-      - "traefik.http.services.sejeteralo.loadbalancer.server.port=3000"
+      - SERVICE_3000_NAME=${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-frontend-3000
+      - SERVICE_3000_TAGS=urlprefix-${APP_DOMAIN:-sejeteralo.fr}/*
+      - SERVICE_3000_CHECK_TCP=true
+    networks:
+      - sonic
 
 volumes:
   backend-data:
+
+networks:
+  sonic:
+    external: true