ci: réécriture pipeline Woodpecker next + migration Fabio

- Format liste steps (Woodpecker next)
- Séparation from_secret / volumes (bug Woodpecker next)
- Suppression $\{VAR\} → $VAR dans les commands
- Ajout security-check, validate, test-backend
- Ajout SBOM : syft + trivy + dependency-track
- Ajout write-env / test-env / test-deploy / healthcheck
- Remplacement SSH+registry → build local + deploy via Docker socket
- docker-compose : Traefik → Fabio/Registrator (labels SERVICE_*)
- docker-compose : build: → image: pré-construites

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.woodpecker.yml

@@ -1,63 +1,205 @@
 when:
-  branch: main
+  - branch: main
     event: push
 
 steps:
-  build-frontend:
-    image: node:20-slim
-    commands:
-      - cd frontend && npm ci && npm run build
 
-  build-backend:
+  - name: security-check
+    image: alpine:3.20
+    commands:
+      - |
+        if [ -f .env ]; then
+          echo "ERREUR: .env ne doit pas etre commite dans le depot"
+          exit 1
+        fi
+      - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
+      - echo "Security check OK"
+
+  - name: validate
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      APP_DOMAIN: validate.example.com
+      SECRET_KEY: placeholder
+    commands:
+      - |
+        export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
+        docker compose -f docker/docker-compose.yml config --quiet
+      - echo "docker-compose.yml valide"
+
+  - name: test-backend
     image: python:3.11-slim
     commands:
       - pip install -r backend/requirements.txt
-      - cd backend && python -m pytest tests/ -v --tb=short || true
+      - cd backend && python -m pytest tests/ -v --tb=short
 
-  docker-backend:
+  # NOTE: volumes + pas de from_secret : compatible
-    image: woodpeckerci/plugin-docker-buildx
+  - name: build-backend
-    settings:
+    image: docker:27-cli
-      repo:
+    volumes:
-        from_secret: registry_repo_backend
+      - /var/run/docker.sock:/var/run/docker.sock
-      registry:
+    commands:
-        from_secret: registry_host
+      - docker build -t sejeteralo-backend:latest -f docker/backend.Dockerfile --target production .
-      username:
+      - echo "Image backend construite"
-        from_secret: registry_user
-      password:
-        from_secret: registry_password
-      dockerfile: docker/backend.Dockerfile
-      target: production
-      tags: latest
-    when:
-      status: success
 
-  docker-frontend:
+  # NOTE: volumes + pas de from_secret : compatible
-    image: woodpeckerci/plugin-docker-buildx
+  - name: build-frontend
-    settings:
+    image: docker:27-cli
-      repo:
+    volumes:
-        from_secret: registry_repo_frontend
+      - /var/run/docker.sock:/var/run/docker.sock
-      registry:
+    commands:
-        from_secret: registry_host
+      - docker build -t sejeteralo-frontend:latest -f docker/frontend.Dockerfile --target production .
-      username:
+      - echo "Image frontend construite"
-        from_secret: registry_user
-      password:
-        from_secret: registry_password
-      dockerfile: docker/frontend.Dockerfile
-      target: production
-      tags: latest
-    when:
-      status: success
 
-  deploy:
+  # NOTE: volumes + pas de from_secret : compatible
-    image: appleboy/drone-ssh
+  - name: sbom-generate
-    settings:
+    image: alpine:3.20
-      host:
+    volumes:
-        from_secret: deploy_host
+      - /var/run/docker.sock:/var/run/docker.sock
-      username:
+    commands:
-        from_secret: deploy_user
+      - apk add --no-cache curl
-      key:
+      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
-        from_secret: deploy_key
+      - mkdir -p .reports
-      script:
+      - syft sejeteralo-backend:latest -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json
-        - cd /opt/sejeteralo && docker compose -f docker/docker-compose.yml pull && docker compose -f docker/docker-compose.yml up -d
+      - syft sejeteralo-frontend:latest -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json
+      - echo "SBOM generes"
+
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: sbom-scan
+    image: aquasec/trivy:latest
+    volumes:
+      - /home/syoul/trivy-cache:/root/.cache/trivy
+    commands:
+      - trivy sbom --format json --output .reports/trivy-backend.json .reports/sbom-backend.cyclonedx.json
+      - trivy sbom --format json --output .reports/trivy-frontend.json .reports/sbom-frontend.cyclonedx.json
+      - echo "Scan CVE termine"
+
+  # NOTE: from_secret + pas de volumes : compatible
+  - name: sbom-publish
+    image: alpine/curl:latest
+    environment:
+      DTRACK_TOKEN:
+        from_secret: dependency_track_token
+      DTRACK_DOMAIN:
+        from_secret: dtrack_domain
+    commands:
+      - |
+        VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+        for COMPONENT in backend frontend; do
+          HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \
+            -H "X-Api-Key: $DTRACK_TOKEN" \
+            -F "autoCreate=true" \
+            -F "projectName=sejeteralo-$COMPONENT" \
+            -F "projectVersion=$VERSION" \
+            -F "bom=@.reports/sbom-$COMPONENT.cyclonedx.json")
+          echo "HTTP $HTTP sejeteralo-$COMPONENT : $(cat /tmp/dtrack-resp.txt)"
+          [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
+        done
+
+  # NOTE: from_secret + pas de volumes : compatible
+  - name: write-env
+    image: alpine:3.20
+    environment:
+      APP_DOMAIN:
+        from_secret: app_domain
+      SECRET_KEY:
+        from_secret: secret_key
+    commands:
+      - env | grep -E "^(APP_DOMAIN|SECRET_KEY)=" > .env.deploy
+      - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
+      - echo ".env.deploy cree ($(wc -c < .env.deploy) octets)"
+
+  - name: test-env
+    image: alpine:3.20
+    commands:
+      - |
+        [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; }
+        echo "PASS: .env.deploy present"
+      - |
+        VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
+        [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1
+        echo "PASS: COMPOSE_PROJECT_NAME = $VAL"
+      - |
+        VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
+        [ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1
+        echo "PASS: APP_DOMAIN = $VAL"
+
+  # NOTE: volumes + pas de from_secret : compatible
+  # Routing Fabio gere automatiquement par Registrator via labels SERVICE_* du compose
+  - name: deploy
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/sejeteralo:/opt/sejeteralo
+    commands:
+      - cp .env.deploy /opt/sejeteralo/.env
+      - chmod 600 /opt/sejeteralo/.env
+      - cp docker/docker-compose.yml /opt/sejeteralo/docker-compose.yml
+      # Arreter avant le challenge ACME : libere le webroot pour sonic-acme-1
+      - cd /opt/sejeteralo && docker compose stop
+      - |
+        DOMAIN=$(grep '^APP_DOMAIN=' /opt/sejeteralo/.env | cut -d= -f2)
+        ACME_EXIT=0
+        docker exec sonic-acme-1 /app/acme.sh \
+          --home /etc/acme.sh \
+          --issue -d "$DOMAIN" \
+          --webroot /usr/share/nginx/html \
+          --server letsencrypt \
+          --accountemail support+acme@asycn.io || ACME_EXIT=$?
+        if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
+          echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
+          exit 1
+        fi
+        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
+        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
+        echo "TLS OK (acme exit $ACME_EXIT)"
+      # Images construites localement dans la pipeline : pas de docker compose pull
+      - cd /opt/sejeteralo && docker compose up -d --remove-orphans
+      - cd /opt/sejeteralo && docker compose ps
+
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: test-deploy
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/sejeteralo:/opt/sejeteralo
+    commands:
+      - |
+        PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/sejeteralo/.env | cut -d= -f2)
+        for SVC in backend frontend; do
+          STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-$SVC" 2>/dev/null || echo "absent")
+          echo "$PROJECT-$SVC : $STATUS"
+          [ "$STATUS" = "running" ] || { echo "FAIL: $PROJECT-$SVC non running"; exit 1; }
+        done
+        echo "PASS: tous les containers running"
+
+  - name: healthcheck
+    image: alpine:3.20
+    commands:
+      - apk add --no-cache --quiet curl
+      - |
+        SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
+        TARGET="https://$SITE"
+        echo "Healthcheck $TARGET..."
+        MAX=60
+        i=0
+        until [ $i -ge $MAX ]; do
+          CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
+          echo "Tentative $((i+1))/$MAX - HTTP $CODE"
+          if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
+            echo "PASS: app repond sur $TARGET"
+            exit 0
+          fi
+          i=$((i+1))
+          sleep 10
+        done
+        echo "FAIL: app ne repond pas apres 10 minutes"
+        exit 1
+
+  - name: notify-failure
+    image: alpine:3.20
+    commands:
+      - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"'
     when:
-      status: success
+      - status: failure

docker/docker-compose.yml

@@ -1,43 +1,43 @@
-name: sejeteralo
+name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}
 
 services:
   backend:
-    build:
+    image: sejeteralo-backend:latest
-      context: ../
+    container_name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-backend
-      dockerfile: docker/backend.Dockerfile
+    restart: always
-      target: production
     environment:
       DATABASE_URL: sqlite+aiosqlite:///./sejeteralo.db
       SECRET_KEY: ${SECRET_KEY}
       DEBUG: "false"
-      CORS_ORIGINS: '["https://${DOMAIN:-sejeteralo.org}"]'
+      CORS_ORIGINS: '["https://${APP_DOMAIN:-sejeteralo.fr}"]'
     volumes:
       - backend-data:/app
-    restart: always
     labels:
-      - "traefik.enable=true"
+      - SERVICE_8000_NAME=${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-backend-8000
-      - "traefik.http.routers.sejeteralo-api.rule=Host(`${DOMAIN:-sejeteralo.org}`) && PathPrefix(`/api`)"
+      - SERVICE_8000_TAGS=urlprefix-${APP_DOMAIN:-sejeteralo.fr}/api/*
-      - "traefik.http.routers.sejeteralo-api.entrypoints=websecure"
+      - SERVICE_8000_CHECK_TCP=true
-      - "traefik.http.routers.sejeteralo-api.tls.certresolver=letsencrypt"
+    networks:
-      - "traefik.http.services.sejeteralo-api.loadbalancer.server.port=8000"
+      - sonic
 
   frontend:
-    build:
+    image: sejeteralo-frontend:latest
-      context: ../
+    container_name: ${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-frontend
-      dockerfile: docker/frontend.Dockerfile
+    restart: always
-      target: production
     environment:
       NODE_ENV: production
-      NUXT_PUBLIC_API_BASE: http://backend:8000/api/v1
+      NUXT_PUBLIC_API_BASE: https://${APP_DOMAIN:-sejeteralo.fr}/api/v1
     depends_on:
       - backend
-    restart: always
     labels:
-      - "traefik.enable=true"
+      - SERVICE_3000_NAME=${COMPOSE_PROJECT_NAME:-syoul-sejeteralo-main}-frontend-3000
-      - "traefik.http.routers.sejeteralo.rule=Host(`${DOMAIN:-sejeteralo.org}`)"
+      - SERVICE_3000_TAGS=urlprefix-${APP_DOMAIN:-sejeteralo.fr}/*
-      - "traefik.http.routers.sejeteralo.entrypoints=websecure"
+      - SERVICE_3000_CHECK_TCP=true
-      - "traefik.http.routers.sejeteralo.tls.certresolver=letsencrypt"
+    networks:
-      - "traefik.http.services.sejeteralo.loadbalancer.server.port=3000"
+      - sonic
 
 volumes:
   backend-data:
+
+networks:
+  sonic:
+    external: true