feat: pipeline CI + Docker pour déploiement sur sonic

- Dockerfile multi-stage (node:20 build + nginx:alpine serve)
- nginx.conf SPA avec try_files et gzip
- docker-compose.yml avec labels Registrator/Fabio (SERVICE_80_CHECK_TCP)
- .woodpecker.yml : validate, security-check, build-image, SBOM, write-env,
  test-env, deploy (stop→acme→up), test-deploy, healthcheck
- .gitignore : ajout .env et /.reports/

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.gitignore

@@ -1,3 +1,8 @@
+.env
+.env.*
+!.env.example
+/.reports/
+
 # Logs
 logs
 *.log

.woodpecker.yml

@@ -0,0 +1,193 @@
+when:
+  - branch: main
+    event: push
+
+steps:
+
+  # Etape 1 : Validation syntaxique du docker-compose.yml
+  - name: validate
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      APP_DOMAIN: validate.example.com
+    commands:
+      - |
+        export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
+        docker compose config --quiet
+      - echo "docker-compose.yml valide"
+
+  # Etape 2 : Verifications de securite
+  - name: security-check
+    image: alpine:3.20
+    commands:
+      - |
+        if [ -f .env ]; then
+          echo "ERREUR: .env ne doit pas etre commite dans le depot"
+          exit 1
+        fi
+      - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
+      - echo "Verifications de securite OK"
+
+  # Etape 3 : Build de l'image Docker en local sur sonic
+  # VITE_USE_LIVE_API=true est bake dans l'image au moment du build (Vite)
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: build-image
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - docker build -t g1flux:latest .
+      - echo "Image g1flux:latest construite"
+
+  # Etape 4a : Generation SBOM (Syft) depuis l'image locale
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: sbom-generate
+    image: alpine:3.20
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - apk add --no-cache curl
+      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
+      - mkdir -p .reports
+      - syft g1flux:latest -o cyclonedx-json --file .reports/sbom-app.cyclonedx.json
+      - echo "SBOM genere"
+
+  # Etape 4b : Scan CVE (Trivy) depuis le SBOM
+  - name: sbom-scan
+    image: aquasec/trivy:latest
+    volumes:
+      - /home/syoul/trivy-cache:/root/.cache/trivy
+    commands:
+      - trivy sbom --format json --output .reports/trivy-app.json .reports/sbom-app.cyclonedx.json
+      - echo "Scan CVE termine"
+
+  # Etape 4c : Publication SBOM vers Dependency-Track
+  # NOTE: from_secret + pas de volumes : compatible
+  - name: sbom-publish
+    image: alpine/curl:latest
+    environment:
+      DTRACK_TOKEN:
+        from_secret: dependency_track_token
+      DTRACK_DOMAIN:
+        from_secret: dtrack_domain
+    commands:
+      - |
+        VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
+        HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \
+          -H "X-Api-Key: $DTRACK_TOKEN" \
+          -F "autoCreate=true" \
+          -F "projectName=g1flux-app" \
+          -F "projectVersion=$VERSION" \
+          -F "bom=@.reports/sbom-app.cyclonedx.json")
+        echo "HTTP $HTTP : $(cat /tmp/dtrack-resp.txt)"
+        [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
+
+  # Etape 5a : Ecriture du .env.deploy depuis les secrets
+  # NOTE: from_secret + pas de volumes : compatible
+  - name: write-env
+    image: alpine:3.20
+    environment:
+      APP_DOMAIN:
+        from_secret: app_domain
+    commands:
+      - env | grep -E "^(APP_DOMAIN)=" > .env.deploy
+      - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
+      - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
+
+  # Etape 5b : Validation du .env.deploy
+  - name: test-env
+    image: alpine:3.20
+    commands:
+      - |
+        [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; }
+        echo "PASS: .env.deploy present"
+      - |
+        VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
+        [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1
+        echo "PASS: COMPOSE_PROJECT_NAME = $VAL"
+      - |
+        VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
+        [ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1
+        echo "PASS: APP_DOMAIN = $VAL"
+
+  # Etape 6 : Deploiement sur sonic via Docker socket
+  # Fabio routing gere automatiquement par Registrator via les labels SERVICE_* du compose
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: deploy
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/g1flux:/opt/g1flux
+    commands:
+      - cp .env.deploy /opt/g1flux/.env
+      - chmod 600 /opt/g1flux/.env
+      - cp docker-compose.yml /opt/g1flux/docker-compose.yml
+      - cd /opt/g1flux && docker compose stop
+      - |
+        DOMAIN=$(grep '^APP_DOMAIN=' /opt/g1flux/.env | cut -d= -f2)
+
+        # Certificat TLS (acme.sh, idempotent)
+        # Exit 0 = emis/renouvele, exit 2 = skip (cert valide), autres = erreur
+        ACME_EXIT=0
+        docker exec sonic-acme-1 /app/acme.sh \
+          --home /etc/acme.sh \
+          --issue -d "$DOMAIN" \
+          --webroot /usr/share/nginx/html \
+          --server letsencrypt \
+          --accountemail support+acme@asycn.io || ACME_EXIT=$?
+        if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
+          echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
+          exit 1
+        fi
+        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
+        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
+        echo "Cert TLS OK (acme exit $ACME_EXIT)"
+      - cd /opt/g1flux && docker compose up -d --remove-orphans
+      - cd /opt/g1flux && docker compose ps
+
+  # Etape 7 : Verification que le container est running
+  - name: test-deploy
+    image: docker:27-cli
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /opt/g1flux:/opt/g1flux
+    commands:
+      - |
+        PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/g1flux/.env | cut -d= -f2)
+        STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-app" 2>/dev/null || echo "absent")
+        echo "$PROJECT-app : $STATUS"
+        [ "$STATUS" = "running" ] || { echo "FAIL: container non running"; exit 1; }
+        echo "PASS: container running"
+
+  # Etape 8 : Healthcheck HTTP public
+  - name: healthcheck
+    image: alpine:3.20
+    commands:
+      - apk add --no-cache --quiet curl
+      - |
+        SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
+        TARGET="https://$SITE"
+        echo "Healthcheck $TARGET..."
+        MAX=18
+        i=0
+        until [ $i -ge $MAX ]; do
+          CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
+          echo "Tentative $((i+1))/$MAX - HTTP $CODE"
+          if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
+            echo "PASS: app repond sur $TARGET"
+            exit 0
+          fi
+          i=$((i+1))
+          sleep 10
+        done
+        echo "FAIL: app ne repond pas apres 3 minutes"
+        exit 1
+
+  # Notification en cas d'echec
+  - name: notify-failure
+    image: alpine:3.20
+    commands:
+      - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"'
+    when:
+      - status: failure

Dockerfile

@@ -0,0 +1,11 @@
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN VITE_USE_LIVE_API=true npm run build
+
+FROM nginx:alpine
+COPY --from=builder /app/dist /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+EXPOSE 80

docker-compose.yml

@@ -0,0 +1,18 @@
+name: ${COMPOSE_PROJECT_NAME:-syoul-g1flux-main}
+
+services:
+  app:
+    image: g1flux:latest
+    container_name: ${COMPOSE_PROJECT_NAME:-syoul-g1flux-main}-app
+    restart: always
+    labels:
+      - SERVICE_80_NAME=${COMPOSE_PROJECT_NAME:-syoul-g1flux-main}-app-80
+      - SERVICE_80_TAGS=urlprefix-${APP_DOMAIN}/*
+      - SERVICE_80_CHECK_TCP=true
+      - LETSENCRYPT_HOST=${APP_DOMAIN}
+    networks:
+      - sonic
+
+networks:
+  sonic:
+    external: true

nginx.conf

@@ -0,0 +1,12 @@
+server {
+    listen 80;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    gzip on;
+    gzip_types text/css application/javascript application/json image/svg+xml;
+}