when: - branch: main event: push steps: # Etape 1 : Validation syntaxique du docker-compose.yml - name: validate image: docker:27-cli volumes: - /var/run/docker.sock:/var/run/docker.sock environment: APP_DOMAIN: validate.example.com commands: - | export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') docker compose config --quiet - echo "docker-compose.yml valide" # Etape 2 : Verifications de securite - name: security-check image: alpine:3.20 commands: - | if [ -f .env ]; then echo "ERREUR: .env ne doit pas etre commite dans le depot" exit 1 fi - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)' - echo "Verifications de securite OK" # Etape 3 : Build de l'image Docker en local sur sonic # VITE_USE_LIVE_API=true est bake dans l'image au moment du build (Vite) # NOTE: volumes + pas de from_secret : compatible - name: build-image image: docker:27-cli volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - docker build -t g1flux:latest . - echo "Image g1flux:latest construite" # Etape 4a : Generation SBOM (Syft) depuis l'image locale # NOTE: volumes + pas de from_secret : compatible - name: sbom-generate image: alpine:3.20 volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - apk add --no-cache curl - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest - mkdir -p .reports - syft g1flux:latest -o cyclonedx-json --file .reports/sbom-app.cyclonedx.json - echo "SBOM genere" # Etape 4b : Scan CVE (Trivy) depuis le SBOM - name: sbom-scan image: aquasec/trivy:latest volumes: - /home/syoul/trivy-cache:/root/.cache/trivy commands: - trivy sbom --format json --output .reports/trivy-app.json .reports/sbom-app.cyclonedx.json - echo "Scan CVE termine" # Etape 4c : Publication SBOM vers Dependency-Track # NOTE: from_secret + pas de volumes : compatible - name: sbom-publish image: alpine/curl:latest environment: DTRACK_TOKEN: from_secret: dependency_track_token DTRACK_DOMAIN: from_secret: dtrack_domain commands: - | VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8) HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \ -H "X-Api-Key: $DTRACK_TOKEN" \ -F "autoCreate=true" \ -F "projectName=g1flux-app" \ -F "projectVersion=$VERSION" \ -F "bom=@.reports/sbom-app.cyclonedx.json") echo "HTTP $HTTP : $(cat /tmp/dtrack-resp.txt)" [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1 # Etape 5a : Ecriture du .env.deploy depuis les secrets # NOTE: from_secret + pas de volumes : compatible - name: write-env image: alpine:3.20 environment: APP_DOMAIN: from_secret: app_domain commands: - env | grep -E "^(APP_DOMAIN)=" > .env.deploy - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)" # Etape 5b : Validation du .env.deploy - name: test-env image: alpine:3.20 commands: - | [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; } echo "PASS: .env.deploy present" - | VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2) [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1 echo "PASS: COMPOSE_PROJECT_NAME = $VAL" - | VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2) [ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1 echo "PASS: APP_DOMAIN = $VAL" # Etape 6 : Deploiement sur sonic via Docker socket # Fabio routing gere automatiquement par Registrator via les labels SERVICE_* du compose # NOTE: volumes + pas de from_secret : compatible - name: deploy image: docker:27-cli volumes: - /var/run/docker.sock:/var/run/docker.sock - /opt/g1flux:/opt/g1flux commands: - cp .env.deploy /opt/g1flux/.env - chmod 600 /opt/g1flux/.env - cp docker-compose.yml /opt/g1flux/docker-compose.yml - cd /opt/g1flux && docker compose stop - | DOMAIN=$(grep '^APP_DOMAIN=' /opt/g1flux/.env | cut -d= -f2) # Certificat TLS (acme.sh, idempotent) # Exit 0 = emis/renouvele, exit 2 = skip (cert valide), autres = erreur ACME_EXIT=0 docker exec sonic-acme-1 /app/acme.sh \ --home /etc/acme.sh \ --issue -d "$DOMAIN" \ --webroot /usr/share/nginx/html \ --server letsencrypt \ --accountemail support+acme@asycn.io || ACME_EXIT=$? if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)" exit 1 fi docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem echo "Cert TLS OK (acme exit $ACME_EXIT)" - cd /opt/g1flux && docker compose up -d --remove-orphans - cd /opt/g1flux && docker compose ps # Etape 7 : Verification que le container est running - name: test-deploy image: docker:27-cli volumes: - /var/run/docker.sock:/var/run/docker.sock - /opt/g1flux:/opt/g1flux commands: - | PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/g1flux/.env | cut -d= -f2) STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-app" 2>/dev/null || echo "absent") echo "$PROJECT-app : $STATUS" [ "$STATUS" = "running" ] || { echo "FAIL: container non running"; exit 1; } echo "PASS: container running" # Etape 8 : Healthcheck HTTP public - name: healthcheck image: alpine:3.20 commands: - apk add --no-cache --quiet curl - | SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2) TARGET="https://$SITE" echo "Healthcheck $TARGET..." MAX=18 i=0 until [ $i -ge $MAX ]; do CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null) echo "Tentative $((i+1))/$MAX - HTTP $CODE" if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then echo "PASS: app repond sur $TARGET" exit 0 fi i=$((i+1)) sleep 10 done echo "FAIL: app ne repond pas apres 3 minutes" exit 1 # Notification en cas d'echec - name: notify-failure image: alpine:3.20 commands: - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"' when: - status: failure