syoul/g1flux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
c02f207b6c8a6e8c4aa1633d5d09ab22b9c3a9b6
g1flux/.woodpecker.yml
T
syoul c02f207b6c
ci/woodpecker/push/woodpecker Pipeline failed
Details
fix: sbom-generate — alpine + syft pinné via GitHub releases 
anchore/syft:vX est distroless (pas de /bin/sh), incompatible avec
les commands Woodpecker. Retour sur alpine:3.20 avec téléchargement
direct du tarball v1.42.3 depuis GitHub releases (pas install.sh
qui tire latest).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-24 12:14:16 +01:00

221 lines
8.0 KiB
YAML
Raw Blame History

when:
- branch:
- main
- dev
- ci
event: push
steps:
# Etape 1 : Validation syntaxique du docker-compose.yml
- name: validate
image: docker:27-cli
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
APP_DOMAIN: validate.example.com
commands:
- |
export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
docker compose config --quiet
- echo "docker-compose.yml valide"
# Etape 2 : Verifications de securite
- name: security-check
image: alpine:3.20
commands:
- |
if [ -f .env ]; then
echo "ERREUR: .env ne doit pas etre commite dans le depot"
exit 1
fi
- 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
- echo "Verifications de securite OK"
# Etape 3 : Build de l'image Docker en local sur sonic
# VITE_USE_LIVE_API=true est bake dans l'image au moment du build (Vite)
# NOTE: volumes + pas de from_secret : compatible
- name: build-image
image: docker:27-cli
volumes:
- /var/run/docker.sock:/var/run/docker.sock
commands:
- docker build -t g1flux:latest .
- echo "Image g1flux:latest construite"
# Etape 4a : Generation SBOM (Syft) depuis l'image locale
# NOTE: volumes + pas de from_secret : compatible
# Utilise l'image officielle anchore/syft pour eviter le bug d'auto-detection
# de container (signal Go imprime en adresse memoire sur alpine + curl install)
- name: sbom-generate
image: alpine:3.20
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
SYFT_VERSION: "1.42.3"
commands:
- apk add --no-cache curl tar
- curl -sSfL "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" | tar xz -C /usr/local/bin syft
- mkdir -p .reports
- syft packages docker:g1flux:latest -o cyclonedx-json=.reports/sbom-app.cyclonedx.json
- echo "SBOM genere"
# Etape 4b : Scan CVE (Trivy) depuis le SBOM
- name: sbom-scan
image: aquasec/trivy:0.69.3
volumes:
- /home/syoul/trivy-cache:/root/.cache/trivy
commands:
- trivy sbom --format json --output .reports/trivy-app.json .reports/sbom-app.cyclonedx.json
- echo "Scan CVE termine"
# Etape 4c : Publication SBOM vers Dependency-Track
# NOTE: from_secret + pas de volumes : compatible
- name: sbom-publish
image: alpine/curl:latest
environment:
DTRACK_TOKEN:
from_secret: dependency_track_token
DTRACK_DOMAIN:
from_secret: dtrack_domain
commands:
- |
VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \
-H "X-Api-Key: $DTRACK_TOKEN" \
-F "autoCreate=true" \
-F "projectName=g1flux-app" \
-F "projectVersion=$VERSION" \
-F "bom=@.reports/sbom-app.cyclonedx.json")
echo "HTTP $HTTP : $(cat /tmp/dtrack-resp.txt)"
[ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
# Etape 5a : Ecriture du .env.deploy depuis les secrets
# NOTE: from_secret + pas de volumes : compatible
- name: write-env
image: alpine:3.20
environment:
APP_DOMAIN_BASE:
from_secret: app_domain
commands:
- |
BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
if [ "$CI_COMMIT_BRANCH" = "main" ]; then
EFFECTIVE_DOMAIN="$APP_DOMAIN_BASE"
else
EFFECTIVE_DOMAIN="$BRANCH.$APP_DOMAIN_BASE"
fi
OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z')
REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z')
echo "APP_DOMAIN=$EFFECTIVE_DOMAIN" > .env.deploy
echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
- echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
# Etape 5b : Validation du .env.deploy
- name: test-env
image: alpine:3.20
commands:
- |
[ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; }
echo "PASS: .env.deploy present"
- |
VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
[ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1
echo "PASS: COMPOSE_PROJECT_NAME = $VAL"
- |
VAL=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
[ -z "$VAL" ] && echo "FAIL: APP_DOMAIN vide" && exit 1
echo "PASS: APP_DOMAIN = $VAL"
# Etape 6 : Deploiement sur sonic via Docker socket
# Fabio routing gere automatiquement par Registrator via les labels SERVICE_* du compose
# NOTE: volumes + pas de from_secret : compatible
- name: deploy
image: docker:27-cli
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/g1flux:/opt/g1flux
commands:
- |
BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
DEPLOY_DIR="/opt/g1flux/$BRANCH"
mkdir -p "$DEPLOY_DIR"
cp .env.deploy "$DEPLOY_DIR/.env"
chmod 600 "$DEPLOY_DIR/.env"
cp docker-compose.yml "$DEPLOY_DIR/docker-compose.yml"
cd "$DEPLOY_DIR" && docker compose stop
- |
BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
DEPLOY_DIR="/opt/g1flux/$BRANCH"
DOMAIN=$(grep '^APP_DOMAIN=' "$DEPLOY_DIR/.env" | cut -d= -f2)
# Certificat TLS (acme.sh, idempotent)
# Exit 0 = emis/renouvele, exit 2 = skip (cert valide), autres = erreur
ACME_EXIT=0
docker exec sonic-acme-1 /app/acme.sh \
--home /etc/acme.sh \
--issue -d "$DOMAIN" \
--webroot /usr/share/nginx/html \
--server letsencrypt \
--accountemail support+acme@asycn.io || ACME_EXIT=$?
if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
exit 1
fi
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
echo "Cert TLS OK (acme exit $ACME_EXIT)"
- |
BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
DEPLOY_DIR="/opt/g1flux/$BRANCH"
cd "$DEPLOY_DIR" && docker compose up -d --remove-orphans
docker compose ps
# Etape 7 : Verification que le container est running
- name: test-deploy
image: docker:27-cli
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- /opt/g1flux:/opt/g1flux
commands:
- |
BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
DEPLOY_DIR="/opt/g1flux/$BRANCH"
PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' "$DEPLOY_DIR/.env" | cut -d= -f2)
STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-app" 2>/dev/null || echo "absent")
echo "$PROJECT-app : $STATUS"
[ "$STATUS" = "running" ] || { echo "FAIL: container non running"; exit 1; }
echo "PASS: container running"
# Etape 8 : Healthcheck HTTP public
- name: healthcheck
image: alpine:3.20
commands:
- apk add --no-cache --quiet curl
- |
SITE=$(grep '^APP_DOMAIN=' .env.deploy | cut -d= -f2)
TARGET="https://$SITE"
echo "Healthcheck $TARGET..."
MAX=18
i=0
until [ $i -ge $MAX ]; do
CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
echo "Tentative $((i+1))/$MAX - HTTP $CODE"
if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
echo "PASS: app repond sur $TARGET"
exit 0
fi
i=$((i+1))
sleep 10
done
echo "FAIL: app ne repond pas apres 3 minutes"
exit 1
# Notification en cas d'echec
- name: notify-failure
image: alpine:3.20
commands:
- 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"'
when:
- status: failure
Reference in New Issue View Git Blame Copy Permalink