prestashop-test/.woodpecker.yml

when:
  - branch: main
    event: push

steps:

  # Etape 1 : Validation syntaxique du docker-compose.yml
  # Les vars CI (CI_REPO_OWNER, CI_COMMIT_BRANCH) sont injectees automatiquement par Woodpecker
  - name: validate
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      DB_PASSWORD: placeholder
      DB_ROOT_PASSWORD: placeholder
      PRESTASHOP_ADMIN_EMAIL: placeholder
      PRESTASHOP_ADMIN_PASSWORD: placeholder
    commands:
      - |
        export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
        export PS_DOMAIN="validate.example.com"
        export PS_ADMIN_FOLDER="admin-secure"
        docker compose config --quiet
      - echo "docker-compose.yml valide"

  # Etape 2 : Verifications de securite
  - name: security-check
    image: alpine:3.20
    commands:
      - |
        if [ -f .env ]; then
          echo "ERREUR: .env ne doit pas etre commite dans le depot !"
          exit 1
        fi
      - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
      - echo "Verifications de securite OK"

  # Etape 2b : Generation SBOM (Syft) — inventaire des composants des images Docker
  # NOTE: volumes: et from_secret incompatibles dans le meme step — pas de secrets ici
  - name: sbom-generate
    image: alpine:3.20
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - apk add --no-cache curl
      - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
      - mkdir -p .reports
      - syft prestashop/prestashop:9.0.3-3.0-classic-8.3-apache -o cyclonedx-json --file .reports/sbom-prestashop.cyclonedx.json
      - syft mariadb:10.11 -o cyclonedx-json --file .reports/sbom-mariadb.cyclonedx.json
      - echo "SBOM generes $(ls .reports/sbom-*.json | wc -l) fichiers"

  # Etape 2c : Scan CVE (Trivy) depuis les SBOM Syft
  # Cache /opt/trivy-cache evite ~200Mo de telechargement des DB CVE a chaque build
  # Prerequis sur sonic : mkdir -p /opt/trivy-cache
  - name: sbom-scan
    image: aquasec/trivy:latest
    volumes:
      - /home/syoul/trivy-cache:/root/.cache/trivy
    commands:
      - trivy sbom --format json --output .reports/trivy-prestashop.json .reports/sbom-prestashop.cyclonedx.json
      - trivy sbom --format json --output .reports/trivy-mariadb.json .reports/sbom-mariadb.cyclonedx.json
      - echo "Scan CVE termine"

  # Etape 2d : Publication SBOM vers Dependency-Track (dtrack.syoul.fr)
  # NOTE: from_secret et volumes: incompatibles — pas de volumes ici
  - name: sbom-publish
    image: alpine/curl:latest
    environment:
      DTRACK_TOKEN:
        from_secret: dependency_track_token
    commands:
      - |
        VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
        HTTP=$(curl -s -o /tmp/dtrack-response.txt -w "%{http_code}" -X POST "https://dtrack.syoul.fr/api/v1/bom" \
          -H "X-Api-Key: $DTRACK_TOKEN" \
          -F "autoCreate=true" \
          -F "projectName=prestashop-test-app" \
          -F "projectVersion=$VERSION" \
          -F "bom=@.reports/sbom-prestashop.cyclonedx.json")
        echo "HTTP $HTTP : $(cat /tmp/dtrack-response.txt)"
        [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1
      - |
        VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
        HTTP=$(curl -s -o /tmp/dtrack-response.txt -w "%{http_code}" -X POST "https://dtrack.syoul.fr/api/v1/bom" \
          -H "X-Api-Key: $DTRACK_TOKEN" \
          -F "autoCreate=true" \
          -F "projectName=prestashop-test-db" \
          -F "projectVersion=$VERSION" \
          -F "bom=@.reports/sbom-mariadb.cyclonedx.json")
        echo "HTTP $HTTP : $(cat /tmp/dtrack-response.txt)"
        [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1

  # Etape 3a : Ecriture du .env depuis les secrets
  # NOTE: ne pas utiliser ${VAR} dans commands (bug Woodpecker next), utiliser env | grep
  # NOTE: from_secret et volumes: incompatibles dans le meme step (bug Woodpecker next)
  - name: write-env
    image: alpine:3.20
    environment:
      PS_DOMAIN:
        from_secret: ps_domain
      PS_ADMIN_FOLDER:
        from_secret: ps_admin_folder
      PRESTASHOP_ADMIN_EMAIL:
        from_secret: prestashop_admin_email
      PRESTASHOP_ADMIN_PASSWORD:
        from_secret: prestashop_admin_password
      DB_ROOT_PASSWORD:
        from_secret: db_root_password
      DB_PASSWORD:
        from_secret: db_password
    commands:
      - env | grep -E "^(PS_DOMAIN|PS_ADMIN_FOLDER|PRESTASHOP_ADMIN_EMAIL|PRESTASHOP_ADMIN_PASSWORD|DB_ROOT_PASSWORD|DB_PASSWORD)=" > .env.deploy
      # COMPOSE_PROJECT_NAME : convention user-project-branch, genere depuis les vars CI
      - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
      - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"

  # Etape 3b : Deploiement sur sonic via Docker socket
  # Modele pipeline sonic : deploy Docker Compose + cert TLS (acme.sh)
  # Registrator enregistre automatiquement le container dans Consul via les labels SERVICE_*
  # et publie les routes dans Fabio sans intervention manuelle
  - name: deploy
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /opt/prestashop:/opt/prestashop
    commands:
      - cp .env.deploy /opt/prestashop/.env
      - chmod 600 /opt/prestashop/.env
      - cp docker-compose.yml /opt/prestashop/docker-compose.yml
      - cd /opt/prestashop && docker compose pull
      - cd /opt/prestashop && docker compose up -d --remove-orphans
      - cd /opt/prestashop && docker compose ps
      - |
        DOMAIN=$(grep '^PS_DOMAIN=' /opt/prestashop/.env | cut -d= -f2)

        # --- Certificat TLS (acme.sh via sonic-acme-1) ---
        # acme.sh est idempotent : skip si cert valide, renouvelle si proche expiration
        # Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
        # --home /etc/acme.sh = volume persistant sonic_acme (sinon /root/.acme.sh non persiste)
        # || ACME_EXIT=$? capture le code sans declencher set -e (contrairement a ; ACME_EXIT=$?)
        ACME_EXIT=0
        docker exec sonic-acme-1 /app/acme.sh \
          --home /etc/acme.sh \
          --issue -d "$DOMAIN" \
          --webroot /usr/share/nginx/html \
          --server letsencrypt \
          --accountemail support+acme@asycn.io || ACME_EXIT=$?
        if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
          echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
          exit 1
        fi
        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
        docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
        echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"

  # Etape 4 : Configuration post-deploiement (SSL, cache)
  # Attend la fin de l'installation PrestaShop (ps_configuration initialisee),
  # puis active SSL dans la DB (PrestaShop genere des URLs https:// grace a X-Forwarded-Proto:https de Fabio)
  - name: configure
    image: docker:27-cli
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    commands:
      - |
        PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
        DB_PASS=$(grep '^DB_PASSWORD=' .env.deploy | cut -d= -f2)
        echo "Attente fin installation PrestaShop (ps_configuration)..."
        MAX=60
        i=0
        until [ $i -ge $MAX ]; do
          READY=$(docker exec "$PROJECT-db" mysql -uprestashop -p"$DB_PASS" -se \
            "SELECT COUNT(*) FROM prestashop.ps_configuration WHERE name='PS_SSL_ENABLED';" 2>/dev/null || echo 0)
          if [ "$READY" -gt "0" ] 2>/dev/null; then
            echo "Base prete, activation SSL..."
            docker exec "$PROJECT-db" mysql -uprestashop -p"$DB_PASS" prestashop -e \
              "UPDATE ps_configuration SET value='1' WHERE name IN ('PS_SSL_ENABLED','PS_SSL_ENABLED_EVERYWHERE');"
            docker exec "$PROJECT-app" rm -rf /var/www/html/var/cache/prod/ 2>/dev/null || true
            echo "SSL active dans DB, cache efface"
            break
          fi
          i=$((i+1))
          echo "Tentative $i/$MAX - installation en cours..."
          sleep 10
        done
        [ $i -ge $MAX ] && echo "AVERTISSEMENT: timeout configure SSL" || true

  # Etape 5 : Healthcheck post-deploiement
  - name: healthcheck
    image: alpine:3.20
    commands:
      - apk add --no-cache --quiet curl
      - |
        SITE=$(grep '^PS_DOMAIN=' .env.deploy | cut -d= -f2)
        if [ -z "$SITE" ]; then
          echo "ERREUR: PS_DOMAIN non defini dans .env.deploy"
          exit 1
        fi
        TARGET="http://$SITE"
        echo "Healthcheck sur $TARGET (max 10 minutes)..."
        MAX=60
        i=0
        until [ $i -ge $MAX ]; do
          CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
          echo "Tentative $((i+1))/$MAX - HTTP $CODE"
          if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
            echo "PrestaShop repond correctement sur $TARGET"
            exit 0
          fi
          i=$((i+1))
          sleep 10
        done
        echo "ERREUR: PrestaShop ne repond pas apres 10 minutes"
        exit 1

  # Notification en cas d'echec
  - name: notify-failure
    image: alpine:3.20
    commands:
      - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur commit $CI_COMMIT_SHA"'
      - 'echo "Branche: $CI_COMMIT_BRANCH"'
    when:
      - status: failure