66a843d502
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
- sbom-generate : inventaire CycloneDX des images prestashop:8-apache et mariadb:10.11 via Syft - sbom-scan : scan CVE depuis les SBOM via Trivy (cache /home/syoul/trivy-cache) - sbom-publish : envoi vers dtrack.syoul.fr avec versioning date+commit SHA - .gitignore : ajout /.reports/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
219 lines
9.2 KiB
YAML
219 lines
9.2 KiB
YAML
when:
|
|
- branch: main
|
|
event: push
|
|
|
|
steps:
|
|
|
|
# Etape 1 : Validation syntaxique du docker-compose.yml
|
|
# Les vars CI (CI_REPO_OWNER, CI_COMMIT_BRANCH) sont injectees automatiquement par Woodpecker
|
|
- name: validate
|
|
image: docker:27-cli
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
environment:
|
|
DB_PASSWORD: placeholder
|
|
DB_ROOT_PASSWORD: placeholder
|
|
PRESTASHOP_ADMIN_EMAIL: placeholder
|
|
PRESTASHOP_ADMIN_PASSWORD: placeholder
|
|
commands:
|
|
- |
|
|
export COMPOSE_PROJECT_NAME=$(printf '%s-%s-%s' "$CI_REPO_OWNER" "$CI_REPO_NAME" "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-')
|
|
export PS_DOMAIN="validate.example.com"
|
|
export PS_ADMIN_FOLDER="admin-secure"
|
|
docker compose config --quiet
|
|
- echo "docker-compose.yml valide"
|
|
|
|
# Etape 2 : Verifications de securite
|
|
- name: security-check
|
|
image: alpine:3.20
|
|
commands:
|
|
- |
|
|
if [ -f .env ]; then
|
|
echo "ERREUR: .env ne doit pas etre commite dans le depot !"
|
|
exit 1
|
|
fi
|
|
- 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)'
|
|
- echo "Verifications de securite OK"
|
|
|
|
# Etape 2b : Generation SBOM (Syft) — inventaire des composants des images Docker
|
|
# NOTE: volumes: et from_secret incompatibles dans le meme step — pas de secrets ici
|
|
- name: sbom-generate
|
|
image: anchore/syft:latest
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
commands:
|
|
- mkdir -p .reports
|
|
- syft prestashop/prestashop:8-apache -o cyclonedx-json --file .reports/sbom-prestashop.cyclonedx.json
|
|
- syft mariadb:10.11 -o cyclonedx-json --file .reports/sbom-mariadb.cyclonedx.json
|
|
- echo "SBOM generes $(ls .reports/sbom-*.json | wc -l) fichiers"
|
|
|
|
# Etape 2c : Scan CVE (Trivy) depuis les SBOM Syft
|
|
# Cache /opt/trivy-cache evite ~200Mo de telechargement des DB CVE a chaque build
|
|
# Prerequis sur sonic : mkdir -p /opt/trivy-cache
|
|
- name: sbom-scan
|
|
image: aquasec/trivy:latest
|
|
volumes:
|
|
- /home/syoul/trivy-cache:/root/.cache/trivy
|
|
commands:
|
|
- trivy sbom --format json --output .reports/trivy-prestashop.json .reports/sbom-prestashop.cyclonedx.json
|
|
- trivy sbom --format json --output .reports/trivy-mariadb.json .reports/sbom-mariadb.cyclonedx.json
|
|
- echo "Scan CVE termine"
|
|
|
|
# Etape 2d : Publication SBOM vers Dependency-Track (dtrack.syoul.fr)
|
|
# NOTE: from_secret et volumes: incompatibles — pas de volumes ici
|
|
- name: sbom-publish
|
|
image: alpine/curl:latest
|
|
environment:
|
|
DTRACK_TOKEN:
|
|
from_secret: dependency_track_token
|
|
commands:
|
|
- |
|
|
VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
|
|
curl -sf -X POST "https://dtrack.syoul.fr/api/v1/bom" \
|
|
-H "X-Api-Key: $DTRACK_TOKEN" \
|
|
-F "autoCreate=true" \
|
|
-F "projectName=prestashop-test-app" \
|
|
-F "projectVersion=$VERSION" \
|
|
-F "bom=@.reports/sbom-prestashop.cyclonedx.json"
|
|
echo "SBOM prestashop publie (version $VERSION)"
|
|
- |
|
|
VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8)
|
|
curl -sf -X POST "https://dtrack.syoul.fr/api/v1/bom" \
|
|
-H "X-Api-Key: $DTRACK_TOKEN" \
|
|
-F "autoCreate=true" \
|
|
-F "projectName=prestashop-test-db" \
|
|
-F "projectVersion=$VERSION" \
|
|
-F "bom=@.reports/sbom-mariadb.cyclonedx.json"
|
|
echo "SBOM mariadb publie (version $VERSION)"
|
|
|
|
# Etape 3a : Ecriture du .env depuis les secrets
|
|
# NOTE: ne pas utiliser ${VAR} dans commands (bug Woodpecker next), utiliser env | grep
|
|
# NOTE: from_secret et volumes: incompatibles dans le meme step (bug Woodpecker next)
|
|
- name: write-env
|
|
image: alpine:3.20
|
|
environment:
|
|
PS_DOMAIN:
|
|
from_secret: ps_domain
|
|
PS_ADMIN_FOLDER:
|
|
from_secret: ps_admin_folder
|
|
PRESTASHOP_ADMIN_EMAIL:
|
|
from_secret: prestashop_admin_email
|
|
PRESTASHOP_ADMIN_PASSWORD:
|
|
from_secret: prestashop_admin_password
|
|
DB_ROOT_PASSWORD:
|
|
from_secret: db_root_password
|
|
DB_PASSWORD:
|
|
from_secret: db_password
|
|
commands:
|
|
- env | grep -E "^(PS_DOMAIN|PS_ADMIN_FOLDER|PRESTASHOP_ADMIN_EMAIL|PRESTASHOP_ADMIN_PASSWORD|DB_ROOT_PASSWORD|DB_PASSWORD)=" > .env.deploy
|
|
# COMPOSE_PROJECT_NAME : convention user-project-branch, genere depuis les vars CI
|
|
- OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy
|
|
- echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
|
|
|
|
# Etape 3b : Deploiement sur sonic via Docker socket
|
|
# Modele pipeline sonic : deploy Docker Compose + cert TLS (acme.sh)
|
|
# Registrator enregistre automatiquement le container dans Consul via les labels SERVICE_*
|
|
# et publie les routes dans Fabio sans intervention manuelle
|
|
- name: deploy
|
|
image: docker:27-cli
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- /opt/prestashop:/opt/prestashop
|
|
commands:
|
|
- cp .env.deploy /opt/prestashop/.env
|
|
- chmod 600 /opt/prestashop/.env
|
|
- cp docker-compose.yml /opt/prestashop/docker-compose.yml
|
|
- cd /opt/prestashop && docker compose pull
|
|
- cd /opt/prestashop && docker compose up -d --remove-orphans
|
|
- cd /opt/prestashop && docker compose ps
|
|
- |
|
|
DOMAIN=$(grep '^PS_DOMAIN=' /opt/prestashop/.env | cut -d= -f2)
|
|
|
|
# --- Certificat TLS (acme.sh via sonic-acme-1) ---
|
|
# acme.sh est idempotent : skip si cert valide, renouvelle si proche expiration
|
|
# Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
|
|
# --home /etc/acme.sh = volume persistant sonic_acme (sinon /root/.acme.sh non persiste)
|
|
# || ACME_EXIT=$? capture le code sans declencher set -e (contrairement a ; ACME_EXIT=$?)
|
|
ACME_EXIT=0
|
|
docker exec sonic-acme-1 /app/acme.sh \
|
|
--home /etc/acme.sh \
|
|
--issue -d "$DOMAIN" \
|
|
--webroot /usr/share/nginx/html \
|
|
--server letsencrypt \
|
|
--accountemail support+acme@asycn.io || ACME_EXIT=$?
|
|
if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
|
|
echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
|
|
exit 1
|
|
fi
|
|
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
|
|
docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
|
|
echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
|
|
|
|
# Etape 4 : Configuration post-deploiement (SSL, cache)
|
|
# Attend la fin de l'installation PrestaShop (ps_configuration initialisee),
|
|
# puis active SSL dans la DB (PrestaShop genere des URLs https:// grace a X-Forwarded-Proto:https de Fabio)
|
|
- name: configure
|
|
image: docker:27-cli
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
commands:
|
|
- |
|
|
PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2)
|
|
DB_PASS=$(grep '^DB_PASSWORD=' .env.deploy | cut -d= -f2)
|
|
echo "Attente fin installation PrestaShop (ps_configuration)..."
|
|
MAX=60
|
|
i=0
|
|
until [ $i -ge $MAX ]; do
|
|
READY=$(docker exec "$PROJECT-db" mysql -uprestashop -p"$DB_PASS" -se \
|
|
"SELECT COUNT(*) FROM prestashop.ps_configuration WHERE name='PS_SSL_ENABLED';" 2>/dev/null || echo 0)
|
|
if [ "$READY" -gt "0" ] 2>/dev/null; then
|
|
echo "Base prete, activation SSL..."
|
|
docker exec "$PROJECT-db" mysql -uprestashop -p"$DB_PASS" prestashop -e \
|
|
"UPDATE ps_configuration SET value='1' WHERE name IN ('PS_SSL_ENABLED','PS_SSL_ENABLED_EVERYWHERE');"
|
|
docker exec "$PROJECT-app" rm -rf /var/www/html/var/cache/prod/ 2>/dev/null || true
|
|
echo "SSL active dans DB, cache efface"
|
|
break
|
|
fi
|
|
i=$((i+1))
|
|
echo "Tentative $i/$MAX - installation en cours..."
|
|
sleep 10
|
|
done
|
|
[ $i -ge $MAX ] && echo "AVERTISSEMENT: timeout configure SSL" || true
|
|
|
|
# Etape 5 : Healthcheck post-deploiement
|
|
- name: healthcheck
|
|
image: alpine:3.20
|
|
commands:
|
|
- apk add --no-cache --quiet curl
|
|
- |
|
|
SITE=$(grep '^PS_DOMAIN=' .env.deploy | cut -d= -f2)
|
|
if [ -z "$SITE" ]; then
|
|
echo "ERREUR: PS_DOMAIN non defini dans .env.deploy"
|
|
exit 1
|
|
fi
|
|
TARGET="http://$SITE"
|
|
echo "Healthcheck sur $TARGET (max 10 minutes)..."
|
|
MAX=60
|
|
i=0
|
|
until [ $i -ge $MAX ]; do
|
|
CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null)
|
|
echo "Tentative $((i+1))/$MAX - HTTP $CODE"
|
|
if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then
|
|
echo "PrestaShop repond correctement sur $TARGET"
|
|
exit 0
|
|
fi
|
|
i=$((i+1))
|
|
sleep 10
|
|
done
|
|
echo "ERREUR: PrestaShop ne repond pas apres 10 minutes"
|
|
exit 1
|
|
|
|
# Notification en cas d'echec
|
|
- name: notify-failure
|
|
image: alpine:3.20
|
|
commands:
|
|
- 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur commit $CI_COMMIT_SHA"'
|
|
- 'echo "Branche: $CI_COMMIT_BRANCH"'
|
|
when:
|
|
- status: failure
|