ci: build local sans registry, pattern sejeteralo

- Suppression write-docker-creds et secrets docker_registry/username/password
- build-backend/frontend : docker build local sur sonic (docker.sock)
- sbom-generate : scan des images locales via docker.sock
- docker-compose.yml : ajout image: libredecision-{backend,frontend}:latest
- deploy : suppression docker compose pull (images locales)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.woodpecker.yml

@@ -29,88 +29,43 @@ steps:
       - npm ci
       - npm run build
 
-  # NOTE: from_secret + pas de volumes : compatible
-  - name: write-docker-creds
-    image: alpine:3.20
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: build-backend
+    image: docker:27-cli
     depends_on:
       - test-backend
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - docker build -t libredecision-backend:latest -f docker/backend.Dockerfile --target production .
+      - echo "Image backend construite"
+
+  # NOTE: volumes + pas de from_secret : compatible
+  - name: build-frontend
+    image: docker:27-cli
+    depends_on:
       - test-frontend
-    environment:
-      REGISTRY:
-        from_secret: docker_registry
-      REGISTRY_USER:
-        from_secret: docker_username
-      REGISTRY_PASS:
-        from_secret: docker_password
-    commands:
-      - echo "REGISTRY=$REGISTRY" > .docker-creds
-      - echo "REGISTRY_USER=$REGISTRY_USER" >> .docker-creds
-      - echo "REGISTRY_PASS=$REGISTRY_PASS" >> .docker-creds
-      - echo "Docker creds ecrites"
-
-  # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis.
-  - name: docker-backend
-    image: docker:27-cli
-    depends_on:
-      - write-docker-creds
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     commands:
-      - |
-        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
-        REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2)
-        REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2)
-        docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS"
-      - |
-        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
-        SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
-        REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z')
-        IMAGE="$REGISTRY/$REPO/backend"
-        docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \
-          -f docker/backend.Dockerfile \
-          --target production \
-          .
-        docker push "$IMAGE:latest"
-        docker push "$IMAGE:$SHA"
+      - docker build -t libredecision-frontend:latest -f docker/frontend.Dockerfile --target production .
+      - echo "Image frontend construite"
 
-  # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis.
-  - name: docker-frontend
-    image: docker:27-cli
-    depends_on:
-      - write-docker-creds
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    commands:
-      - |
-        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
-        REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2)
-        REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2)
-        docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS"
-      - |
-        REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2)
-        SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8)
-        REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z')
-        IMAGE="$REGISTRY/$REPO/frontend"
-        docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \
-          -f docker/frontend.Dockerfile \
-          --target production \
-          .
-        docker push "$IMAGE:latest"
-        docker push "$IMAGE:$SHA"
-
-  # SBOM — inventaire des dépendances (filesystem scan, pas de registry auth requis)
+  # NOTE: volumes + pas de from_secret : compatible
   - name: sbom-generate
     image: alpine:3.20
     depends_on:
-      - docker-backend
-      - docker-frontend
+      - build-backend
+      - build-frontend
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
     commands:
       - apk add --no-cache curl
       - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest
       - mkdir -p .reports
-      - syft dir:backend -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json
-      - syft dir:frontend -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json
-      - echo "SBOM genere"
+      - syft libredecision-backend:latest -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json
+      - syft libredecision-frontend:latest -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json
+      - echo "SBOM generes"
 
   # NOTE: volumes + pas de from_secret : compatible
   - name: sbom-scan
@@ -197,7 +152,7 @@ steps:
       - cp .env.deploy /opt/libredecision/.env
       - chmod 600 /opt/libredecision/.env
       - cp docker/docker-compose.yml /opt/libredecision/docker-compose.yml
-      - cd /opt/libredecision && docker compose pull
+      # Images construites localement dans la pipeline : pas de docker compose pull
       - cd /opt/libredecision && docker compose up -d --remove-orphans
       - cd /opt/libredecision && docker compose ps
 

docker/docker-compose.yml

@@ -20,6 +20,7 @@ services:
       - libredecision
 
   backend:
+    image: libredecision-backend:latest
     build:
       context: ../
       dockerfile: docker/backend.Dockerfile
@@ -47,6 +48,7 @@ services:
       - traefik
 
   frontend:
+    image: libredecision-frontend:latest
     build:
       context: ../
       dockerfile: docker/frontend.Dockerfile