when: - branch: main event: push steps: - name: security-check image: alpine:3.20 commands: - | if [ -f .env ]; then echo "ERREUR: .env ne doit pas etre commite dans le depot" exit 1 fi - 'grep -q "^\.env$" .gitignore || (echo "ERREUR: .env manquant dans .gitignore" && exit 1)' - echo "Security check OK" - name: test-backend image: python:3.11-slim commands: - cd backend - pip install --no-cache-dir -r requirements.txt - pytest app/tests/ -v --tb=short - name: test-frontend image: node:20-slim commands: - cd frontend - npm ci - npm run build # NOTE: from_secret + pas de volumes : compatible - name: write-docker-creds image: alpine:3.20 depends_on: - test-backend - test-frontend environment: REGISTRY: from_secret: docker_registry REGISTRY_USER: from_secret: docker_username REGISTRY_PASS: from_secret: docker_password commands: - echo "REGISTRY=$REGISTRY" > .docker-creds - echo "REGISTRY_USER=$REGISTRY_USER" >> .docker-creds - echo "REGISTRY_PASS=$REGISTRY_PASS" >> .docker-creds - echo "Docker creds ecrites" # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis. - name: docker-backend image: docker:27-cli depends_on: - write-docker-creds volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - | REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2) REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2) docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS" - | REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z') IMAGE="$REGISTRY/$REPO/backend" docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \ -f docker/backend.Dockerfile \ --target production \ . docker push "$IMAGE:latest" docker push "$IMAGE:$SHA" # NOTE: volumes + pas de from_secret : compatible. Pas de privileged requis. - name: docker-frontend image: docker:27-cli depends_on: - write-docker-creds volumes: - /var/run/docker.sock:/var/run/docker.sock commands: - | REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) REGISTRY_USER=$(grep '^REGISTRY_USER=' .docker-creds | cut -d= -f2) REGISTRY_PASS=$(grep '^REGISTRY_PASS=' .docker-creds | cut -d= -f2) docker login "$REGISTRY" -u "$REGISTRY_USER" -p "$REGISTRY_PASS" - | REGISTRY=$(grep '^REGISTRY=' .docker-creds | cut -d= -f2) SHA=$(echo "$CI_COMMIT_SHA" | cut -c1-8) REPO=$(echo "$CI_REPO" | tr 'A-Z' 'a-z') IMAGE="$REGISTRY/$REPO/frontend" docker build -t "$IMAGE:latest" -t "$IMAGE:$SHA" \ -f docker/frontend.Dockerfile \ --target production \ . docker push "$IMAGE:latest" docker push "$IMAGE:$SHA" # SBOM — inventaire des dépendances (filesystem scan, pas de registry auth requis) - name: sbom-generate image: alpine:3.20 depends_on: - docker-backend - docker-frontend commands: - apk add --no-cache curl - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin latest - mkdir -p .reports - syft dir:backend -o cyclonedx-json --file .reports/sbom-backend.cyclonedx.json - syft dir:frontend -o cyclonedx-json --file .reports/sbom-frontend.cyclonedx.json - echo "SBOM genere" # NOTE: volumes + pas de from_secret : compatible - name: sbom-scan image: aquasec/trivy:latest depends_on: - sbom-generate volumes: - /home/syoul/trivy-cache:/root/.cache/trivy commands: - trivy sbom --format json --output .reports/trivy-backend.json .reports/sbom-backend.cyclonedx.json - trivy sbom --format json --output .reports/trivy-frontend.json .reports/sbom-frontend.cyclonedx.json - echo "Scan CVE termine" # NOTE: from_secret + pas de volumes : compatible - name: sbom-publish image: alpine/curl:latest depends_on: - sbom-scan environment: DTRACK_TOKEN: from_secret: dependency_track_token DTRACK_DOMAIN: from_secret: dtrack_domain commands: - | VERSION=$(date +%Y-%m-%d)-$(echo "$CI_COMMIT_SHA" | cut -c1-8) for COMPONENT in backend frontend; do HTTP=$(curl -s -o /tmp/dtrack-resp.txt -w "%{http_code}" -X POST "https://$DTRACK_DOMAIN/api/v1/bom" \ -H "X-Api-Key: $DTRACK_TOKEN" \ -F "autoCreate=true" \ -F "projectName=libredecision-$COMPONENT" \ -F "projectVersion=$VERSION" \ -F "bom=@.reports/sbom-$COMPONENT.cyclonedx.json") echo "HTTP $HTTP ($COMPONENT) : $(cat /tmp/dtrack-resp.txt)" [ "$HTTP" -ge 200 ] && [ "$HTTP" -lt 300 ] || exit 1 done # NOTE: from_secret + pas de volumes : compatible - name: write-env image: alpine:3.20 depends_on: - sbom-publish environment: APP_DOMAIN: from_secret: app_domain POSTGRES_PASSWORD: from_secret: postgres_password SECRET_KEY: from_secret: secret_key commands: - echo "DOMAIN=$APP_DOMAIN" > .env.deploy - echo "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" >> .env.deploy - echo "SECRET_KEY=$SECRET_KEY" >> .env.deploy - OWNER=$(echo "$CI_REPO_OWNER" | tr 'A-Z' 'a-z') && REPO=$(echo "$CI_REPO_NAME" | tr 'A-Z' 'a-z') && BRANCH=$(echo "$CI_COMMIT_BRANCH" | tr 'A-Z/' 'a-z-') && echo "COMPOSE_PROJECT_NAME=$OWNER-$REPO-$BRANCH" >> .env.deploy - echo ".env.deploy cree ($(wc -c < .env.deploy) octets)" - name: test-env image: alpine:3.20 depends_on: - write-env commands: - | [ -f .env.deploy ] || { echo "FAIL: .env.deploy introuvable"; exit 1; } echo "PASS: .env.deploy present" - | VAL=$(grep '^COMPOSE_PROJECT_NAME=' .env.deploy | cut -d= -f2) [ -z "$VAL" ] && echo "FAIL: COMPOSE_PROJECT_NAME vide" && exit 1 echo "PASS: COMPOSE_PROJECT_NAME = $VAL" - | VAL=$(grep '^DOMAIN=' .env.deploy | cut -d= -f2) [ -z "$VAL" ] && echo "FAIL: DOMAIN vide" && exit 1 echo "PASS: DOMAIN = $VAL" # NOTE: volumes + pas de from_secret : compatible # Fabio/Traefik routing géré via labels du docker-compose.yml - name: deploy image: docker:27-cli depends_on: - test-env volumes: - /var/run/docker.sock:/var/run/docker.sock - /opt/libredecision:/opt/libredecision commands: - cp .env.deploy /opt/libredecision/.env - chmod 600 /opt/libredecision/.env - cp docker/docker-compose.yml /opt/libredecision/docker-compose.yml - cd /opt/libredecision && docker compose pull - cd /opt/libredecision && docker compose up -d --remove-orphans - cd /opt/libredecision && docker compose ps # Vérification que les containers sont running - name: test-deploy image: docker:27-cli depends_on: - deploy volumes: - /var/run/docker.sock:/var/run/docker.sock - /opt/libredecision:/opt/libredecision commands: - | PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/libredecision/.env | cut -d= -f2) for SVC in backend frontend; do STATUS=$(docker inspect --format '{{.State.Status}}' "$PROJECT-$SVC-1" 2>/dev/null || echo "absent") echo "$PROJECT-$SVC-1 : $STATUS" [ "$STATUS" = "running" ] || { echo "FAIL: $PROJECT-$SVC-1 non running"; exit 1; } done echo "PASS: tous les containers running" - name: healthcheck image: alpine:3.20 depends_on: - test-deploy commands: - apk add --no-cache --quiet curl - | SITE=$(grep '^DOMAIN=' .env.deploy | cut -d= -f2) TARGET="https://$SITE" echo "Healthcheck $TARGET..." MAX=60 i=0 until [ $i -ge $MAX ]; do CODE=$(curl -sSo /dev/null -w "%{http_code}" "$TARGET" 2>/dev/null) echo "Tentative $((i+1))/$MAX - HTTP $CODE" if [ "$CODE" = "200" ] || [ "$CODE" = "301" ] || [ "$CODE" = "302" ]; then echo "PASS: app repond sur $TARGET" exit 0 fi i=$((i+1)) sleep 10 done echo "FAIL: app ne repond pas apres 10 minutes" exit 1 - name: notify-failure image: alpine:3.20 commands: - 'echo "ECHEC pipeline #$CI_BUILD_NUMBER sur $CI_COMMIT_BRANCH ($CI_COMMIT_SHA)"' when: - status: failure