feat: added dangerous tagging after all validation steps pass

This commit is contained in:
ITQ
2025-11-20 20:32:05 +03:00
parent c010984d64
commit 0ae844f10c
2 changed files with 80 additions and 35 deletions
+77 -32
@@ -2,6 +2,7 @@ stages:
- build - build
- test - test
- security - security
- tag
- deploy - deploy
variables: variables:
@@ -102,11 +103,10 @@ cache:
when: never when: never
.webhook-template: &webhook-config .webhook-template: &webhook-config
stage: deploy
image: curlimages/curl:latest image: curlimages/curl:latest
script: script:
- | - |
curl -s -X POST \ curl -sf -X POST \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \ -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
-H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \ -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
@@ -125,8 +125,6 @@ cache:
- | - |
docker buildx create --use docker buildx create --use
docker buildx build . \ docker buildx build . \
-t $IMAGE_NAME:latest \
-t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
-t $IMAGE_NAME:$CI_COMMIT_SHA \ -t $IMAGE_NAME:$CI_COMMIT_SHA \
-f $CONTAINERFILE --target $BUILDTARGET --push \ -f $CONTAINERFILE --target $BUILDTARGET --push \
--cache-from type=registry,ref=$IMAGE_NAME-cache \ --cache-from type=registry,ref=$IMAGE_NAME-cache \
@@ -141,6 +139,36 @@ cache:
when: manual when: manual
allow_failure: true allow_failure: true
.tag-template: &tag-config
<<: *docker-job
stage: tag
script:
- |
set -euo pipefail
IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA"
docker pull "$IMAGE"
if [ -n "${CI_COMMIT_TAG:-}" ]; then
docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_TAG"
docker push "$IMAGE_NAME:$CI_COMMIT_TAG"
fi
if [ -n "${CI_COMMIT_BRANCH:-}" ]; then
docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
docker push "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
docker tag "$IMAGE" "$IMAGE_NAME:latest"
docker push "$IMAGE_NAME:latest"
fi
fi
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
- if: $CI_COMMIT_TAG
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
when: manual
allow_failure: true
.uv-job: &uv-job .uv-job: &uv-job
image: debian:trixie-slim image: debian:trixie-slim
cache: cache:
@@ -156,33 +184,6 @@ cache:
- curl -LsSf https://astral.sh/uv/install.sh | sh - curl -LsSf https://astral.sh/uv/install.sh | sh
- export PATH="$HOME/.local/bin:$PATH" - export PATH="$HOME/.local/bin:$PATH"
sast-filesystem:
<<: *trivy-fs-scan
sast-image-runtime:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend
IMAGE_TYPE: runtime
dependencies:
- build-runtime
sast-image-tests:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
IMAGE_TYPE: tests
dependencies:
- build-tests
sast-image-migrations:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
IMAGE_TYPE: migrations
dependencies:
- build-migrations
build-runtime: build-runtime:
<<: *build-config <<: *build-config
variables: variables:
@@ -236,7 +237,7 @@ test:
) | tee -a compose.log & ) | tee -a compose.log &
- LOGS_PID=$! - LOGS_PID=$!
- | - |
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \ REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
docker compose -f compose.yaml -f compose.prod.yaml \ docker compose -f compose.yaml -f compose.prod.yaml \
$PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
- | - |
@@ -272,8 +273,51 @@ test:
- build-tests - build-tests
- build-migrations - build-migrations
sast-filesystem:
<<: *trivy-fs-scan
sast-image-runtime:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend
IMAGE_TYPE: runtime
dependencies:
- build-runtime
sast-image-tests:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
IMAGE_TYPE: tests
dependencies:
- build-tests
sast-image-migrations:
<<: *trivy-image-scan
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
IMAGE_TYPE: migrations
dependencies:
- build-migrations
tag-runtime:
<<: *tag-config
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend
tag-tests:
<<: *tag-config
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
tag-migrations:
<<: *tag-config
variables:
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
webhook-migrations-deploy: webhook-migrations-deploy:
<<: *webhook-config <<: *webhook-config
stage: deploy
variables: variables:
WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
resource_group: staging resource_group: staging
@@ -283,6 +327,7 @@ webhook-migrations-deploy:
webhook-backend-deploy: webhook-backend-deploy:
<<: *webhook-config <<: *webhook-config
stage: deploy
variables: variables:
WEBHOOK_URL: $WEBHOOK_URL_BACKEND WEBHOOK_URL: $WEBHOOK_URL_BACKEND
environment: environment:
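Review bot: The manual `merge_request_event` rule added to `.tag-template` yields a job that pushes nothing: GitLab does not set `CI_COMMIT_BRANCH` in merge-request pipelines, so the `if [ -n "${CI_COMMIT_BRANCH:-}" ]` block is skipped and the job only pulls the image and exits 0, which reads as a successful tag in the pipeline view. If the intent is to let a reviewer publish a branch tag from an MR, gate that block on "not a tag pipeline" instead, `if [ -z "${CI_COMMIT_TAG:-}" ]; then`, which still confines the `latest` promotion to the default branch through the inner comparison; otherwise drop the merge-request rule. In the webhook hunk, `curl -sf` now fails on HTTP errors but `-s` also suppresses the error text, so a rejected webhook leaves no reason in the job log; `curl -sSf` matches the `curl -LsSf` call in the uv template and keeps the message. The security → tag stage ordering is what keeps `latest` and branch tags from ever pointing at an unscanned image, but it relies on both the scan and the tag job reading the same mutable `$IMAGE_NAME:$CI_COMMIT_SHA` tag; if the registry allows re-pushing an existing tag, consider recording the image digest at build time and re-tagging from that digest instead.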
+3 -3
@@ -1,9 +1,9 @@
services: services:
backend: backend:
image: "${REGISTRY_PREFIX}/backend" image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG}"
tests: tests:
image: "${REGISTRY_PREFIX}/backend-tests" image: "${REGISTRY_PREFIX}/backend-tests:${IMAGE_TAG}"
migrations: migrations:
image: "${REGISTRY_PREFIX}/backend-migrations" image: "${REGISTRY_PREFIX}/backend-migrations:${IMAGE_TAG}"