feat: added dangerous tagging after all validation steps pass
+92
-33
@@ -2,6 +2,7 @@ stages:
|
||||
- build
|
||||
- test
|
||||
- security
|
||||
- tag
|
||||
- deploy
|
||||
|
||||
variables:
|
||||
@@ -102,15 +103,22 @@ cache:
|
||||
when: never
|
||||
|
||||
.webhook-template: &webhook-config
|
||||
stage: deploy
|
||||
image: curlimages/curl:latest
|
||||
script:
|
||||
- |
|
||||
curl -s -X POST \
|
||||
response=$(curl -s -w "\n%{http_code}" -X POST \
|
||||
-H "Content-Type: application/json" \
|
||||
-H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
|
||||
-H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
|
||||
"$WEBHOOK_URL"
|
||||
"$WEBHOOK_URL")
|
||||
|
||||
body=$(echo "$response" | sed '$d')
|
||||
status=$(echo "$response" | tail -n1)
|
||||
|
||||
echo "$body"
|
||||
|
||||
[ $? -ne 0 ] && echo "curl failed" && exit 1
|
||||
[ "$status" -lt 200 ] || [ "$status" -ge 300 ] && echo "HTTP $status" && exit 1
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
when: on_success
|
||||
@@ -125,8 +133,6 @@ cache:
|
||||
- |
|
||||
docker buildx create --use
|
||||
docker buildx build . \
|
||||
-t $IMAGE_NAME:latest \
|
||||
-t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
|
||||
-t $IMAGE_NAME:$CI_COMMIT_SHA \
|
||||
-f $CONTAINERFILE --target $BUILDTARGET --push \
|
||||
--cache-from type=registry,ref=$IMAGE_NAME-cache \
|
||||
@@ -141,6 +147,42 @@ cache:
|
||||
when: manual
|
||||
allow_failure: true
|
||||
|
||||
.tag-template: &tag-config
|
||||
<<: *docker-job
|
||||
stage: tag
|
||||
script:
|
||||
- |
|
||||
set -euo pipefail
|
||||
SOURCE_IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA"
|
||||
docker pull "$SOURCE_IMAGE"
|
||||
DANGEROUS_TAGS=""
|
||||
if [ -n "$CI_COMMIT_TAG" ]; then
|
||||
DANGEROUS_TAGS="$DANGEROUS_TAGS $CI_COMMIT_TAG"
|
||||
fi
|
||||
if [ -n "$CI_COMMIT_BRANCH" ]; then
|
||||
if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
|
||||
DANGEROUS_TAGS="$DANGEROUS_TAGS latest $CI_COMMIT_REF_SLUG"
|
||||
else
|
||||
DANGEROUS_TAGS="$DANGEROUS_TAGS $CI_COMMIT_REF_SLUG"
|
||||
fi
|
||||
fi
|
||||
if [ -z "$DANGEROUS_TAGS" ]; then
|
||||
echo "No tags to publish."
|
||||
exit 0
|
||||
fi
|
||||
for TAG in $DANGEROUS_TAGS; do
|
||||
[ -z "$TAG" ] && continue
|
||||
TARGET_IMAGE="$IMAGE_NAME:$TAG"
|
||||
docker tag "$SOURCE_IMAGE" "$TARGET_IMAGE"
|
||||
docker push "$TARGET_IMAGE"
|
||||
done
|
||||
rules:
|
||||
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
|
||||
- if: $CI_COMMIT_TAG
|
||||
- if: $CI_PIPELINE_SOURCE == 'merge_request_event'
|
||||
when: manual
|
||||
allow_failure: true
|
||||
|
||||
.uv-job: &uv-job
|
||||
image: debian:trixie-slim
|
||||
cache:
|
||||
@@ -156,33 +198,6 @@ cache:
|
||||
- curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
- export PATH="$HOME/.local/bin:$PATH"
|
||||
|
||||
sast-filesystem:
|
||||
<<: *trivy-fs-scan
|
||||
|
||||
sast-image-runtime:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend
|
||||
IMAGE_TYPE: runtime
|
||||
dependencies:
|
||||
- build-runtime
|
||||
|
||||
sast-image-tests:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
|
||||
IMAGE_TYPE: tests
|
||||
dependencies:
|
||||
- build-tests
|
||||
|
||||
sast-image-migrations:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
|
||||
IMAGE_TYPE: migrations
|
||||
dependencies:
|
||||
- build-migrations
|
||||
|
||||
build-runtime:
|
||||
<<: *build-config
|
||||
variables:
|
||||
@@ -236,7 +251,7 @@ test:
|
||||
) | tee -a compose.log &
|
||||
- LOGS_PID=$!
|
||||
- |
|
||||
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
|
||||
REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
|
||||
docker compose -f compose.yaml -f compose.prod.yaml \
|
||||
$PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
|
||||
- |
|
||||
@@ -272,8 +287,51 @@ test:
|
||||
- build-tests
|
||||
- build-migrations
|
||||
|
||||
sast-filesystem:
|
||||
<<: *trivy-fs-scan
|
||||
|
||||
sast-image-runtime:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend
|
||||
IMAGE_TYPE: runtime
|
||||
dependencies:
|
||||
- build-runtime
|
||||
|
||||
sast-image-tests:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
|
||||
IMAGE_TYPE: tests
|
||||
dependencies:
|
||||
- build-tests
|
||||
|
||||
sast-image-migrations:
|
||||
<<: *trivy-image-scan
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
|
||||
IMAGE_TYPE: migrations
|
||||
dependencies:
|
||||
- build-migrations
|
||||
|
||||
tag-runtime:
|
||||
<<: *tag-config
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend
|
||||
|
||||
tag-tests:
|
||||
<<: *tag-config
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
|
||||
|
||||
tag-migrations:
|
||||
<<: *tag-config
|
||||
variables:
|
||||
IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
|
||||
|
||||
webhook-migrations-deploy:
|
||||
<<: *webhook-config
|
||||
stage: deploy
|
||||
variables:
|
||||
WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
|
||||
resource_group: staging
|
||||
@@ -283,6 +341,7 @@ webhook-migrations-deploy:
|
||||
|
||||
webhook-backend-deploy:
|
||||
<<: *webhook-config
|
||||
stage: deploy
|
||||
variables:
|
||||
WEBHOOK_URL: $WEBHOOK_URL_BACKEND
|
||||
environment:
|
||||
|
||||
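Review bot: In the `.tag-template` hunk (`@@ -141,6 +147,42 @@`), promoting the scanned image by `docker pull` / `docker tag` / `docker push` re-publishes only the single-platform image the runner pulled, so if the `buildx build --push` in the build hunk produces a multi-platform manifest list, the `latest` and slug tags will silently lose the other platforms; it also pulls by a mutable tag rather than the digest the `sast-image-*` jobs inspected, so what gets promoted is not provably the artifact that passed. Retag server-side instead, which preserves manifest lists and needs no pull: replace the `docker pull`, `docker tag` and `docker push` lines with `docker buildx imagetools create --tag "$TARGET_IMAGE" "$SOURCE_IMAGE"`, and consider having the scan jobs export the digest they scanned so the tag job can use `$IMAGE_NAME@<digest>` as `SOURCE_IMAGE`. Separately, `$CI_COMMIT_TAG` is used verbatim as an image tag; git tags may contain `/` or other characters Docker rejects, so validate it against the registry tag grammar before the loop if the project's tag scheme allows such names. In the webhook hunk (`@@ -102,15 +103,22 @@`), `[ $? -ne 0 ] && echo "curl failed" && exit 1` tests the exit status of the preceding `echo "$body"`, not curl, so the check is dead; capture the failure where it happens, e.g. `response=$(curl ... "$WEBHOOK_URL") || { echo "curl failed"; exit 1; }`.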
+3
-3
@@ -1,9 +1,9 @@
|
||||
services:
|
||||
backend:
|
||||
image: "${REGISTRY_PREFIX}/backend"
|
||||
image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG}"
|
||||
|
||||
tests:
|
||||
image: "${REGISTRY_PREFIX}/backend-tests"
|
||||
image: "${REGISTRY_PREFIX}/backend-tests:${IMAGE_TAG}"
|
||||
|
||||
migrations:
|
||||
image: "${REGISTRY_PREFIX}/backend-migrations"
|
||||
image: "${REGISTRY_PREFIX}/backend-migrations:${IMAGE_TAG}"
|
||||
|
||||
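Review bot: The new `:${IMAGE_TAG}` suffix on the three `image:` values makes the compose file break silently when `IMAGE_TAG` is unset or empty, since Compose expands an undefined variable to an empty string and `"${REGISTRY_PREFIX}/backend:"` is an invalid reference that only fails at pull time. Fail fast instead of falling back to a mutable tag, which would defeat the point of pinning to the commit SHA: `image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG:?IMAGE_TAG must be set}"`, and likewise for the `tests` and `migrations` services. The only caller visible in this commit is the `test` job's `REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA` line, so this mainly guards local and future invocations.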