From 0ae844f10c59fe1ca619d8d85e266ff8e900d2fb Mon Sep 17 00:00:00 2001
From: ITQ
Date: Thu, 20 Nov 2025 20:32:05 +0300
Subject: [PATCH] feat: added dangerous tagging after all validation steps pass

---
 .gitlab-ci.yml    | 109 ++++++++++++++++++++++++++++++++--------------
 compose.prod.yaml |   6 +--
 2 files changed, 80 insertions(+), 35 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 55ba470..06a4499 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -2,6 +2,7 @@ stages:
   - build
   - test
   - security
+  - tag
   - deploy
 
 variables:
@@ -102,11 +103,10 @@ cache:
       when: never
 
 .webhook-template: &webhook-config
-  stage: deploy
   image: curlimages/curl:latest
   script:
     - |
-      curl -s -X POST \
+      curl -sf -X POST \
         -H "Content-Type: application/json" \
         -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
         -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
@@ -125,8 +125,6 @@ cache:
     - |
       docker buildx create --use
       docker buildx build . \
-        -t $IMAGE_NAME:latest \
-        -t $IMAGE_NAME:$CI_COMMIT_REF_SLUG \
         -t $IMAGE_NAME:$CI_COMMIT_SHA \
         -f $CONTAINERFILE --target $BUILDTARGET --push \
         --cache-from type=registry,ref=$IMAGE_NAME-cache \
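Review bot: `curl -sf` in the webhook template now fails the job on an HTTP error, but `-s` also silences curl's own error message, so a rejected deploy trigger leaves nothing in the job log to explain it; `curl -sSf -X POST \` keeps the error line, and `--fail-with-body` (if the curl in that image is recent enough) also keeps the endpoint's response body. The unchanged `image: curlimages/curl:latest` on the same template is a mutable tag on the job that handles `$WEBHOOK_SECRET_TOKEN`; pinning it to a version or digest is cheap. The rest of the curl invocation, including the request body, continues past the hunk.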
@@ -141,6 +139,36 @@ cache:
       when: manual
       allow_failure: true
 
+.tag-template: &tag-config
+  <<: *docker-job
+  stage: tag
+  script:
+    - |
+      set -euo pipefail
+      IMAGE="$IMAGE_NAME:$CI_COMMIT_SHA"
+      docker pull "$IMAGE"
+
+      if [ -n "${CI_COMMIT_TAG:-}" ]; then
+        docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_TAG"
+        docker push "$IMAGE_NAME:$CI_COMMIT_TAG"
+      fi
+
+      if [ -n "${CI_COMMIT_BRANCH:-}" ]; then
+        docker tag "$IMAGE" "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
+        docker push "$IMAGE_NAME:$CI_COMMIT_REF_SLUG"
+
+        if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
+          docker tag "$IMAGE" "$IMAGE_NAME:latest"
+          docker push "$IMAGE_NAME:latest"
+        fi
+      fi
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_COMMIT_TAG
+    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
+      when: manual
+      allow_failure: true
+
 .uv-job: &uv-job
   image: debian:trixie-slim
   cache:
@@ -156,33 +184,6 @@ cache:
     - curl -LsSf https://astral.sh/uv/install.sh | sh
     - export PATH="$HOME/.local/bin:$PATH"
 
-sast-filesystem:
-  <<: *trivy-fs-scan
-
-sast-image-runtime:
-  <<: *trivy-image-scan
-  variables:
-    IMAGE_NAME: $BASE_IMAGE_NAME/backend
-    IMAGE_TYPE: runtime
-  dependencies:
-    - build-runtime
-
-sast-image-tests:
-  <<: *trivy-image-scan
-  variables:
-    IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
-    IMAGE_TYPE: tests
-  dependencies:
-    - build-tests
-
-sast-image-migrations:
-  <<: *trivy-image-scan
-  variables:
-    IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
-    IMAGE_TYPE: migrations
-  dependencies:
-    - build-migrations
-
 build-runtime:
   <<: *build-config
   variables:
@@ -236,7 +237,7 @@ test:
       ) | tee -a compose.log &
     - LOGS_PID=$!
     - |
-      REGISTRY_PREFIX=$CI_REGISTRY_IMAGE \
+      REGISTRY_PREFIX=$CI_REGISTRY_IMAGE IMAGE_TAG=$CI_COMMIT_SHA \
       docker compose -f compose.yaml -f compose.prod.yaml \
         $PROFILES up -d --quiet-pull --quiet-build 2>&1 | tee compose.log
     - |
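Review bot: `$CI_COMMIT_TAG` is used unvalidated as the Docker tag in `.tag-template`, so a git tag named `latest` (or equal to a branch slug) would overwrite the image the default branch promoted, by anyone allowed to push tags; narrow the rule, e.g. `- if: $CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+(-[0-9A-Za-z.]+)?$/`, and make that tag pattern protected in the project so only maintainers can trigger promotion. `docker pull "$IMAGE"` re-resolves `$IMAGE_NAME:$CI_COMMIT_SHA` by tag at tag-stage time, so what gets promoted is whatever the registry holds then rather than the manifest the security stage scanned (a retried build job or a concurrent pipeline for the same SHA can replace it); carrying the build's digest forward (`--metadata-file` artifact) and retagging server-side with `docker buildx imagetools create -t "$IMAGE_NAME:latest" "$IMAGE_NAME@$DIGEST"` closes that gap and also preserves a multi-platform manifest, which pull/tag/push would reduce to the runner's platform if the build ever passes `--platform`. The manual merge-request path looks like a no-op, since neither `CI_COMMIT_BRANCH` nor `CI_COMMIT_TAG` is set in merge request pipelines; if that is intended, a comment on the rule saying so would save the next reader the trip. `.docker-job`, merged in at the top, is defined outside this hunk.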
@@ -272,8 +273,51 @@ test:
     - build-tests
     - build-migrations
 
+sast-filesystem:
+  <<: *trivy-fs-scan
+
+sast-image-runtime:
+  <<: *trivy-image-scan
+  variables:
+    IMAGE_NAME: $BASE_IMAGE_NAME/backend
+    IMAGE_TYPE: runtime
+  dependencies:
+    - build-runtime
+
+sast-image-tests:
+  <<: *trivy-image-scan
+  variables:
+    IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
+    IMAGE_TYPE: tests
+  dependencies:
+    - build-tests
+
+sast-image-migrations:
+  <<: *trivy-image-scan
+  variables:
+    IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
+    IMAGE_TYPE: migrations
+  dependencies:
+    - build-migrations
+
+tag-runtime:
+  <<: *tag-config
+  variables:
+    IMAGE_NAME: $BASE_IMAGE_NAME/backend
+
+tag-tests:
+  <<: *tag-config
+  variables:
+    IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
+
+tag-migrations:
+  <<: *tag-config
+  variables:
+    IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
+
 webhook-migrations-deploy:
   <<: *webhook-config
+  stage: deploy
   variables:
     WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
   resource_group: staging
@@ -283,6 +327,7 @@ webhook-migrations-deploy:
 
 webhook-backend-deploy:
   <<: *webhook-config
+  stage: deploy
   variables:
     WEBHOOK_URL: $WEBHOOK_URL_BACKEND
   environment:
diff --git a/compose.prod.yaml b/compose.prod.yaml
index c4ec125..f53322a 100644
--- a/compose.prod.yaml
+++ b/compose.prod.yaml
@@ -1,9 +1,9 @@
 services:
   backend:
-    image: "${REGISTRY_PREFIX}/backend"
+    image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG}"
 
   tests:
-    image: "${REGISTRY_PREFIX}/backend-tests"
+    image: "${REGISTRY_PREFIX}/backend-tests:${IMAGE_TAG}"
 
   migrations:
-    image: "${REGISTRY_PREFIX}/backend-migrations"
+    image: "${REGISTRY_PREFIX}/backend-migrations:${IMAGE_TAG}"
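Review bot: The three `tag-*` jobs are gated by stage order alone, so the "after all validation steps pass" guarantee is exactly as strong as what `.trivy-image-scan` and `.trivy-fs-scan` (defined outside this hunk) do on a finding: if either template carries `allow_failure: true` or runs trivy with `--exit-code 0`, the tag stage still runs and promotes the image. That dependency deserves to be written down next to the jobs, e.g. above `tag-runtime:`: `# Promotion to latest/branch/tag assumes the security stage fails hard on findings — do not set allow_failure on the sast-* jobs`. The sast jobs also have to run in tag pipelines for the `$CI_COMMIT_TAG` rule in `.tag-template` to be safe; their rules live in the template and are not visible here, so confirm a tag push does not build and promote without a scan.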
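Review bot: `${IMAGE_TAG}` has no default in `compose.prod.yaml`, so any caller that does not export it — a deploy host that used to run this file as-is — interpolates to `…/backend:`, which Docker rejects as an invalid reference only after a compose warning; `image: "${REGISTRY_PREFIX}/backend:${IMAGE_TAG:?IMAGE_TAG must be set}"` (and the same for `backend-tests` and `backend-migrations`) fails at parse time with the real cause. Do not reach for `:-latest` as the fallback — that would quietly reintroduce the mutable tag this commit moves the build away from. Whether the deploy webhooks hand `$CI_COMMIT_SHA` to the target is not visible in this patch; if they do not, production still resolves a floating tag rather than the image that was scanned.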