jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

variable name fixes
Some checks failed
ci/woodpecker/manual/woodpecker Pipeline failed
Details

Browse Source
This commit is contained in:
Josh 2025-09-12 15:38:11 +00:00
parent bb14ea74f3
commit d5848a6494
1 changed files with 33 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
.woodpecker.yml
View File

@ -6,86 +6,76 @@ name: prod-promotion
steps: steps:
- name: promote-tag-and-mirror - name: promote-tag-and-mirror
image: google/cloud-sdk:latest image: google/cloud-sdk:latest
entrypoint: entrypoint: [bash, -c]
- bash commands:
- -c
- | - |
set -euo pipefail set -euo pipefail
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; } if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
# Dev is the single source of truth for IMG_TAG # Dev is the single source of truth for IMG_TAG
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo" SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
# Hard guards so we fail *before* skopeo if anything is empty
[ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; } [ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; }
[ -n "$SRC" ] || { echo "❌ SRC is empty"; exit 2; }
[ -n "$DST" ] || { echo "❌ DST is empty"; exit 2; }
apt-get update -qq apt-get update -qq
apt-get install -y -qq skopeo apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)" TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do for s in server1 server2 server3 nginx; do
SRC_REF="docker://$SRC/$s:$IMG_TAG"
DST_REF="docker://$DST/$s:$IMG_TAG"
echo "🔁 copy $SRC_REF → $DST_REF"
skopeo copy --insecure-policy \ skopeo copy --insecure-policy \
--src-creds "oauth2accesstoken:${TOKEN}" \ --src-creds "oauth2accesstoken:$TOKEN" \
--dest-creds "oauth2accesstoken:${TOKEN}" \ --dest-creds "oauth2accesstoken:$TOKEN" \
"docker://${SRC}/${s}:${IMG_TAG}" \ "$SRC_REF" "$DST_REF"
"docker://${DST}/${s}:${IMG_TAG}"
done done
for svc in server1 server2 server3 nginx; do printf "%s" "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null
docker pull "$SRC/$svc:$IMG_TAG" echo "🏷 Promoted IMG_TAG=$IMG_TAG → aptivaai-prod"
docker tag "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
docker push "$DST/$svc:$IMG_TAG"
done
# Publish the exact tag to prod SM so deploy & scan read the same value
printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
- name: verify-sync - name: verify-sync
depends_on: [promote-tag-and-mirror] depends_on: [promote-tag-and-mirror]
image: google/cloud-sdk:latest image: google/cloud-sdk:latest
entrypoint: entrypoint: [bash, -c]
- bash commands:
- -c
- | - |
set -euo pipefail set -euo pipefail
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; } if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)" PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
[[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; } [ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; }
echo "✅ Tag parity confirmed: $IMG_TAG" echo "✅ Tag parity confirmed: $IMG_TAG"
# Ensure images truly exist in PROD AR
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq && apt-get install -y -qq skopeo apt-get update -qq && apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)" TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do for s in server1 server2 server3 nginx; do
REF="docker://${DST}/${s}:${IMG_TAG}" REF="docker://$DST/$s:$IMG_TAG"
echo "🔎 verify ${REF}" echo "🔎 verify $REF"
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" "$REF" >/dev/null skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null
done done
echo "✅ Prod AR has all images at :$IMG_TAG" echo "✅ Prod AR has all images at :$IMG_TAG"
- name: security-scan - name: security-scan
depends_on: [verify-sync] depends_on: [verify-sync]
image: google/cloud-sdk:latest image: google/cloud-sdk:latest
entrypoint: entrypoint: [bash, -c]
- bash commands:
- -c
- | - |
set -euo pipefail set -euo pipefail
# Guard so this file doesn't run unless you explicitly set PROMOTE=prod in the UI if [ "x$PROMOTE" != "xprod" ]; then echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
# Scan the images that WILL be deployed: pull IMG_TAG from PROD
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)" IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq apt-get update -qq
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
export PATH="$PATH:$(pwd)/bin" export PATH="$PATH:$(pwd)/bin"
@ -98,6 +88,7 @@ steps:
--exit-code 1 --severity CRITICAL "$REF" --exit-code 1 --severity CRITICAL "$REF"
done done
- name: prod-deploy - name: prod-deploy
depends_on: [security-scan] depends_on: [security-scan]
image: google/cloud-sdk:latest image: google/cloud-sdk:latest