jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: jcoakley:3007f15a0c83c11b9a3eb00fe02d92f6f25767a0
Branches Tags
jcoakley:master
..
compare: jcoakley:666427a7c958d986ef4a1c8cea336101749f4fd9
Branches Tags
jcoakley:master

No commits in common. "3007f15a0c83c11b9a3eb00fe02d92f6f25767a0" and "666427a7c958d986ef4a1c8cea336101749f4fd9" have entirely different histories.
3007f15a0c ... 666427a7c9

1 changed files with 12 additions and 67 deletions
Show Stats Expand all files Collapse all files

79
.woodpecker.yml
View File

@ -114,25 +114,25 @@ steps:
GOOGLE_MAPS_API_KEY=$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project=$PROJECT); \
export GOOGLE_MAPS_API_KEY; \
SERVER1_PORT=$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project=$PROJECT); \
export SERVER1_PORT; \
export SERVER1_PORT
SERVER2_PORT=$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project=$PROJECT); \
export SERVER2_PORT; \
export SERVER2_PORT
SERVER3_PORT=$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project=$PROJECT); \
export SERVER3_PORT; \
export SERVER3_PORT
ENV_NAME=$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project=$PROJECT); \
export ENV_NAME; \
export ENV_NAME
CORS_ALLOWED_ORIGINS=$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project=$PROJECT); \
export CORS_ALLOWED_ORIGINS; \
export CORS_ALLOWED_ORIGINS
APTIVA_API_BASE=$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project=$PROJECT); \
export APTIVA_API_BASE; \
export APTIVA_API_BASE
TOKEN_MAX_AGE_MS=$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project=$PROJECT); \
export TOKEN_MAX_AGE_MS; \
export TOKEN_MAX_AGE_MS
COOKIE_SECURE=$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project=$PROJECT); \
export COOKIE_SECURE; \
export COOKIE_SECURE
COOKIE_SAMESITE=$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project=$PROJECT); \
export COOKIE_SAMESITE; \
export COOKIE_SAMESITE
ACCESS_COOKIE_NAME=$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project=$PROJECT); \
export ACCESS_COOKIE_NAME; \
export ACCESS_COOKIE_NAME
export FROM_SECRETS_MANAGER=true; \
\
@ -175,58 +175,7 @@ type: docker
name: prod-promotion
steps:
- name: promote-tag-and-mirror
image: google/cloud-sdk:latest
entrypoint:
- bash
- -c
- |
set -euo pipefail
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
# Dev is the single source of truth for IMG_TAG
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq
apt-get install -y -qq docker.io
gcloud auth configure-docker us-central1-docker.pkg.dev -q
for svc in server1 server2 server3 nginx; do
docker pull "$SRC/$svc:$IMG_TAG"
docker tag "$SRC/$svc:$IMG_TAG" "$DST/$svc:$IMG_TAG"
docker push "$DST/$svc:$IMG_TAG"
done
# Publish the exact tag to prod SM so deploy & scan read the same value
printf "%s" "${IMG_TAG}" | gcloud secrets versions add IMG_TAG --data-file=- --project="aptivaai-prod" >/dev/null
echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
- name: verify-sync
depends_on: [promote-tag-and-mirror]
image: google/cloud-sdk:latest
entrypoint:
- bash
- -c
- |
set -euo pipefail
[[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
prod_val="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
[[ "$IMG_TAG" == "$prod_val" ]] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$prod_val"; exit 1; }
echo "✅ Tag parity confirmed: $IMG_TAG"
# Ensure images truly exist in PROD AR
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq && apt-get install -y -qq docker.io
gcloud auth configure-docker us-central1-docker.pkg.dev -q
for svc in server1 server2 server3 nginx; do
docker pull "$DST/$svc:$IMG_TAG" >/dev/null
done
echo "✅ Prod AR has all images at :$IMG_TAG"
- name: security-scan
depends_on: [verify-sync]
image: google/cloud-sdk:latest
entrypoint:
- bash
@ -274,9 +223,8 @@ steps:
PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
# single source of truth for deploy as well
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
# Use the IMG_TAG stored in PROD (the exact one mirrored there)
IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
echo "🔑 SSH prerequisites installed"
@ -290,9 +238,6 @@ steps:
PROJECT=aptivaai-prod; \
ENV=prod; \
export IMG_TAG='"$IMG_TAG"'; \
# sanity: ensure prod SM matches the single source (dev) before pull
prod_val=$(gcloud secrets versions access latest --secret=IMG_TAG --project=$PROJECT); \
[ "$prod_val" = "$IMG_TAG" ] || { echo "❌ Prod SM IMG_TAG ($prod_val) != dev IMG_TAG ($IMG_TAG)"; exit 1; }; \
\
# Pull all runtime secrets from aptivaai-prod
JWT_SECRET=$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project=$PROJECT); export JWT_SECRET; \