Align Woodpecker CI pipeline with team standard (cast-backend pattern):

- Replace plugins/docker with woodpeckerci/plugin-docker-buildx
- Use git.sds.dev registry; tag with short CI_COMMIT_SHA + latest
- Use team secret names: registry_user/password, deploy_ssh_key
- Add golangci-lint, semgrep, gosec, trivy-fs, trivy-secrets security gates
- Deploy on push to main (not on tag): build-and-push, then a deploy step runs
  bash /opt/cast-ghl-provider/deploy/deploy.sh on the server
- Add Telegram notification on success/failure

docker-compose.yaml: add image: git.sds.dev/cast/cast-ghl-provider:latest
(the server pulls from the registry; build: is kept for local dev only)

deploy/deploy.sh: simplified to docker compose pull + up (the build now
happens in CI, not on the server)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
steps:
# Static-analysis gate. No `when:` filter, so it runs on every event that
# triggers the pipeline.
# NOTE(review): `latest` is a mutable tag — the linter version and its rule
# set can change between two runs of the same commit. Pin to a release tag
# (or digest) so the gate is reproducible.
- name: lint
  image: golangci/golangci-lint:latest
  commands:
    - golangci-lint run ./...
# Unit tests. No `when:` filter, so it runs on every event that triggers the
# pipeline.
- name: test
  image: golang:1.22-alpine
  commands:
    - go test ./...
# SAST gate: `--error` makes any finding fail the step (and, in a sequential
# pipeline, everything after it).
# NOTE(review): `--config auto` resolves the rule set from the Semgrep
# registry at run time, so what this gate checks is not pinned to the commit;
# per Semgrep's docs auto config also implies metrics being sent to
# semgrep.dev — confirm both are acceptable, or pin explicit rulesets.
# NOTE(review): every `--exclude-rule` below disables a security-audit rule
# (Secure cookie flag, unescaped data in URLs, unescaped html/template data,
# missing SRI) repository-wide with no justification recorded. Prefer
# per-finding `// nosemgrep: <rule-id>` comments with a reason, or at least
# note here why each rule is considered a false positive for this service.
# NOTE(review): `semgrep/semgrep:latest` is a mutable tag — pin it.
- name: semgrep
  image: semgrep/semgrep:latest
  commands:
    - >
      semgrep scan --config auto --error
      --exclude-rule go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure
      --exclude-rule go.lang.security.audit.net.unescaped-data-in-url.unescaped-data-in-url
      --exclude-rule go.lang.security.audit.xss.template-html-does-not-escape.unsafe-template-type
      --exclude-rule html.security.audit.missing-integrity.missing-integrity
      .
  when:
    - event: [push, pull_request]
# Go security linter gate. gosec is installed into a fresh container on every
# run and fails the step on any non-excluded finding.
# NOTE(review): `@latest` installs whatever gosec release is current at run
# time — pin the module version for a reproducible gate.
# NOTE(review): the exclusion list switches off, among others, G101
# (hard-coded credentials), G115 (integer overflow in type conversions) and
# G203 (unescaped data in HTML templates) for the whole repository, with no
# reason recorded. trivy-secrets below only partly covers G101; G115/G203 are
# otherwise unguarded. I cannot map G120, G124 or G706 to published gosec
# rule IDs — confirm they exist in the installed version. Prefer per-line
# `#nosec Gxxx -- reason` annotations over a global exclude.
- name: gosec
  image: golang:1.22-bookworm
  commands:
    - go install github.com/securego/gosec/v2/cmd/gosec@latest
    - gosec -exclude=G120,G706,G101,G115,G203,G124 ./...
  when:
    - event: [push, pull_request]
# Vulnerability scan of the checked-out source tree (Trivy's default
# scanners; for this repo mainly the Go module dependencies). Only HIGH and
# CRITICAL findings fail the gate.
# NOTE(review): this scans the repository, not the image produced by
# build-and-push — vulnerabilities in the base image layers are never gated.
# Consider a `trivy image` step against the pushed tag after the build.
# NOTE(review): `aquasec/trivy:latest` is a mutable tag — pin it.
- name: trivy-fs
  image: aquasec/trivy:latest
  commands:
    - trivy fs --severity HIGH,CRITICAL --exit-code 1 .
  when:
    - event: [push, pull_request]
# Secret scan of the working tree; any finding fails the gate.
# NOTE(review): only the files at the checked-out commit are scanned — a
# secret that was committed and later removed is not caught here; that needs
# a history-aware scanner. Record accepted findings in a `.trivyignore`
# rather than loosening this step.
- name: trivy-secrets
  image: aquasec/trivy:latest
  commands:
    - trivy fs --scanners secret --exit-code 1 .
  when:
    - event: [push, pull_request]
# Build the image and push it to the team registry, tagged with the short
# commit SHA (immutable) and `latest` (moving). Restricted to pushes on
# main, so the registry credentials are not used in pull-request pipelines.
# By default Woodpecker runs steps in order and stops at the first failure,
# so a failing gate above prevents this push — confirm no `depends_on` /
# `failure: ignore` elsewhere changes that.
# NOTE(review): the plugin image has no tag or digest — pin it. This step
# holds the registry credentials and produces the artifact that is deployed.
- name: build-and-push
  image: woodpeckerci/plugin-docker-buildx
  settings:
    repo: git.sds.dev/cast/cast-ghl-provider
    registry: git.sds.dev
    tag:
      # Woodpecker substring expansion: first 8 characters of the commit SHA.
      - ${CI_COMMIT_SHA:0:8}
      - latest
    username:
      from_secret: registry_user
    password:
      from_secret: registry_password
  when:
    - branch: main
      event: push
# SSH to the server and run the deploy script (docker compose pull + up, per
# the commit message). Only on pushes to main, after build-and-push.
# NOTE(review): as far as I know appleboy/drone-ssh skips host-key
# verification unless `fingerprint:` (SHA256 of the server's host key) is set
# in `settings` — without it the session that carries the deploy key is open
# to MITM. Add `fingerprint:` from a secret next to host/username/key and
# confirm against the plugin's docs.
# NOTE(review): deploy.sh is called with no argument, so the server pulls
# `:latest` — whatever that tag points at when the pull happens, which is
# not necessarily the image this pipeline built and gated (two overlapping
# main pipelines can race). Passing `${CI_COMMIT_SHA:0:8}` to the script and
# deploying that immutable tag would make deploys reproducible and rollbacks
# a one-line change.
# NOTE(review): the plugin image is untagged — pin it; it receives the SSH
# private key.
- name: deploy
  image: appleboy/drone-ssh
  settings:
    host:
      from_secret: deploy_host
    username:
      from_secret: deploy_user
    key:
      from_secret: deploy_ssh_key
    script:
      - bash /opt/cast-ghl-provider/deploy/deploy.sh
  when:
    - branch: main
      event: push
# Telegram notification for every finished pipeline, success or failure.
# There is no branch/event filter, so pull-request runs notify too.
# NOTE(review): `{{commit.message}}` is interpolated raw into a Markdown
# message; backticks or `*`/`_` in a commit message can break the formatting
# or be rejected by Telegram's parser — confirm the plugin escapes it.
# NOTE(review): the plugin image is untagged — pin it; it receives the bot
# token.
- name: notify-telegram
  image: appleboy/drone-telegram
  settings:
    token:
      from_secret: telegram_bot_token
    to:
      from_secret: telegram_chat_id
    # Folded scalar: adjacent lines are joined, blank lines become newlines.
    message: >
      {{#success build.status}}✅{{else}}❌{{/success}} **{{repo.name}}**

      Branch: `{{commit.branch}}`

      Status: **{{build.status}}**

      Commit: `{{commit.message}}`

      {{build.link}}
  when:
    - status: [success, failure]