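---
# ============================================================
# Velocity-OS — GitLab CI/CD Pipeline
# Build → Sign → Push to ECR → Notify Ingress Box
# ============================================================
#
# Flow per service (core, webos, media-engine, agents):
#   1. build:<svc>  builds and pushes the commit-SHA tag (and `latest`,
#                   but only from the default branch) and records the
#                   pushed digest in a dotenv artifact.
#   2. sign:<svc>   signs exactly that digest with cosign (keyless via the
#                   GitLab OIDC ID token) — never a tag re-resolved later.
#   3. notify       triggers the ingress-box pull over SSH with host-key
#                   verification enabled.
#
# Jobs are only created when their service directory changed; every
# cross-job dependency is therefore declared `optional` or carries the
# same `rules` as the job it depends on, so a partial change set does not
# fail pipeline creation with "needs a job that was not created".

stages:
  - lint
  - build
  - sign
  - notify

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_BUILDKIT: "1"
  AWS_REGION: "ap-south-1"
  # AWS_ACCOUNT_ID is expected from the project's CI/CD variables.
  ECR_REGISTRY: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
  IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}"

# ── Lint + Type Check ─────────────────────────────────────────
lint:webos:
  stage: lint
  image: node:20-alpine
  cache:
    key: "${CI_COMMIT_REF_SLUG}-node"
    paths:
      - webos/node_modules/
  script:
    - cd webos && npm ci && npm run type-check && npm run lint
  rules:
    - changes:
        - "webos/**/*"

lint:core:
  stage: lint
  image: python:3.11-slim
  script:
    - pip install ruff mypy -q
    - cd core && ruff check . && mypy . --ignore-missing-imports
  rules:
    - changes:
        - "core/**/*"

# ── Build + Push Images ───────────────────────────────────────
# Hidden template; concrete jobs set SERVICE and their change rules.
.build_template:
  stage: build
  image: docker:24-dind
  services:
    - docker:24-dind
  before_script:
    # docker:24-dind is Alpine-based and does not ship the AWS CLI that the
    # ECR login below needs.
    - apk add --no-cache aws-cli
    - aws ecr get-login-password --region "$AWS_REGION" | docker login --username AWS --password-stdin "$ECR_REGISTRY"
  script:
    - |
      IMAGE="${ECR_REGISTRY}/velocity-os/${SERVICE}"
      docker build \
        --cache-from "${IMAGE}:latest" \
        --build-arg BUILDKIT_INLINE_CACHE=1 \
        --label "git.sha=${CI_COMMIT_SHA}" \
        --label "git.ref=${CI_COMMIT_REF_NAME}" \
        -t "${IMAGE}:${IMAGE_TAG}" \
        "./${SERVICE}"
      docker push "${IMAGE}:${IMAGE_TAG}"
      # Only the default branch may move the mutable `latest` tag; otherwise
      # any feature branch could replace the image other pipelines use as
      # cache source and consumers may pull by tag.
      if [ "${CI_COMMIT_BRANCH:-}" = "${CI_DEFAULT_BRANCH}" ]; then
        docker tag "${IMAGE}:${IMAGE_TAG}" "${IMAGE}:latest"
        docker push "${IMAGE}:latest"
      fi
      # Hand the pushed digest to the sign stage as a dotenv artifact.
      # RepoDigests is populated by the push above and has the form
      # "<repo>@sha256:..."; keep only the "sha256:..." part.
      DIGEST="$(docker inspect --format='{{index .RepoDigests 0}}' "${IMAGE}:${IMAGE_TAG}" | cut -d@ -f2)"
      case "$DIGEST" in
        sha256:*) ;;
        *) echo "could not determine pushed digest for ${IMAGE}:${IMAGE_TAG}" >&2; exit 1 ;;
      esac
      echo "IMAGE_DIGEST=${DIGEST}" > build.env
  artifacts:
    reports:
      dotenv: build.env

build:core:
  extends: .build_template
  variables:
    SERVICE: core
  rules:
    - changes:
        - "core/**/*"

build:webos:
  extends: .build_template
  variables:
    SERVICE: webos
  rules:
    - changes:
        - "webos/**/*"

build:media-engine:
  extends: .build_template
  variables:
    SERVICE: media-engine
  rules:
    - changes:
        - "media-engine/**/*"

build:agents:
  extends: .build_template
  variables:
    SERVICE: agents
  rules:
    - changes:
        - "agents/**/*"

# ── Sign Images with cosign ───────────────────────────────────
# Signs the digest recorded by the matching build job. Nothing here needs
# docker or the AWS CLI, so the job runs in the plain cosign image.
.sign_template:
  stage: sign
  # NOTE(review): GitLab `script:` needs a shell in the job image — confirm
  # this tag provides one, or override the entrypoint as the project requires.
  image: ghcr.io/sigstore/cosign:v2.4.0
  # Keyless signing: GitLab issues an OIDC token that cosign reads from
  # SIGSTORE_ID_TOKEN. The Fulcio certificate binds the signature to this
  # project/ref, so verifiers must pin --certificate-identity and
  # --certificate-oidc-issuer rather than accept any Sigstore signature.
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - |
      # IMAGE_DIGEST arrives from the needed build job's dotenv artifact, so
      # the signature covers exactly the bytes that job pushed; resolving the
      # tag again here would leave a window in which the tag could be moved.
      if [ -z "${IMAGE_DIGEST:-}" ]; then
        echo "IMAGE_DIGEST was not exported by the build job" >&2
        exit 1
      fi
      # NOTE(review): pushing the signature needs registry credentials;
      # cosign's built-in ECR keychain reads them from the job's AWS
      # environment — confirm the runner exposes them, else add `cosign login`.
      cosign sign --yes "${ECR_REGISTRY}/velocity-os/${SERVICE}@${IMAGE_DIGEST}"

sign:core:
  extends: .sign_template
  variables:
    SERVICE: core
  needs:
    - build:core
  rules:
    - changes:
        - "core/**/*"

sign:webos:
  extends: .sign_template
  variables:
    SERVICE: webos
  needs:
    - build:webos
  rules:
    - changes:
        - "webos/**/*"

sign:media-engine:
  extends: .sign_template
  variables:
    SERVICE: media-engine
  needs:
    - build:media-engine
  rules:
    - changes:
        - "media-engine/**/*"

sign:agents:
  extends: .sign_template
  variables:
    SERVICE: agents
  needs:
    - build:agents
  rules:
    - changes:
        - "agents/**/*"

# ── Notify Ingress Box ────────────────────────────────────────
notify:ingress-box:
  stage: notify
  image: alpine:latest
  before_script:
    - apk add --no-cache openssh-client
  script:
    # Trigger the poll_and_transfer.sh on the ingress box via SSH.
    # INGRESS_BOX_IP, INGRESS_SSH_KEY_FILE (file variable) and
    # INGRESS_KNOWN_HOSTS_FILE (file variable holding the box's host key,
    # captured out-of-band, e.g. with ssh-keyscan) are set in GitLab CI/CD
    # variables. Host-key checking stays on: with it disabled, the private
    # key and the trigger command could be presented to any host answering
    # on INGRESS_BOX_IP.
    - |
      ssh -i "${INGRESS_SSH_KEY_FILE}" \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="${INGRESS_KNOWN_HOSTS_FILE}" \
        "ubuntu@${INGRESS_BOX_IP}" \
        "sudo systemctl start velocity-ingress-poll.service"
  # A sign job only exists when its service changed, so each dependency is
  # optional; a hard `needs` on a job that was not created fails the pipeline.
  needs:
    - job: sign:core
      optional: true
    - job: sign:webos
      optional: true
    - job: sign:media-engine
      optional: true
    - job: sign:agents
      optional: true
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'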