
# ============================================================
# Velocity-OS — GitLab CI/CD Pipeline
# Build → Sign → Push to ECR → Notify Ingress Box
# ============================================================
# Pipeline stages, in execution order: lint → build → sign → notify.
stages:
  - lint
  - build
  - sign
  - notify

# Pipeline-wide variables.
# AWS_ACCOUNT_ID (and the AWS credentials used by `aws ecr get-login-password`)
# are not defined in this file; they are expected from GitLab CI/CD project
# variables.
variables:
  DOCKER_DRIVER: overlay2
  DOCKER_BUILDKIT: "1"
  AWS_REGION: "ap-south-1"
  ECR_REGISTRY: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
  # Image tag is the short commit SHA.
  IMAGE_TAG: "${CI_COMMIT_SHORT_SHA}"

# ── Lint + Type Check ─────────────────────────────────────────
# Type-check and lint the web OS. Included in the pipeline only when a file
# under webos/ changed (rules:changes).
lint:webos:
  stage: lint
  image: node:20-alpine
  cache:
    key: "${CI_COMMIT_REF_SLUG}-node"
    paths:
      - webos/node_modules/
  script:
    - cd webos && npm ci && npm run type-check && npm run lint
  rules:
    - changes:
        - webos/**/*

# Lint and type-check the Python core. Included in the pipeline only when a
# file under core/ changed (rules:changes).
lint:core:
  stage: lint
  image: python:3.11-slim
  script:
    # NOTE(review): ruff and mypy are installed unpinned, so lint results
    # can drift between runs; pin their versions for reproducibility.
    - pip install ruff mypy -q
    - cd core && ruff check . && mypy . --ignore-missing-imports
  rules:
    - changes:
        - core/**/*

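# ── Build + Push Images ───────────────────────────────────────
# Shared job body for the build:* jobs (merged via <<: *build_template).
# Each job sets SERVICE; the build context is ./${SERVICE} and the image is
# pushed as :${IMAGE_TAG} and :latest. After the push, the registry digest
# is written to build.env (dotenv artifact) as IMAGE_DIGEST. The matching
# sign:* job consumes it through `needs`, so the signature is bound to the
# exact bytes that were pushed rather than to a tag that could be moved
# between the build and sign stages.
.build_template: &build_template
  stage: build
  image: docker:24-dind
  services:
    - docker:24-dind
  before_script:
    # The docker images are Alpine-based and do not ship the AWS CLI;
    # install it so `aws ecr get-login-password` can run.
    - apk add --no-cache aws-cli
    - >-
      aws ecr get-login-password --region "$AWS_REGION"
      | docker login --username AWS --password-stdin "$ECR_REGISTRY"
  script:
    - |
      set -eu
      REPO="${ECR_REGISTRY}/velocity-os/${SERVICE}"
      docker build \
        --cache-from "${REPO}:latest" \
        --build-arg BUILDKIT_INLINE_CACHE=1 \
        --label "git.sha=${CI_COMMIT_SHA}" \
        --label "git.ref=${CI_COMMIT_REF_NAME}" \
        -t "${REPO}:${IMAGE_TAG}" \
        -t "${REPO}:latest" \
        "./${SERVICE}"
      docker push "${REPO}:${IMAGE_TAG}"
      docker push "${REPO}:latest"
      # RepoDigests is populated only after a push; both tags refer to the
      # same manifest in the same repository, so entry 0 is the pushed digest.
      IMAGE_DIGEST="$(docker inspect --format '{{index .RepoDigests 0}}' "${REPO}:${IMAGE_TAG}" | cut -d@ -f2)"
      echo "IMAGE_DIGEST=${IMAGE_DIGEST}" > build.env
      echo "pushed ${REPO}:${IMAGE_TAG} @ ${IMAGE_DIGEST}"
  artifacts:
    reports:
      dotenv: build.env

build:core:
  <<: *build_template
  variables:
    SERVICE: core
  rules:
    - changes:
        - core/**/*

build:webos:
  <<: *build_template
  variables:
    SERVICE: webos
  rules:
    - changes:
        - webos/**/*

build:media-engine:
  <<: *build_template
  variables:
    SERVICE: media-engine
  rules:
    - changes:
        - media-engine/**/*

build:agents:
  <<: *build_template
  variables:
    SERVICE: agents
  rules:
    - changes:
        - agents/**/*

# ── Sign Images with cosign ───────────────────────────────────
# Shared job body for the sign:* jobs. Signs the digest exported by the
# build job listed in `needs` (IMAGE_DIGEST from build.env) — never the
# mutable tag. With no --key, `cosign sign` uses the keyless (Sigstore
# OIDC) flow and takes the GitLab-issued token from SIGSTORE_ID_TOKEN,
# provided by `id_tokens` below.
# NOTE(review): cosign must also be able to push the signature to ECR.
# cosign 2.x can pick up AWS credentials from the environment through its
# ECR credential helper — confirm the AWS variables are in scope for this
# job, or add an explicit `cosign login` to ECR in before_script.
.sign_template: &sign_template
  stage: sign
  image:
    name: ghcr.io/sigstore/cosign:v2.4.0
    # The image's entrypoint is the cosign binary; clear it so the runner
    # can launch the job shell. NOTE(review): sigstore's release images are
    # built on a static base and may not include a shell at all — if the
    # job cannot start, switch to an Alpine image with cosign installed
    # (the approach in GitLab's signing docs) and keep the version pinned.
    entrypoint: [""]
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - |
      set -eu
      : "${IMAGE_DIGEST:?IMAGE_DIGEST not set - the build job did not export build.env}"
      case "${IMAGE_DIGEST}" in
        sha256:*) ;;
        *) echo "unexpected digest format: ${IMAGE_DIGEST}" >&2; exit 1 ;;
      esac
      cosign sign --yes "${ECR_REGISTRY}/velocity-os/${SERVICE}@${IMAGE_DIGEST}"

# Each sign job uses the same rules:changes as its build job so that `needs`
# never points at a job that rules excluded from the pipeline (GitLab
# refuses to create a pipeline with a non-optional need that is missing).
sign:core:
  <<: *sign_template
  variables:
    SERVICE: core
  needs:
    - job: build:core
      artifacts: true
  rules:
    - changes:
        - core/**/*

sign:webos:
  <<: *sign_template
  variables:
    SERVICE: webos
  needs:
    - job: build:webos
      artifacts: true
  rules:
    - changes:
        - webos/**/*

sign:media-engine:
  <<: *sign_template
  variables:
    SERVICE: media-engine
  needs:
    - job: build:media-engine
      artifacts: true
  rules:
    - changes:
        - media-engine/**/*

sign:agents:
  <<: *sign_template
  variables:
    SERVICE: agents
  needs:
    - job: build:agents
      artifacts: true
  rules:
    - changes:
        - agents/**/*
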
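# ── Notify Ingress Box ────────────────────────────────────────
# Triggers poll_and_transfer.sh on the ingress box (via the
# velocity-ingress-poll systemd unit) once the sign jobs present in this
# pipeline have finished. Runs on main only.
# CI/CD variables this job expects (set in GitLab, not in this file):
#   INGRESS_BOX_IP            address of the ingress box
#   INGRESS_SSH_KEY_FILE      file-type variable: private key for ubuntu@box
#   INGRESS_KNOWN_HOSTS_FILE  file-type variable (new): known_hosts line(s)
#                             for INGRESS_BOX_IP, captured from the box
#                             out-of-band. Replaces StrictHostKeyChecking=no,
#                             which accepted any host key and so could not
#                             detect a redirected or impersonated connection.
notify:ingress-box:
  stage: notify
  image: alpine:latest
  before_script:
    # Only the ssh client is used by the script below.
    - apk add --no-cache openssh-client
  script:
    - |
      set -eu
      # ssh refuses private keys that are group/world readable.
      chmod 600 "${INGRESS_SSH_KEY_FILE}"
      ssh -i "${INGRESS_SSH_KEY_FILE}" \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="${INGRESS_KNOWN_HOSTS_FILE}" \
        -o BatchMode=yes \
        "ubuntu@${INGRESS_BOX_IP}" \
        "sudo systemctl start velocity-ingress-poll.service"
  # optional: a sign job that was excluded by its rules (no changes in that
  # service) must not prevent the pipeline from being created.
  needs:
    - job: sign:core
      optional: true
    - job: sign:webos
      optional: true
    - job: sign:media-engine
      optional: true
    - job: sign:agents
      optional: true
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'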