# Peikarband Platform - Woodpecker CI/CD Pipeline # Complete production-ready pipeline with Harbor registry integration variables: - &harbor_registry 'harbor.peikarband.ir' - &image_name 'peikarband/landing' - &python_version '3.11' # Global configuration when: - evaluate: 'CI_PIPELINE_EVENT != "cron"' # ============================================ # STAGE 1: Code Quality & Linting # ============================================ steps: lint-python: image: python:${python_version}-slim environment: - PYTHONPATH=/woodpecker/src/workspace commands: - pip install --no-cache-dir flake8 black isort mypy - echo "๐Ÿ” Running flake8..." - flake8 src/ --max-line-length=120 --exclude=__pycache__,migrations --statistics - echo "โœ… Flake8 passed" - echo "๐Ÿ” Running black check..." - black --check src/ --line-length=120 - echo "โœ… Black check passed" - echo "๐Ÿ” Running isort check..." - isort --check-only src/ - echo "โœ… Isort check passed" when: branch: include: - main - develop - staging - feature/* - hotfix/* lint-yaml: image: cytopia/yamllint:latest commands: - echo "๐Ÿ” Validating YAML files..." - yamllint -c .yamllint.yml helm/ || true - yamllint woodpecker.yml - echo "โœ… YAML validation completed" when: branch: include: - main - develop - staging # # ============================================ # # STAGE 2: Unit Tests & Coverage # # ============================================ # test-unit: # image: python:${python_version}-slim # environment: # - PYTHONPATH=/woodpecker/src/workspace # - ENVIRONMENT=test # - DATABASE_URL=postgresql://test:test@postgres:5432/test_db # - REDIS_URL=redis://redis:6379/0 # commands: # - apt-get update && apt-get install -y --no-install-recommends postgresql-client # - pip install --no-cache-dir -r requirements.txt -r requirements-dev.txt # - echo "๐Ÿงช Running unit tests..." # - pytest tests/unit/ -v --cov=src --cov-report=term --cov-report=xml --cov-report=html # - echo "โœ… Unit tests passed" # - echo "๐Ÿ“Š Coverage report generated" # when: # branch: # include: # - main # - develop # - staging # - feature/* # test-integration: # image: python:${python_version}-slim # environment: # - PYTHONPATH=/woodpecker/src/workspace # - ENVIRONMENT=test # - DATABASE_URL=postgresql://test:test@postgres:5432/test_db # - REDIS_URL=redis://redis:6379/0 # commands: # - apt-get update && apt-get install -y --no-install-recommends postgresql-client # - pip install --no-cache-dir -r requirements.txt -r requirements-dev.txt # - echo "๐Ÿงช Running integration tests..." # - pytest tests/integration/ -v --maxfail=3 # - echo "โœ… Integration tests passed" # when: # branch: # include: # - main # - develop # - staging # # ============================================ # # STAGE 3: Security Scanning # # ============================================ # security-python-deps: # image: python:${python_version}-slim # commands: # - pip install --no-cache-dir safety bandit # - echo "๐Ÿ”’ Checking Python dependencies for vulnerabilities..." # - safety check --json || true # - echo "๐Ÿ”’ Running Bandit security linter..." # - bandit -r src/ -f json -o bandit-report.json || true # - echo "โœ… Security scan completed" # when: # branch: # include: # - main # - develop # - staging # security-secrets: # image: trufflesecurity/trufflehog:latest # commands: # - echo "๐Ÿ” Scanning for secrets and credentials..." # - trufflehog filesystem . --json --no-update || true # - echo "โœ… Secret scan completed" # when: # branch: # include: # - main # - develop # - staging # ============================================ # STAGE 4: Docker Build # ============================================ docker-build: image: plugins/docker settings: registry: *harbor_registry repo: ${harbor_registry}/${image_name} tags: - ${CI_COMMIT_SHA:0:8} - ${CI_COMMIT_BRANCH} - latest username: from_secret: harbor_username password: from_secret: harbor_password build_args: - ENVIRONMENT=production - VERSION=${CI_COMMIT_SHA:0:8} cache_from: - ${harbor_registry}/${image_name}:latest dockerfile: Dockerfile dry_run: false when: branch: include: - main - develop - staging event: - push - tag # # ============================================ # # STAGE 5: Container Security Scan # # ============================================ # security-trivy: # image: aquasec/trivy:latest # commands: # - echo "๐Ÿ”’ Scanning Docker image for vulnerabilities..." # - trivy image # --severity HIGH,CRITICAL # --exit-code 0 # --format json # --output trivy-report.json # ${harbor_registry}/${image_name}:${CI_COMMIT_SHA:0:8} # - echo "โœ… Trivy scan completed" # - trivy image # --severity HIGH,CRITICAL # --format table # ${harbor_registry}/${image_name}:${CI_COMMIT_SHA:0:8} # when: # branch: # include: # - main # - develop # - staging # event: # - push # ============================================ # STAGE 6: Helm Validation # ============================================ helm-lint: image: alpine/helm:latest commands: - echo "๐Ÿ“ฆ Linting Helm chart..." - helm lint helm/peikarband --strict - echo "โœ… Helm lint passed" - echo "๐Ÿ“ฆ Validating Helm template..." - helm template peikarband helm/peikarband --set image.repository=${harbor_registry}/${image_name} --set image.tag=${CI_COMMIT_SHA:0:8} --debug > /dev/null - echo "โœ… Helm template validation passed" when: branch: include: - main - develop - staging # ============================================ # STAGE 7: Database Migration Check # ============================================ migration-check: image: python:${python_version}-slim environment: - PYTHONPATH=/woodpecker/src/workspace commands: - pip install --no-cache-dir alembic sqlalchemy psycopg2-binary - echo "๐Ÿ—„๏ธ Checking database migrations..." - alembic check || echo "โš ๏ธ Migration check completed with warnings" - alembic history - echo "โœ… Migration check completed" when: branch: include: - main - develop - staging # ============================================ # STAGE 8: Deploy to Staging # ============================================ deploy-staging: image: argoproj/argocd:latest environment: ARGOCD_SERVER: from_secret: argocd_server ARGOCD_AUTH_TOKEN: from_secret: argocd_token commands: - echo "๐Ÿš€ Deploying to Staging via ArgoCD..." - argocd app set peikarband-staging --helm-set image.tag=${CI_COMMIT_SHA:0:8} - argocd app sync peikarband-staging --prune - argocd app wait peikarband-staging --timeout 600 - echo "โœ… Staging deployment completed" when: branch: - develop - staging event: - push # ============================================ # STAGE 9: Deploy to Production # ============================================ deploy-production: image: argoproj/argocd:latest environment: ARGOCD_SERVER: from_secret: argocd_server ARGOCD_AUTH_TOKEN: from_secret: argocd_token commands: - echo "๐Ÿš€ Deploying to Production via ArgoCD..." - argocd app set peikarband --helm-set image.tag=${CI_COMMIT_SHA:0:8} - argocd app sync peikarband --prune - argocd app wait peikarband --timeout 600 - echo "โœ… Production deployment completed" - echo "๐ŸŽ‰ Version ${CI_COMMIT_SHA:0:8} is now live!" when: branch: - main event: - push - tag # ============================================ # STAGE 10: Post-Deployment Verification # ============================================ verify-deployment: image: curlimages/curl:latest commands: - echo "๐Ÿ” Verifying deployment..." - sleep 30 - | if [ "${CI_COMMIT_BRANCH}" = "main" ]; then ENDPOINT="https://peikarband.ir/ping" else ENDPOINT="https://staging.peikarband.ir/ping" fi - echo "Testing endpoint: $ENDPOINT" - curl -f -s -o /dev/null -w "HTTP Status: %{http_code}\n" $ENDPOINT || echo "โš ๏ธ Health check warning" - echo "โœ… Deployment verification completed" when: branch: include: - main - develop - staging event: - push # ============================================ # STAGE 11: Notifications # ============================================ notify-telegram: image: appleboy/drone-telegram:latest settings: token: from_secret: telegram_bot_token to: from_secret: telegram_chat_id format: markdown message: > {{#success build.status}} โœ… **Build Success** {{else}} โŒ **Build Failed** {{/success}} **Project:** Peikarband Landing **Branch:** ${CI_COMMIT_BRANCH} **Commit:** `${CI_COMMIT_SHA:0:8}` **Author:** ${CI_COMMIT_AUTHOR} **Message:** ${CI_COMMIT_MESSAGE} **Build:** [#${CI_BUILD_NUMBER}](${CI_BUILD_LINK}) **Duration:** ${CI_BUILD_FINISHED} when: status: - success - failure branch: - main - develop - staging notify-slack: image: plugins/slack:latest settings: webhook: from_secret: slack_webhook channel: deployments username: Woodpecker CI template: > {{#success build.status}} :white_check_mark: Build #{{build.number}} succeeded {{else}} :x: Build #{{build.number}} failed {{/success}} *Repository:* {{repo.name}} *Branch:* {{build.branch}} *Commit:* {{build.commit}} *Author:* {{build.author}} *Message:* {{build.message}} *Link:* {{build.link}} when: status: - success - failure branch: - main # ============================================ # Services (for testing) # ============================================ services: postgres: image: postgres:14-alpine environment: POSTGRES_USER: test POSTGRES_PASSWORD: test POSTGRES_DB: test_db when: branch: include: - main - develop - staging - feature/* redis: image: redis:7-alpine when: branch: include: - main - develop - staging - feature/* # ============================================ # Matrix Build (Optional - Multi-arch support) # ============================================ matrix: include: - PLATFORM: linux/amd64 ENVIRONMENT: production - PLATFORM: linux/arm64 ENVIRONMENT: production # ============================================ # Pipeline Configuration # ============================================ labels: platform: linux/amd64 backend: docker depends_on: [] skip_clone: false # Workspace configuration workspace: base: /woodpecker/src path: workspace # Clone settings clone: git: image: woodpeckerci/plugin-git:latest settings: depth: 50 lfs: false recursive: true tags: true