update deploy
This commit is contained in:
+84
-26
@@ -1,6 +1,4 @@
|
||||
# GitLab CI for Laravel 12
|
||||
# Save this file as: .gitlab-ci.yml
|
||||
|
||||
# GitLab CI for Laravel 12 API
|
||||
workflow:
|
||||
rules:
|
||||
- if: '$CI_PIPELINE_SOURCE == "push"'
|
||||
@@ -12,6 +10,7 @@ stages:
|
||||
- test
|
||||
- build
|
||||
- security
|
||||
- deploy
|
||||
|
||||
variables:
|
||||
APP_ENV: testing
|
||||
@@ -41,16 +40,19 @@ cache:
|
||||
before_script:
|
||||
- apt-get update
|
||||
- apt-get install -y --no-install-recommends git unzip curl libzip-dev libpng-dev libonig-dev libxml2-dev libsqlite3-dev
|
||||
- docker-php-ext-install mbstring zip gd
|
||||
- docker-php-ext-install mbstring zip gd pdo_sqlite
|
||||
- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
|
||||
- php composer-setup.php --install-dir=/usr/local/bin --filename=composer
|
||||
- rm composer-setup.php
|
||||
- composer install --prefer-dist --no-interaction --no-progress
|
||||
# Install Pint if not present
|
||||
- composer require --dev laravel/pint --ignore-platform-reqs || true
|
||||
# Generate .env with real keys
|
||||
- |
|
||||
cat > .env <<EOF
|
||||
APP_NAME=school_api
|
||||
APP_ENV=testing
|
||||
APP_KEY=
|
||||
APP_KEY=base64:$(openssl rand -base64 32)
|
||||
APP_DEBUG=false
|
||||
APP_URL=http://localhost
|
||||
|
||||
@@ -67,87 +69,106 @@ cache:
|
||||
BROADCAST_CONNECTION=log
|
||||
FILESYSTEM_DISK=local
|
||||
|
||||
JWT_SECRET=ci_dummy_secret_not_for_production
|
||||
JWT_SECRET=$(openssl rand -base64 32)
|
||||
EOF
|
||||
- mkdir -p database storage/framework/cache storage/framework/sessions storage/framework/views storage/logs bootstrap/cache reports
|
||||
- touch database/database.sqlite
|
||||
- php artisan key:generate --force
|
||||
- php artisan jwt:secret --force || true # If JWT package installed
|
||||
- php artisan config:clear
|
||||
- php artisan view:clear
|
||||
|
||||
composer_validate:
|
||||
extends: .php_laravel_job
|
||||
stage: validate
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- bash -o pipefail -c 'composer validate --strict 2>&1 | tee reports/composer-validate.log'
|
||||
- bash -o pipefail -c 'php -v 2>&1 | tee reports/php-version.log'
|
||||
- bash -o pipefail -c 'php artisan --version 2>&1 | tee reports/artisan-version.log'
|
||||
- composer validate --strict | tee reports/composer-validate.log
|
||||
- php -v | tee reports/php-version.log
|
||||
- php artisan --version | tee reports/artisan-version.log
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
paths:
|
||||
- reports/
|
||||
- storage/logs/
|
||||
reports:
|
||||
dotenv: .env
|
||||
|
||||
laravel_pint:
|
||||
extends: .php_laravel_job
|
||||
stage: validate
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- bash -o pipefail -c 'vendor/bin/pint --test 2>&1 | tee reports/pint.log'
|
||||
- vendor/bin/pint --test --format=json | tee reports/pint.json
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
paths:
|
||||
- reports/
|
||||
- storage/logs/
|
||||
allow_failure: true
|
||||
|
||||
phpunit:
|
||||
extends: .php_laravel_job
|
||||
stage: test
|
||||
parallel:
|
||||
matrix:
|
||||
- TEST_SUITE: [Unit, Feature]
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- bash -o pipefail -c 'php artisan migrate --force 2>&1 | tee reports/migrate.log'
|
||||
- bash -o pipefail -c 'php artisan test --testsuite=Feature --log-junit reports/phpunit-feature.xml 2>&1 | tee reports/phpunit-feature.log'
|
||||
- bash -o pipefail -c 'php artisan test --testsuite=Unit --log-junit reports/phpunit-unit.xml 2>&1 | tee reports/phpunit-unit.log'
|
||||
- php artisan migrate --force | tee reports/migrate.log
|
||||
- php artisan test --testsuite=$TEST_SUITE --coverage-text --log-junit reports/phpunit.xml | tee reports/phpunit.log
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
reports:
|
||||
junit:
|
||||
- reports/phpunit-feature.xml
|
||||
- reports/phpunit-unit.xml
|
||||
junit: reports/phpunit.xml
|
||||
coverage_report:
|
||||
coverage_format: cobertura
|
||||
path: reports/coverage.xml
|
||||
paths:
|
||||
- reports/
|
||||
- storage/logs/
|
||||
coverage: '/^\s*Lines:\s*\d+\.\d+%/'
|
||||
cache:
|
||||
paths:
|
||||
- vendor/
|
||||
key: ${CI_COMMIT_REF_SLUG}
|
||||
|
||||
build_frontend:
|
||||
image: node:22-alpine
|
||||
stage: build
|
||||
before_script:
|
||||
- npm ci
|
||||
- npm ci --cache .npm --prefer-offline
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- sh -c 'npm run build 2>&1 | tee reports/npm-build.log'
|
||||
- npm run build 2>&1 | tee reports/npm-build.log
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
paths:
|
||||
- public/build/
|
||||
- public/css/
|
||||
- public/js/
|
||||
- reports/
|
||||
cache:
|
||||
paths:
|
||||
- .npm/
|
||||
|
||||
composer_audit:
|
||||
extends: .php_laravel_job
|
||||
stage: security
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- bash -o pipefail -c 'composer audit --locked --no-interaction 2>&1 | tee reports/composer-audit.log'
|
||||
- composer audit --locked --no-interaction --format=json | tee reports/composer-audit.json
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
paths:
|
||||
- reports/
|
||||
- storage/logs/
|
||||
allow_failure: true
|
||||
|
||||
npm_audit:
|
||||
image: node:22-alpine
|
||||
@@ -156,7 +177,7 @@ npm_audit:
|
||||
- npm ci
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- sh -c 'npm audit --audit-level=high 2>&1 | tee reports/npm-audit.log'
|
||||
- npm audit --json --audit-level=high | tee reports/npm-audit.json || true
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
@@ -172,14 +193,20 @@ secret_detection_basic:
|
||||
script:
|
||||
- mkdir -p reports
|
||||
- |
|
||||
echo "Scanning for obvious committed secrets..." | tee reports/secret-detection-basic.log
|
||||
! grep -RInE "(APP_KEY=base64:|DB_PASSWORD=.+|JWT_SECRET=.+|MAIL_PASSWORD=.+|PAYPAL_(CLIENT|SECRET|MODE)|AKIA[0-9A-Z]{16}|-----BEGIN (RSA|OPENSSH|PRIVATE) KEY-----)" \
|
||||
echo "Scanning for committed secrets..." | tee reports/secret-detection.log
|
||||
if grep -RInE "(APP_KEY=base64:[A-Za-z0-9+/=]{44}|DB_PASSWORD=.+|JWT_SECRET=.+|MAIL_PASSWORD=.+|PAYPAL_(CLIENT|SECRET|MODE)|AKIA[0-9A-Z]{16}|-----BEGIN (RSA|OPENSSH|PRIVATE) KEY-----)" \
|
||||
--exclude-dir=.git \
|
||||
--exclude-dir=vendor \
|
||||
--exclude-dir=node_modules \
|
||||
--exclude=.env.example \
|
||||
--exclude=.env.prod.example \
|
||||
. 2>&1 | tee -a reports/secret-detection-basic.log
|
||||
--exclude=reports \
|
||||
. 2>&1 | tee -a reports/secret-detection.log; then
|
||||
echo "❌ Secrets detected! Check reports/secret-detection.log"
|
||||
exit 1
|
||||
else
|
||||
echo "✅ No secrets found"
|
||||
fi
|
||||
artifacts:
|
||||
when: always
|
||||
expire_in: 7 days
|
||||
@@ -187,9 +214,40 @@ secret_detection_basic:
|
||||
- reports/
|
||||
allow_failure: false
|
||||
|
||||
# Optional GitLab-native security scanners.
|
||||
# These run only if your GitLab tier/project supports the templates.
|
||||
# Deploy to shared hosting (optional - add if needed)
|
||||
deploy:
|
||||
stage: deploy
|
||||
image: alpine:latest
|
||||
before_script:
|
||||
- apk add --no-cache openssh-client sshpass rsync
|
||||
script:
|
||||
- echo "Deploying to production..."
|
||||
- sshpass -p "$SSH_PASSWORD" rsync -avz --delete \
|
||||
-e "ssh -p $SSH_PORT -o StrictHostKeyChecking=no" \
|
||||
--exclude='.env' \
|
||||
--exclude='storage/logs/*' \
|
||||
--exclude='.git' \
|
||||
--exclude='tests' \
|
||||
--exclude='database/sqlite' \
|
||||
./ $SSH_USER@$SSH_HOST:$SSH_TARGET_DIR/
|
||||
environment:
|
||||
name: production
|
||||
url: $PRODUCTION_URL
|
||||
only:
|
||||
- main
|
||||
- master
|
||||
when: manual
|
||||
needs:
|
||||
- phpunit
|
||||
- composer_audit
|
||||
|
||||
# Include GitLab native templates (ensure you have license)
|
||||
include:
|
||||
- template: Jobs/SAST.gitlab-ci.yml
|
||||
- template: Jobs/Secret-Detection.gitlab-ci.yml
|
||||
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
|
||||
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
|
||||
|
||||
# Optional: Run SAST only on main branch
|
||||
sast:
|
||||
rules:
|
||||
- if: '$CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "master"'
|
||||
+1
-1
@@ -19,7 +19,7 @@
|
||||
"require-dev": {
|
||||
"fakerphp/faker": "^1.23",
|
||||
"laravel/pail": "^1.2.2",
|
||||
"laravel/pint": "^1.24",
|
||||
"laravel/pint": "^1.29",
|
||||
"laravel/sail": "^1.41",
|
||||
"mockery/mockery": "^1.6",
|
||||
"nunomaduro/collision": "^8.6",
|
||||
|
||||
Generated
+11
-11
@@ -4,7 +4,7 @@
|
||||
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
|
||||
"This file is @generated automatically"
|
||||
],
|
||||
"content-hash": "3d7a72ac245744048dc5e6ac1e7e527a",
|
||||
"content-hash": "152ee31a828b6d41d8908890302ff4bd",
|
||||
"packages": [
|
||||
{
|
||||
"name": "brick/math",
|
||||
@@ -7375,16 +7375,16 @@
|
||||
},
|
||||
{
|
||||
"name": "laravel/pint",
|
||||
"version": "v1.29.0",
|
||||
"version": "v1.29.1",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/laravel/pint.git",
|
||||
"reference": "bdec963f53172c5e36330f3a400604c69bf02d39"
|
||||
"reference": "0770e9b7fafd50d4586881d456d6eb41c9247a80"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/laravel/pint/zipball/bdec963f53172c5e36330f3a400604c69bf02d39",
|
||||
"reference": "bdec963f53172c5e36330f3a400604c69bf02d39",
|
||||
"url": "https://api.github.com/repos/laravel/pint/zipball/0770e9b7fafd50d4586881d456d6eb41c9247a80",
|
||||
"reference": "0770e9b7fafd50d4586881d456d6eb41c9247a80",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
@@ -7395,14 +7395,14 @@
|
||||
"php": "^8.2.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"friendsofphp/php-cs-fixer": "^3.94.2",
|
||||
"illuminate/view": "^12.54.1",
|
||||
"larastan/larastan": "^3.9.3",
|
||||
"laravel-zero/framework": "^12.0.5",
|
||||
"friendsofphp/php-cs-fixer": "^3.95.1",
|
||||
"illuminate/view": "^12.56.0",
|
||||
"larastan/larastan": "^3.9.6",
|
||||
"laravel-zero/framework": "^12.1.0",
|
||||
"mockery/mockery": "^1.6.12",
|
||||
"nunomaduro/termwind": "^2.4.0",
|
||||
"pestphp/pest": "^3.8.6",
|
||||
"shipfastlabs/agent-detector": "^1.1.0"
|
||||
"shipfastlabs/agent-detector": "^1.1.3"
|
||||
},
|
||||
"bin": [
|
||||
"builds/pint"
|
||||
@@ -7439,7 +7439,7 @@
|
||||
"issues": "https://github.com/laravel/pint/issues",
|
||||
"source": "https://github.com/laravel/pint"
|
||||
},
|
||||
"time": "2026-03-12T15:51:39+00:00"
|
||||
"time": "2026-04-20T15:26:14+00:00"
|
||||
},
|
||||
{
|
||||
"name": "laravel/sail",
|
||||
|
||||
Reference in New Issue
Block a user