update deploy

This commit is contained in:
root
2026-06-12 01:40:40 -04:00
parent 47e366ea2e
commit d5903fb8d2
5 changed files with 96 additions and 38 deletions
+84 -26
View File
@@ -1,6 +1,4 @@
# GitLab CI for Laravel 12
# Save this file as: .gitlab-ci.yml
# GitLab CI for Laravel 12 API
workflow:
rules:
- if: '$CI_PIPELINE_SOURCE == "push"'
@@ -12,6 +10,7 @@ stages:
- test
- build
- security
- deploy
variables:
APP_ENV: testing
@@ -41,16 +40,19 @@ cache:
before_script:
- apt-get update
- apt-get install -y --no-install-recommends git unzip curl libzip-dev libpng-dev libonig-dev libxml2-dev libsqlite3-dev
- docker-php-ext-install mbstring zip gd
- docker-php-ext-install mbstring zip gd pdo_sqlite
- php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
- php composer-setup.php --install-dir=/usr/local/bin --filename=composer
- rm composer-setup.php
- composer install --prefer-dist --no-interaction --no-progress
# Install Pint if not present
- composer require --dev laravel/pint --ignore-platform-reqs || true
# Generate .env with real keys
- |
cat > .env <<EOF
APP_NAME=school_api
APP_ENV=testing
APP_KEY=
APP_KEY=base64:$(openssl rand -base64 32)
APP_DEBUG=false
APP_URL=http://localhost
@@ -67,87 +69,106 @@ cache:
BROADCAST_CONNECTION=log
FILESYSTEM_DISK=local
JWT_SECRET=ci_dummy_secret_not_for_production
JWT_SECRET=$(openssl rand -base64 32)
EOF
- mkdir -p database storage/framework/cache storage/framework/sessions storage/framework/views storage/logs bootstrap/cache reports
- touch database/database.sqlite
- php artisan key:generate --force
- php artisan jwt:secret --force || true # If JWT package installed
- php artisan config:clear
- php artisan view:clear
composer_validate:
extends: .php_laravel_job
stage: validate
script:
- mkdir -p reports
- bash -o pipefail -c 'composer validate --strict 2>&1 | tee reports/composer-validate.log'
- bash -o pipefail -c 'php -v 2>&1 | tee reports/php-version.log'
- bash -o pipefail -c 'php artisan --version 2>&1 | tee reports/artisan-version.log'
- composer validate --strict | tee reports/composer-validate.log
- php -v | tee reports/php-version.log
- php artisan --version | tee reports/artisan-version.log
artifacts:
when: always
expire_in: 7 days
paths:
- reports/
- storage/logs/
reports:
dotenv: .env
laravel_pint:
extends: .php_laravel_job
stage: validate
script:
- mkdir -p reports
- bash -o pipefail -c 'vendor/bin/pint --test 2>&1 | tee reports/pint.log'
- vendor/bin/pint --test --format=json | tee reports/pint.json
artifacts:
when: always
expire_in: 7 days
paths:
- reports/
- storage/logs/
allow_failure: true
phpunit:
extends: .php_laravel_job
stage: test
parallel:
matrix:
- TEST_SUITE: [Unit, Feature]
script:
- mkdir -p reports
- bash -o pipefail -c 'php artisan migrate --force 2>&1 | tee reports/migrate.log'
- bash -o pipefail -c 'php artisan test --testsuite=Feature --log-junit reports/phpunit-feature.xml 2>&1 | tee reports/phpunit-feature.log'
- bash -o pipefail -c 'php artisan test --testsuite=Unit --log-junit reports/phpunit-unit.xml 2>&1 | tee reports/phpunit-unit.log'
- php artisan migrate --force | tee reports/migrate.log
- php artisan test --testsuite=$TEST_SUITE --coverage-text --log-junit reports/phpunit.xml | tee reports/phpunit.log
artifacts:
when: always
expire_in: 7 days
reports:
junit:
- reports/phpunit-feature.xml
- reports/phpunit-unit.xml
junit: reports/phpunit.xml
coverage_report:
coverage_format: cobertura
path: reports/coverage.xml
paths:
- reports/
- storage/logs/
coverage: '/^\s*Lines:\s*\d+\.\d+%/'
cache:
paths:
- vendor/
key: ${CI_COMMIT_REF_SLUG}
build_frontend:
image: node:22-alpine
stage: build
before_script:
- npm ci
- npm ci --cache .npm --prefer-offline
script:
- mkdir -p reports
- sh -c 'npm run build 2>&1 | tee reports/npm-build.log'
- npm run build 2>&1 | tee reports/npm-build.log
artifacts:
when: always
expire_in: 7 days
paths:
- public/build/
- public/css/
- public/js/
- reports/
cache:
paths:
- .npm/
composer_audit:
extends: .php_laravel_job
stage: security
script:
- mkdir -p reports
- bash -o pipefail -c 'composer audit --locked --no-interaction 2>&1 | tee reports/composer-audit.log'
- composer audit --locked --no-interaction --format=json | tee reports/composer-audit.json
artifacts:
when: always
expire_in: 7 days
paths:
- reports/
- storage/logs/
allow_failure: true
npm_audit:
image: node:22-alpine
@@ -156,7 +177,7 @@ npm_audit:
- npm ci
script:
- mkdir -p reports
- sh -c 'npm audit --audit-level=high 2>&1 | tee reports/npm-audit.log'
- npm audit --json --audit-level=high | tee reports/npm-audit.json || true
artifacts:
when: always
expire_in: 7 days
@@ -172,14 +193,20 @@ secret_detection_basic:
script:
- mkdir -p reports
- |
echo "Scanning for obvious committed secrets..." | tee reports/secret-detection-basic.log
! grep -RInE "(APP_KEY=base64:|DB_PASSWORD=.+|JWT_SECRET=.+|MAIL_PASSWORD=.+|PAYPAL_(CLIENT|SECRET|MODE)|AKIA[0-9A-Z]{16}|-----BEGIN (RSA|OPENSSH|PRIVATE) KEY-----)" \
echo "Scanning for committed secrets..." | tee reports/secret-detection.log
if grep -RInE "(APP_KEY=base64:[A-Za-z0-9+/=]{44}|DB_PASSWORD=.+|JWT_SECRET=.+|MAIL_PASSWORD=.+|PAYPAL_(CLIENT|SECRET|MODE)|AKIA[0-9A-Z]{16}|-----BEGIN (RSA|OPENSSH|PRIVATE) KEY-----)" \
--exclude-dir=.git \
--exclude-dir=vendor \
--exclude-dir=node_modules \
--exclude=.env.example \
--exclude=.env.prod.example \
. 2>&1 | tee -a reports/secret-detection-basic.log
--exclude=reports \
. 2>&1 | tee -a reports/secret-detection.log; then
echo "❌ Secrets detected! Check reports/secret-detection.log"
exit 1
else
echo "✅ No secrets found"
fi
artifacts:
when: always
expire_in: 7 days
@@ -187,9 +214,40 @@ secret_detection_basic:
- reports/
allow_failure: false
# Optional GitLab-native security scanners.
# These run only if your GitLab tier/project supports the templates.
# Deploy to shared hosting (optional - add if needed)
deploy:
stage: deploy
image: alpine:latest
before_script:
- apk add --no-cache openssh-client sshpass rsync
script:
- echo "Deploying to production..."
- sshpass -p "$SSH_PASSWORD" rsync -avz --delete \
-e "ssh -p $SSH_PORT -o StrictHostKeyChecking=no" \
--exclude='.env' \
--exclude='storage/logs/*' \
--exclude='.git' \
--exclude='tests' \
--exclude='database/sqlite' \
./ $SSH_USER@$SSH_HOST:$SSH_TARGET_DIR/
environment:
name: production
url: $PRODUCTION_URL
only:
- main
- master
when: manual
needs:
- phpunit
- composer_audit
# Include GitLab native templates (ensure you have license)
include:
- template: Jobs/SAST.gitlab-ci.yml
- template: Jobs/Secret-Detection.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
- template: Jobs/Dependency-Scanning.gitlab-ci.yml
# Optional: Run SAST only on main branch
sast:
rules:
- if: '$CI_COMMIT_BRANCH == "main" || $CI_COMMIT_BRANCH == "master"'