Fix deploy job dependencies and add production deployment (#63)

.gitlab-ci.yml

@@ -124,8 +124,8 @@ python_tests:
       - .pip-cache/
     policy: pull-push
   before_script:
-    - pip install -r backend/requirements.txt
-    - pip install pytest pytest-asyncio pytest-cov httpx
+    - pip install --index-url "$PIP_INDEX_URL" -r backend/requirements.txt
+    - pip install --index-url "$PIP_INDEX_URL" pytest pytest-asyncio pytest-cov httpx
   script:
     - cd backend
     # Only run unit tests - integration tests require Docker Compose services
@@ -175,7 +175,7 @@ frontend_tests:
 # Shared deploy configuration
 .deploy_template: &deploy_template
   stage: deploy
-  needs: [build_image, kics, hadolint, python_tests, frontend_tests, secrets]
+  needs: [build_image, test_image, kics, hadolint, python_tests, frontend_tests, secrets, app_deps_scan, cve_scan, cve_sbom_analysis, app_sbom_analysis]
   image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
 
 .helm_setup: &helm_setup
@@ -246,8 +246,8 @@ deploy_stage:
         --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
         --wait \
         --atomic \
-        --timeout 5m
-    - kubectl rollout status deployment/orchard-stage-server -n $NAMESPACE --timeout=5m
+        --timeout 10m
+    - kubectl rollout status deployment/orchard-stage-server -n $NAMESPACE --timeout=10m
     - *verify_deployment
   environment:
     name: stage
@@ -256,7 +256,7 @@ deploy_stage:
       agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-stage
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
-      when: always
+      when: on_success
 
 # Deploy feature branch to dev namespace
 deploy_feature:
@@ -282,8 +282,8 @@ deploy_feature:
         --set minioIngress.tls.secretName=minio-$CI_COMMIT_REF_SLUG-tls \
         --wait \
         --atomic \
-        --timeout 5m
-    - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG-server -n $NAMESPACE --timeout=5m
+        --timeout 10m
+    - kubectl rollout status deployment/orchard-$CI_COMMIT_REF_SLUG-server -n $NAMESPACE --timeout=10m
     - export BASE_URL="https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools"
     - *verify_deployment
   environment:
@@ -295,7 +295,7 @@ deploy_feature:
       agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard
   rules:
     - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
-      when: always
+      when: on_success
 
 # Cleanup feature branch deployment
 cleanup_feature:
@@ -318,3 +318,51 @@ cleanup_feature:
     - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
       when: manual
   allow_failure: true
+
+# Deploy to production (version tags only, manual approval required)
+deploy_prod:
+  stage: deploy
+  # For tag pipelines, most jobs don't run (trusting main was tested)
+  # We only need build_image to have the image available
+  needs: [build_image]
+  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
+  variables:
+    NAMESPACE: orch-prod-namespace
+    VALUES_FILE: helm/orchard/values-prod.yaml
+    BASE_URL: https://orchard.common.global.bsf.tools
+  before_script:
+    - kubectl config use-context esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-prod
+    - *helm_setup
+  script:
+    - echo "Deploying to PRODUCTION - version $CI_COMMIT_TAG"
+    - cd $CI_PROJECT_DIR
+    - |
+      helm upgrade --install orchard-prod ./helm/orchard \
+        --namespace $NAMESPACE \
+        -f $VALUES_FILE \
+        --set image.tag=git.linux-amd64-$CI_COMMIT_SHA \
+        --wait \
+        --atomic \
+        --timeout 10m
+    - kubectl rollout status deployment/orchard-prod-server -n $NAMESPACE --timeout=10m
+    - *verify_deployment
+  environment:
+    name: production
+    url: https://orchard.common.global.bsf.tools
+    kubernetes:
+      agent: esv/bsf/bsf-integration/orchard/orchard-mvp:orchard-prod
+  rules:
+    # Only run on semantic version tags (v1.0.0, v1.2.3, etc.)
+    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
+      when: manual  # Require manual approval for prod
+  allow_failure: false
+
+# Integration tests for production deployment
+integration_test_prod:
+  <<: *integration_test_template
+  needs: [deploy_prod]
+  variables:
+    BASE_URL: https://orchard.common.global.bsf.tools
+  rules:
+    - if: '$CI_COMMIT_TAG =~ /^v\d+\.\d+\.\d+$/'
+      when: on_success