Fix production CI deployment and simplify tag pipeline

- Change prod namespace from orch-prod-namespace to orch-namespace - Skip all build/test/scan jobs on tag pipelines (image already built on main) - Tag pipelines now only run deploy_prod and smoke_test_prod
2026-01-23 13:25:56 -06:00
parent 133d9cbfd6
commit a01c45cb64
2 changed files with 70 additions and 4 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -36,9 +36,63 @@ stages:
  - analyze
  - deploy

+# Override Prosper template jobs to exclude tag pipelines
+# Tags only run deploy_prod and smoke_test_prod (image already built on main)
+build_image:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+test_image:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+hadolint:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
 kics:
  variables:
    KICS_CONFIG: kics.config
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+secrets:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+app_deps_scan:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+cve_scan:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+app_sbom_analysis:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+cve_sbom_analysis:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success

 # Full integration test suite template (for feature/stage deployments)
 # Runs the complete pytest integration test suite against the deployed environment
@@ -269,6 +323,10 @@ python_unit_tests:
        coverage_format: cobertura
        path: backend/coverage.xml
  coverage: '/TOTAL.*\s+(\d+%)/'
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success

 # Run frontend tests
 frontend_tests:
@@ -298,6 +356,10 @@ frontend_tests:
        coverage_format: cobertura
        path: frontend/coverage/cobertura-coverage.xml
  coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success

 # Shared deploy configuration
 .deploy_template: &deploy_template
@@ -425,12 +487,11 @@ cleanup_feature:
 # Deploy to production (version tags only)
 deploy_prod:
  stage: deploy
-  # For tag pipelines, most jobs don't run (trusting main was tested)
-  # We only need build_image to have the image available
-  needs: [build_image]
+  # For tag pipelines, no other jobs run - image was already built when commit was on main
+  needs: []
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
  variables:
-    NAMESPACE: orch-prod-namespace
+    NAMESPACE: orch-namespace
    VALUES_FILE: helm/orchard/values-prod.yaml
    BASE_URL: $PROD_URL
  before_script:
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

 ## [Unreleased]
+### Changed
+- Simplified tag pipeline to only run deploy and smoke tests (image already built on main) (#54)
+
+### Fixed
+- Fixed production CI deployment namespace to use correct `orch-namespace` (#54)

 ## [0.5.0] - 2026-01-23
 ### Added