Mondo Diaz
5ecbd71c18
Add KICS config to document accepted security exceptions
Excludes the following queries with documented reasons:
- Shared volumes: Required for database persistence
- Passwords in config: Local dev only, prod uses K8s secrets
- Healthcheck on init container: Not applicable, exits after setup
- Apt pin version: Intentional for security updates
2026-01-14 16:28:09 +00:00
Mondo Diaz
ed928cc275
Harden docker-compose security per KICS findings
- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities
Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: Init container exits after setup
2026-01-14 16:05:30 +00:00
Mondo Diaz
5a5d773999
Add gitleaks fingerprints for historical commits
2026-01-14 16:00:41 +00:00
Mondo Diaz
5497ea908c
Fix CI pipeline issues
- Add gitleaks:allow inline comments to prevent false positives on s3_key
- Clean up .gitleaksignore (no longer need commit-specific fingerprints)
- Simplify integration tests to read-only operations (write ops require auth)
2026-01-14 15:32:55 +00:00
Mondo Diaz
f5b35a225f
Update package-lock.json with coverage dependencies
2026-01-14 15:04:12 +00:00
Mondo Diaz
156dac8d0a
Fix npm registry URL to use correct artifactory path
2026-01-14 14:57:43 +00:00
Mondo Diaz
bdf84812d0
Revert npm registry config from Dockerfile.local (local dev uses public registry)
2026-01-13 23:17:03 +00:00
Mondo Diaz
08bc7f9618
Update npm registry URL in Dockerfiles
2026-01-13 23:16:45 +00:00
Mondo Diaz
eca4f3a350
Configure npm registry and add verbose output for debugging
2026-01-13 23:15:37 +00:00
Mondo Diaz
c816286394
Add analyze stage and workflow rules to prevent duplicate pipelines
2026-01-13 23:09:51 +00:00
Mondo Diaz
1af5190d85
Fix invalid rules syntax in test jobs
2026-01-13 23:07:50 +00:00
Mondo Diaz
424ffc058d
Add explicit rules to test jobs to ensure they always run
2026-01-13 23:06:20 +00:00
Mondo Diaz
d36476c4f6
Add stages definition including Prosper and custom stages
2026-01-13 23:05:30 +00:00
Mondo Diaz
f0b36a4d2e
Fix stages: remove explicit definition to preserve Prosper template stages
2026-01-13 23:04:26 +00:00
Mondo Diaz
8833d4bcb7
Add gitleaks ignore for new commit SHA
2026-01-13 23:03:08 +00:00
Mondo Diaz
06c9038858
Add post-deployment integration tests
Adds integration test jobs that run after deployment to verify the
deployed application is functioning correctly. Tests cover:
- Health endpoint
- Project creation
- Package creation
- Artifact upload
- Artifact download (with content verification)
- Artifact listing
Each test run creates isolated resources (using unique IDs) and
cleans up after itself. Tests run against the deployed URL for
both stage (main branch) and feature branch deployments.
2026-01-13 23:02:47 +00:00
Mondo Diaz
b90e478f4b
Run only unit tests in CI test stage
Integration tests require Docker Compose services (PostgreSQL, MinIO, Redis)
which aren't available in the CI container. Unit tests run independently.
2026-01-13 23:01:08 +00:00
Mondo Diaz
b6e5a0fa4d
Remove exists rule from frontend_tests for consistent behavior
2026-01-13 22:53:32 +00:00
Mondo Diaz
22c173ec37
Enhance test jobs with caching, coverage, and parallel execution
CI improvements:
- Add needs: [] to run tests parallel with build (faster pipeline)
- Add pip/npm caching (faster subsequent runs)
- Add 15m timeout to prevent hung jobs
- Add pytest coverage with cobertura report for GitLab
- Add pytest JUnit report for test tab in MR
- Add vitest coverage with cobertura report for GitLab
- Add coverage regex for badge display
Frontend:
- Add @vitest/coverage-v8 dependency
- Configure vitest coverage reporter (text, cobertura, html)
2026-01-13 22:50:50 +00:00
Mondo Diaz
acd31129e9
Use deps.global.bsf.tools registry for frontend_tests image
2026-01-13 22:45:12 +00:00
Mondo Diaz
b74276ba70
Fix frontend_tests to use correct container registry
2026-01-13 22:44:27 +00:00
Mondo Diaz
085ed898e2
Refactor CI pipeline with templates and add frontend tests
- Add frontend_tests job (npm run test with Vitest)
- Add verification checks to deploy_stage (health, API, frontend)
- Extract shared YAML anchors: deploy_template, helm_setup, verify_deployment
- Reduce code duplication across deploy jobs
2026-01-13 22:43:21 +00:00
Mondo Diaz
4ec91b46ed
Fix security scan issues and harden docker-compose
Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)
KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml
Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)
Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
2026-01-13 22:40:51 +00:00
Mondo Diaz
d6644e9039
Add comprehensive deployment verification
- Health endpoint polling with retry loop
- API check (GET /api/v1/projects returns 200)
- Frontend check (HTML is served)
- Clear output with section headers
2026-01-13 22:28:48 +00:00
Mondo Diaz
f1b0c93f30
Add deployment verification with health check polling
- Add --wait --timeout 5m to helm upgrade
- Add kubectl rollout status check
- Poll health endpoint for up to 5 minutes (for cert provisioning)
2026-01-13 22:28:30 +00:00
Mondo Diaz
69180dd9eb
Add PROSPER-NOTES.md to gitignore
2026-01-13 22:20:45 +00:00
Mondo Diaz
b07b6a8f8f
Add build_image dependency to deploy jobs
2026-01-13 22:14:31 +00:00
Mondo Diaz
ace643bb2e
Fix image tag format to match Prosper output (git.linux-amd64-SHA)
2026-01-13 22:06:02 +00:00
Mondo Diaz
f1aae057ed
Clean up CI pipeline and remove unused values files
- Use branch name (CI_COMMIT_REF_SLUG) instead of commit SHA for feature IDs
- Remove commented-out code and unused deploy template
- Fix deploy_stage to use kubectl config use-context
- Remove values-production.yaml and values-external.yaml
2026-01-13 21:51:50 +00:00
Mondo Diaz
66515f24d4
Add kubectl context to cleanup_feature job
2026-01-13 21:49:28 +00:00
Mondo Diaz
892f63e685
Fix helm path by returning to project root before deploy
2026-01-13 21:37:37 +00:00
Mondo Diaz
cd7c930176
Use kubectl config use-context for agent authentication
2026-01-13 21:28:10 +00:00
Mondo Diaz
0bbfe38293
Test: hardcode agent path to rule out variable interpolation
2026-01-13 21:12:08 +00:00
Mondo Diaz
86567b4ae1
Add GitLab Agent configs with CI/CD access for deployments
2026-01-13 20:08:29 +00:00
Mondo Diaz
d3a47f6167
Fix GitLab Agent paths to use full project:agent format
2026-01-13 19:32:09 +00:00
Armando Diaz
089d4a50df
update jobs to use correct image and agents.
2026-01-13 12:05:16 -06:00
Mondo Diaz
f6b79a7af0
Add feature branch deployment pipeline
- Add deploy_feature job for ephemeral dev environments
- Use unique identifier (feat-{short_sha}) for K8s resource isolation
- Dynamic hostnames for ingress (orchard-{sha}.common.global.bsf.tools)
- Add cleanup_feature job with on_stop for automatic cleanup on merge
- Add values-dev.yaml with lighter resources for ephemeral deployments
- Refactor deploy_stage to use dynamic image tag from CI
2026-01-13 16:45:48 +00:00
Dane Moss
deda96795b
comment out rule block for now
2026-01-13 16:43:49 +00:00
Dane Moss
f555dd6bde
try another rule
2026-01-13 16:43:49 +00:00
Dane Moss
36b79485ba
update job name
2026-01-13 16:43:49 +00:00
Dane Moss
b58deb4a60
Update .gitlab-ci.yml file
2026-01-13 16:43:49 +00:00
Dane Moss
d3bacfe6b6
Update 2 files
- /helm/orchard/values-stage.yaml
- /.gitlab-ci.yml
2026-01-13 16:43:49 +00:00
Dane Moss
0cc4f25362
Merge branch 'update_changelog' into 'main'
add changelog entry
See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!25
2026-01-12 10:11:50 -07:00
Dane Moss
5c9da9003b
add changelog entry
2026-01-12 10:11:50 -07:00
Dane Moss
90bb2a3a39
Merge branch 'feature/auth-system' into 'main'
Implement authentication system with access control UI
Closes #50 and #18
See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!24
2026-01-12 09:52:35 -07:00
Mondo Diaz
617bcbe89c
Implement authentication system with access control UI
2026-01-12 09:52:35 -07:00
Mondo Diaz
1cbd335443
Merge branch 'feature/drag-drop-upload' into 'main'
Add drag-and-drop upload component with chunked uploads and offline support
See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!23
2026-01-08 11:59:33 -06:00
Mondo Diaz
10d3694794
Add drag-and-drop upload component with chunked uploads and offline support
2026-01-08 11:59:32 -06:00
Mondo Diaz
bccbc71c13
Merge branch 'feature/download-verification' into 'main'
Add download verification with SHA256 checksum support (#26, #27, #28, #29)
See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!22
2026-01-07 13:36:46 -06:00
Mondo Diaz
35fda65d38
Add download verification with SHA256 checksum support (#26, #27, #28, #29)
2026-01-07 13:36:46 -06:00