- Switch Helm chart dependencies to OCI-based internal registry
(deps.global.bsf.tools/registry-1.docker.io-helmoci/bitnamicharts)
- Remove public helm repo adds (not needed for OCI)
- Add PIP_INDEX_URL to use internal PyPI proxy for all pip installs
This reduces dependencies on public internet during CI builds.
Feature branch environments will automatically stop after 1 week,
triggering the cleanup_feature job. This ensures orphaned deployments
are cleaned up even if the branch deletion doesn't trigger cleanup.
Changed 'when: always' to 'when: on_success' in integration test rules.
This ensures tests only run after successful deployments, not after
failures where they would hit stale environments.
Excludes the following queries with documented reasons:
- Shared volumes: Required for database persistence
- Passwords in config: Local dev only, prod uses K8s secrets
- Healthcheck on init container: Not applicable, exits after setup
- Apt pin version: Intentional for security updates
- Bind all ports to 127.0.0.1 (local dev only)
- Add cap_drop: ALL to drop unnecessary Linux capabilities
Remaining KICS findings are acceptable for local dev:
- Shared volumes: Expected for database persistence
- Passwords in env: Local dev only, not real secrets
- minio-init healthcheck: Init container exits after setup
Adds integration test jobs that run after deployment to verify the
deployed application is functioning correctly. Tests cover:
- Health endpoint
- Project creation
- Package creation
- Artifact upload
- Artifact download (with content verification)
- Artifact listing
Each test run creates isolated resources (using unique IDs) and
cleans up after itself. Tests run against the deployed URL for
both stage (main branch) and feature branch deployments.
- Use branch name (CI_COMMIT_REF_SLUG) instead of commit SHA for feature IDs
- Remove commented-out code and unused deploy template
- Fix deploy_stage to use kubectl config use-context
- Remove values-production.yaml and values-external.yaml
- Add deploy_feature job for ephemeral dev environments
- Use unique identifier (feat-{short_sha}) for K8s resource isolation
- Dynamic hostnames for ingress (orchard-{sha}.common.global.bsf.tools)
- Add cleanup_feature job with on_stop for automatic cleanup on merge
- Add values-dev.yaml with lighter resources for ephemeral deployments
- Refactor deploy_stage to use dynamic image tag from CI
