Require all gates to pass before deployment

Deploy jobs now wait for: - build_image: Container image built - kics: Infrastructure security scan - hadolint: Dockerfile linting - python_tests: Backend unit tests - frontend_tests: Frontend unit tests All gates must pass before deployment proceeds.
Make hadolint job fail on findings (remove allow_failure override)
2026-01-14 20:24:44 +00:00 · 2026-01-14 19:38:32 +00:00 · 2026-01-14 19:37:54 +00:00 · 2026-01-14 19:37:12 +00:00
4 changed files with 51 additions and 35 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -26,13 +26,9 @@ stages:
  - deploy
 kics:
  allow_failure: true
  variables:
    KICS_CONFIG: kics.config
 hadolint:
  allow_failure: true
 # Post-deployment integration tests template
 .integration_test_template: &integration_test_template
  stage: deploy  # Runs in deploy stage, but after deployment due to 'needs'
@@ -179,7 +175,7 @@ frontend_tests:
 # Shared deploy configuration
 .deploy_template: &deploy_template
  stage: deploy
-  needs: [build_image]
+  needs: [build_image, kics, hadolint, python_tests, frontend_tests]
  image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
 .helm_setup: &helm_setup
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -46,8 +46,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 1g
+    deploy:
-    cpus: 1.0
+      resources:
        limits:
          cpus: '1.0'
          memory: 1G
  postgres:
    image: postgres:16-alpine
@@ -72,8 +75,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
+    deploy:
-    cpus: 0.5
+      resources:
        limits:
          cpus: '0.5'
          memory: 512M
  minio:
    image: minio/minio:latest
@@ -98,8 +104,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
+    deploy:
-    cpus: 0.5
+      resources:
        limits:
          cpus: '0.5'
          memory: 512M
  minio-init:
    image: minio/mc:latest
@@ -119,8 +128,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 128m
+    deploy:
-    cpus: 0.25
+      resources:
        limits:
          cpus: '0.25'
          memory: 128M
  redis:
    image: redis:7-alpine
@@ -141,8 +153,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 256m
+    deploy:
-    cpus: 0.25
+      resources:
        limits:
          cpus: '0.25'
          memory: 256M
 volumes:
  postgres-data-local:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,8 +44,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 1g
+    deploy:
-    cpus: 1.0
+      resources:
        limits:
          cpus: '1.0'
          memory: 1G
  postgres:
    image: containers.global.bsf.tools/postgres:16-alpine
@@ -70,8 +73,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
+    deploy:
-    cpus: 0.5
+      resources:
        limits:
          cpus: '0.5'
          memory: 512M
  minio:
    image: containers.global.bsf.tools/minio/minio:latest
@@ -96,8 +102,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 512m
+    deploy:
-    cpus: 0.5
+      resources:
        limits:
          cpus: '0.5'
          memory: 512M
  minio-init:
    image: containers.global.bsf.tools/minio/mc:latest
@@ -117,8 +126,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 128m
+    deploy:
-    cpus: 0.25
+      resources:
        limits:
          cpus: '0.25'
          memory: 128M
  redis:
    image: containers.global.bsf.tools/redis:7-alpine
@@ -139,8 +151,11 @@ services:
      - no-new-privileges:true
    cap_drop:
      - ALL
-    mem_limit: 256m
+    deploy:
-    cpus: 0.25
+      resources:
        limits:
          cpus: '0.25'
          memory: 256M
 volumes:
  postgres-data:
--- a/kics.config
+++ b/kics.config
@@ -23,13 +23,3 @@ exclude-queries:
  # Reason: We intentionally don't pin curl version to get security updates.
  # This is documented with hadolint ignore comment in Dockerfile.
  - 965a08d7-ef86-4f14-8792-4a3b2098937e
  # Cpus Not Limited (LOW)
  # Reason: Local development docker-compose files. Resource limits are set in
  # production Kubernetes deployments via Helm values, not docker-compose.
  - 6b610c50-99fb-4ef0-a5f3-e312fd945bc3
  # Memory Not Limited (MEDIUM)
  # Reason: Local development docker-compose files. Resource limits are set in
  # production Kubernetes deployments via Helm values, not docker-compose.
  - bb9ac4f7-e13b-423d-a010-c74a1bfbe492
Author	SHA1	Message	Date
Mondo Diaz	fadffaf35b	Require all gates to pass before deployment Deploy jobs now wait for: - build_image: Container image built - kics: Infrastructure security scan - hadolint: Dockerfile linting - python_tests: Backend unit tests - frontend_tests: Frontend unit tests All gates must pass before deployment proceeds.	2026-01-14 20:24:44 +00:00
Mondo Diaz	e08c8179cc	Make hadolint job fail on findings (remove allow_failure override)	2026-01-14 19:38:32 +00:00
Mondo Diaz	b43f1fc55b	Make KICS job fail on findings (force documented exceptions)	2026-01-14 19:37:54 +00:00
Mondo Diaz	8065f881f3	Use v3 deploy.resources.limits format for docker-compose - Convert mem_limit/cpus to deploy.resources.limits.memory/cpus - Use proper v3 format that KICS recognizes - Remove KICS exceptions for CPU/Memory limits (no longer needed) - All services now have explicit resource constraints	2026-01-14 19:37:12 +00:00