Merge branch 'fix/reset-stage-before-tests' into 'main'

Add pre-test stage reset to ensure known environment state

See merge request esv/bsf/bsf-integration/orchard/orchard-mvp!44

.gitlab-ci.yml

@@ -36,9 +36,68 @@ stages:
   - analyze
   - deploy
 
+# Override Prosper template jobs to exclude tag pipelines
+# Tags only run deploy_prod and smoke_test_prod (image already built on main)
+build_image:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+test_image:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+hadolint:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
 kics:
   variables:
     KICS_CONFIG: kics.config
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+secrets:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+app_deps_scan:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+cve_scan:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+app_sbom_analysis:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+cve_sbom_analysis:
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
+
+# Override release job to wait for stage integration tests before creating tag
+# This ensures the tag (which triggers prod deploy) is only created after stage passes
+release:
+  needs: [integration_test_stage, changelog]
 
 # Full integration test suite template (for feature/stage deployments)
 # Runs the complete pytest integration test suite against the deployed environment
@@ -138,20 +197,10 @@ kics:
       PYTEST_SCRIPT
 
 # Integration tests for stage deployment (full suite)
-integration_test_stage:
+# Reset stage template - shared by pre and post test reset jobs
-  <<: *integration_test_template
-  needs: [deploy_stage]
-  variables:
-    ORCHARD_TEST_URL: $STAGE_URL
-  rules:
-    - if: '$CI_COMMIT_BRANCH == "main"'
-      when: on_success
-
-# Reset stage environment after integration tests (clean slate for next run)
 # Calls the /api/v1/admin/factory-reset endpoint which handles DB and S3 cleanup
-reset_stage:
+.reset_stage_template: &reset_stage_template
   stage: deploy
-  needs: [integration_test_stage]
   image: deps.global.bsf.tools/docker/python:3.12-slim
   timeout: 5m
   retry: 1  # Retry once on transient failures
@@ -225,6 +274,26 @@ reset_stage:
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       when: on_success
+
+# Reset stage BEFORE integration tests (ensure known state)
+reset_stage_pre:
+  <<: *reset_stage_template
+  needs: [deploy_stage]
+
+# Integration tests for stage deployment (full suite)
+integration_test_stage:
+  <<: *integration_test_template
+  needs: [reset_stage_pre]
+  variables:
+    ORCHARD_TEST_URL: $STAGE_URL
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "main"'
+      when: on_success
+
+# Reset stage AFTER integration tests (clean slate for next run)
+reset_stage:
+  <<: *reset_stage_template
+  needs: [integration_test_stage]
   allow_failure: true  # Don't fail pipeline if reset has issues
 
 # Integration tests for feature deployment (full suite)
@@ -269,6 +338,10 @@ python_unit_tests:
         coverage_format: cobertura
         path: backend/coverage.xml
   coverage: '/TOTAL.*\s+(\d+%)/'
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
 
 # Run frontend tests
 frontend_tests:
@@ -298,6 +371,10 @@ frontend_tests:
         coverage_format: cobertura
         path: frontend/coverage/cobertura-coverage.xml
   coverage: '/All files[^|]*\|[^|]*\s+([\d\.]+)/'
+  rules:
+    - if: '$CI_COMMIT_TAG'
+      when: never
+    - when: on_success
 
 # Shared deploy configuration
 .deploy_template: &deploy_template
@@ -425,12 +502,11 @@ cleanup_feature:
 # Deploy to production (version tags only)
 deploy_prod:
   stage: deploy
-  # For tag pipelines, most jobs don't run (trusting main was tested)
+  # For tag pipelines, no other jobs run - image was already built when commit was on main
-  # We only need build_image to have the image available
+  needs: []
-  needs: [build_image]
   image: deps.global.bsf.tools/registry-1.docker.io/alpine/k8s:1.29.12
   variables:
-    NAMESPACE: orch-prod-namespace
+    NAMESPACE: orch-namespace
     VALUES_FILE: helm/orchard/values-prod.yaml
     BASE_URL: $PROD_URL
   before_script:

.gitleaks.toml

@@ -0,0 +1,8 @@
+# Gitleaks configuration
+# https://github.com/gitleaks/gitleaks#configuration
+
+[allowlist]
+# Test files that contain variable names matching secret patterns (e.g., s3_key)
+paths = [
+  '''backend/tests/.*\.py''',
+]

.gitleaksignore

@@ -16,3 +16,4 @@ bccbc71c13570d14b8b26a11335c45f102fe3072:backend/tests/unit/test_storage.py:gene
 08dce6cbb836b687002751fed4159bfc2da61f8b:backend/tests/unit/test_storage.py:generic-api-key:381
 617bcbe89cff9a009d77e4f1f1864efed1820e63:backend/tests/unit/test_storage.py:generic-api-key:381
 1cbd33544388e0fe6db752fa8886fab33cf9ce7c:backend/tests/unit/test_storage.py:generic-api-key:381
+7cfad28f678f5a5b8b927d694a17b9ba446b7138:backend/tests/unit/test_storage.py:generic-api-key:381

CHANGELOG.md

@@ -6,6 +6,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Changed
+- Added pre-test stage reset to ensure known environment state before integration tests (#54)
+
+## [0.5.1] - 2026-01-23
+### Changed
+- Simplified tag pipeline to only run deploy and smoke tests (image already built on main) (#54)
+
+### Fixed
+- Fixed production CI deployment namespace to use correct `orch-namespace` (#54)
+- Added gitleaks config to allowlist test files from secret scanning (#54)
 
 ## [0.5.0] - 2026-01-23
 ### Added