CI/CD pipeline template for Gitea Actions: Docker build, Trivy scan, push to a private registry and Nomad deployment. Reusable by changing 5 variables.
Configuration

Only these variables change between projects:

```yaml
env:
  APP_NAME: dash1        # Application name
  PORT_HOST: 8081        # Port exposed on the host
  PORT_CONTAINER: 80     # Port inside the container
  CPU: 100               # Nomad CPU shares
  MEMORY: 128            # RAM in MB
```

Full pipeline
```yaml
name: Build and Deploy

on:
  push:
    branches:
      - main
    tags:
      - 'v*'

env:
  APP_NAME: dash1
  PORT_HOST: 8081
  PORT_CONTAINER: 80
  CPU: 100
  MEMORY: 128
  REGISTRY: 192.168.1.42:5000
  NOMAD_ADDR: http://192.168.1.42:4646

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Version = git tag on a tag push, short commit SHA otherwise
      - name: Set version
        id: version
        run: |
          if [[ "$GITHUB_REF" == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          else
            VERSION=$(git rev-parse --short HEAD)
          fi
          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
          echo "Building version: $VERSION"

      - name: Build Docker image
        run: |
          docker build -t $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }} .
          docker tag $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }} $REGISTRY/$APP_NAME:latest

      # --exit-code 1 fails the job, so nothing is pushed when a CRITICAL finding exists
      - name: Scan with Trivy
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            aquasec/trivy:latest image \
            --severity CRITICAL \
            --exit-code 1 \
            --format table \
            $REGISTRY/$APP_NAME:latest

      - name: Push to registry
        run: |
          docker push $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }}
          docker push $REGISTRY/$APP_NAME:latest
          echo "Pushed: $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }}"

      # Job spec is built from the env variables and submitted to the Nomad HTTP API
      - name: Deploy to Nomad
        run: |
          cat <<EOF | curl -s -X POST $NOMAD_ADDR/v1/jobs \
            -H "Content-Type: application/json" -d @-
          {"Job":{"ID":"$APP_NAME","Name":"$APP_NAME","Type":"service","Datacenters":["dc1"],"TaskGroups":[{"Name":"$APP_NAME","Count":1,"Networks":[{"ReservedPorts":[{"Label":"http","Value":$PORT_HOST,"To":$PORT_CONTAINER}]}],"Tasks":[{"Name":"$APP_NAME","Driver":"docker","Config":{"image":"$REGISTRY/$APP_NAME:latest","ports":["http"],"force_pull":true},"Resources":{"CPU":$CPU,"MemoryMB":$MEMORY}}]}]}}
          EOF
          echo ""
          echo "Deployed: http://192.168.1.42:$PORT_HOST"
```

Pipeline steps
| Step | Description |
|---|---|
| Set version | Git tag or short commit SHA |
| Build | Builds the Docker image |
| Scan Trivy | Blocks on any CRITICAL vulnerability |
| Push | Private registry, version + latest tags |
| Deploy | Nomad job via the HTTP API |
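As an added example (not part of the original page or the workflow above), here is a Python helper that produces the same Nomad job payload as the Deploy step's heredoc, but builds it through a JSON encoder after checking the five variables, so a malformed value (a quote in APP_NAME, a non-numeric port) fails the pipeline before anything reaches the Nomad API instead of producing broken or unintended JSON. The function names, the accepted value ranges and the optional image_tag parameter are my assumptions; image_tag defaults to latest, as the page deploys.

```python
import json
import re

REGISTRY = "192.168.1.42:5000"  # same private registry as the workflow env block

# Lowercase alphanumerics, '.', '_' and '-' only: a value that satisfies this can
# neither break the JSON payload nor smuggle a different image reference.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]{0,62}$")


def validate_variables(app_name, port_host, port_container, cpu, memory):
    """Return a list of problems; empty when all five variables are acceptable."""
    problems = []
    if not isinstance(app_name, str) or not _NAME_RE.match(app_name):
        problems.append(f"APP_NAME {app_name!r} is not a safe job/image name")
    # Upper bounds are assumed sanity limits, not Nomad-imposed maxima.
    for name, value, hi in (("PORT_HOST", port_host, 65535),
                            ("PORT_CONTAINER", port_container, 65535),
                            ("CPU", cpu, 100_000), ("MEMORY", memory, 1_000_000)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= hi:
            problems.append(f"{name} must be an integer in [1, {hi}], got {value!r}")
    return problems


def build_nomad_job(app_name, port_host, port_container, cpu, memory,
                    registry=REGISTRY, image_tag="latest", datacenter="dc1"):
    """Same structure as the workflow's heredoc, built as a dict after validation.
    image_tag defaults to "latest" as on the page; pass the build version instead
    to pin the deployment to the exact image that was built and scanned."""
    problems = validate_variables(app_name, port_host, port_container, cpu, memory)
    if problems:
        raise ValueError("; ".join(problems))
    return {"Job": {
        "ID": app_name, "Name": app_name, "Type": "service",
        "Datacenters": [datacenter],
        "TaskGroups": [{
            "Name": app_name, "Count": 1,
            "Networks": [{"ReservedPorts": [
                {"Label": "http", "Value": port_host, "To": port_container}]}],
            "Tasks": [{
                "Name": app_name, "Driver": "docker",
                "Config": {"image": f"{registry}/{app_name}:{image_tag}",
                           "ports": ["http"], "force_pull": True},
                "Resources": {"CPU": cpu, "MemoryMB": memory}}]}]}}


if __name__ == "__main__":
    # Emit the payload for curl, where the heredoc sits in the workflow:
    #   python3 nomad_job.py | curl -s -X POST $NOMAD_ADDR/v1/jobs -H "Content-Type: application/json" -d @-
    print(json.dumps(build_nomad_job("dash1", 8081, 80, 100, 128)))
```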
Versioning

- Push to main: version = short SHA (a1b2c3d)
- Tag v1.0.0: version = tag (v1.0.0)

Both versions are pushed, plus a latest tag.
Prerequisites

- Gitea runner with Docker
- Reachable Docker registry (here 192.168.1.42:5000)
- Nomad reachable without auth (or add a token)
- Dockerfile at the project root
New project

- Copy the workflow to .gitea/workflows/deploy.yml
- Change the 5 env variables
- Push