Gitea Actions Pipeline: Build, Scan and Deploy on Nomad

devops
gitea
nomad
docker
ci-cd
trivy
securite
Author

Sylvain Pham

Published

December 31, 2025

CI/CD pipeline template for Gitea Actions: Docker build, Trivy scan, push to a private registry and Nomad deployment. Reusable by changing 5 variables.

Configuration

Only these variables change between projects:

env:
  APP_NAME: dash1          # Application name
  PORT_HOST: 8081          # Port exposed on the host
  PORT_CONTAINER: 80       # Port inside the container
  CPU: 100                 # Nomad CPU shares
  MEMORY: 128              # RAM in MB

Full pipeline

name: Build and Deploy

# Runs on every push to main and on every v* tag
on:
  push:
    branches:
      - main
    tags:
      - 'v*'

env:
  APP_NAME: dash1
  PORT_HOST: 8081
  PORT_CONTAINER: 80
  CPU: 100
  MEMORY: 128
  REGISTRY: 192.168.1.42:5000
  NOMAD_ADDR: http://192.168.1.42:4646

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Version = the git tag when building a tag, otherwise the short commit SHA
      - name: Set version
        id: version
        run: |
          if [[ "$GITHUB_REF" == refs/tags/* ]]; then
            VERSION=${GITHUB_REF#refs/tags/}
          else
            VERSION=$(git rev-parse --short HEAD)
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Building version: $VERSION"

      # Same image under two tags: the version and latest
      - name: Build Docker image
        run: |
          docker build -t $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }} .
          docker tag $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }} $REGISTRY/$APP_NAME:latest

      # Scans the local image through the Docker socket; --exit-code 1 fails the job
      # (and so blocks the push and the deploy) on any CRITICAL vulnerability
      - name: Scan with Trivy
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            aquasec/trivy:latest image \
            --severity CRITICAL \
            --exit-code 1 \
            --format table \
            $REGISTRY/$APP_NAME:latest

      - name: Push to registry
        run: |
          docker push $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }}
          docker push $REGISTRY/$APP_NAME:latest
          echo "Pushed: $REGISTRY/$APP_NAME:${{ steps.version.outputs.VERSION }}"

      # The heredoc is unquoted so the env variables are expanded into the JSON
      # before it is POSTed to the Nomad jobs API; force_pull makes Nomad fetch
      # the freshly pushed latest image
      - name: Deploy to Nomad
        run: |
          cat <<EOF | curl -s -X POST $NOMAD_ADDR/v1/jobs \
            -H "Content-Type: application/json" -d @-
          {"Job":{"ID":"$APP_NAME","Name":"$APP_NAME","Type":"service","Datacenters":["dc1"],"TaskGroups":[{"Name":"$APP_NAME","Count":1,"Networks":[{"ReservedPorts":[{"Label":"http","Value":$PORT_HOST,"To":$PORT_CONTAINER}]}],"Tasks":[{"Name":"$APP_NAME","Driver":"docker","Config":{"image":"$REGISTRY/$APP_NAME:latest","ports":["http"],"force_pull":true},"Resources":{"CPU":$CPU,"MemoryMB":$MEMORY}}]}]}}
          EOF
          echo ""
          echo "Deployed: http://192.168.1.42:$PORT_HOST"

Pipeline steps

Step          Description
Set version   Git tag or short commit SHA
Build         Builds the Docker image
Scan Trivy    Fails if a CRITICAL vulnerability is found
Push          Private registry, tags version + latest
Deploy        Nomad job via the HTTP API
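As an added example (not part of the original post, and not Trivy's own code), the CRITICAL gate of the Scan step re-implemented over Trivy's JSON output (`--format json`) so that the blocking findings are listed before the step fails; it also generalises to a lower threshold and to skipping findings that have no fixed version, which Trivy itself offers through `--ignore-unfixed`. The report below is a constructed sample with placeholder CVE ids, not a real scan of the dash1 image.

```python
"""Severity gate over Trivy JSON output (python3, standard library only)."""
import json

# Trivy's severity ordering, so a threshold of HIGH also blocks CRITICAL.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample of `trivy image --format json` output; CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "192.168.1.42:5000/dash1:latest",
    "Results": [
        {"Target": "192.168.1.42:5000/dash1:latest (alpine 3.19.0)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3",
              "InstalledVersion": "3.1.4-r0", "FixedVersion": "3.1.4-r1",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.1-r0", "FixedVersion": "",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
              "InstalledVersion": "1.3-r0", "FixedVersion": "1.3-r1",
              "Severity": "MEDIUM"}]},
        # Trivy emits null (not []) for a target with no findings.
        {"Target": "Node.js", "Vulnerabilities": None},
    ],
})


def blocking_findings(report_json, threshold="CRITICAL", ignore_unfixed=False):
    """Return (id, package, severity) for every finding at or above `threshold`."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue  # no upgrade available yet, so do not block on it
            hits.append((vuln["VulnerabilityID"], vuln["PkgName"], vuln["Severity"]))
    return hits


def gate_exit_code(report_json, threshold="CRITICAL", ignore_unfixed=False):
    """1 when anything blocks (mirrors `--exit-code 1`), otherwise 0."""
    return 1 if blocking_findings(report_json, threshold, ignore_unfixed) else 0


if __name__ == "__main__":
    for cve, pkg, sev in blocking_findings(SAMPLE_REPORT, "HIGH"):
        print(f"{sev:8} {cve} ({pkg})")
    raise SystemExit(gate_exit_code(SAMPLE_REPORT))
```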

Versioning

  • Push to main: version = short SHA (a1b2c3d)
  • Tag v1.0.0: version = the tag (v1.0.0)

In both cases the versioned image is pushed, plus a latest tag.

Prerequisites

  • Gitea runner with Docker
  • Reachable Docker registry (here 192.168.1.42:5000)
  • Nomad reachable without auth (or add a token)
  • Dockerfile at the project root

New project

  1. Copy the workflow to .gitea/workflows/deploy.yml
  2. Change the 5 env variables
  3. Push

Gitea Actions · Nomad Job API · Trivy