---
# ============================================================================
# VaultMesh GitLab CI/CD Pipeline
# ============================================================================
# Governed by: RED-BOOK.md
# ============================================================================
# Two stages: every invariant job runs in `validate`, the Python syntax check
# in `test`. Each job below is gated with `rules:changes`, so it is only
# scheduled when one of the paths it watches is touched by the push.

stages:
  - validate
  - test
# ============================================================================
# DOC INVARIANTS
# ============================================================================
# Runs scripts/doc-invariants.sh whenever Markdown, playbook content or the
# script itself changes.
# NOTE(review): `*.md` in rules:changes matches only root-level files (GitLab
# evaluates globs with FNM_PATHNAME, so `*` does not cross `/`); Markdown
# under docs/ or doctrine/ would need `**/*.md` — confirm which is intended.
# NOTE(review): alpine:latest is a mutable tag; pin a version or digest so the
# check is reproducible and the toolchain cannot change underneath the job.
doc_invariants:
  stage: validate
  image: alpine:latest
  before_script:
    # Presumably the tools doc-invariants.sh relies on; busybox grep/find
    # differ from GNU in option coverage.
    - apk add --no-cache bash grep findutils
  script:
    - bash scripts/doc-invariants.sh
  rules:
    - changes:
        - '*.md'
        - 'playbooks/**/*'
        - 'scripts/doc-invariants.sh'
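# ============================================================================
# INFRA INVARIANTS
# ============================================================================
# Validates Terraform formatting + syntax on infrastructure changes.
# NOTE(review): hashicorp/terraform:latest is a mutable tag; pin a version or
# digest so the validation toolchain is reproducible.
infra_invariants:
  stage: validate
  image:
    name: hashicorp/terraform:latest
    # The upstream image declares `terraform` as its ENTRYPOINT. GitLab's
    # docker executor hands the job shell to that entrypoint, which makes the
    # job fail before any script runs; an empty entrypoint restores the shell.
    entrypoint: [""]
  before_script:
    # script: invokes bash, which the Alpine-based image is not guaranteed to
    # ship; install it only when missing (no-op when already present).
    - command -v bash >/dev/null 2>&1 || apk add --no-cache bash
  script:
    - bash scripts/infra-invariants.sh
  rules:
    - changes:
        - "terraform/**/*"
        - "scripts/infra-invariants.sh"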
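# ============================================================================
# WAF + PLAN INVARIANTS
# ============================================================================
# Enforces WAF Intel regression + deterministic Terraform plan gating.
# NOTE(review): hashicorp/terraform:latest is a mutable tag; pin a version or
# digest. requirements-dev.txt is installed without hash verification —
# consider `pip install --require-hashes` once the file carries hashes.
waf_plan_invariants:
  stage: validate
  image:
    name: hashicorp/terraform:latest
    # The upstream image declares `terraform` as its ENTRYPOINT; GitLab's
    # docker executor would pass the job shell to it. Clear it so the job
    # shell runs normally.
    entrypoint: [""]
  before_script:
    # Install python3/pip (plus bash, which script: invokes) with whichever
    # package manager the image provides; fail loudly when neither exists.
    # --no-install-recommends keeps the apt branch from pulling unrelated
    # packages into the job container.
    - |
      set -euo pipefail
      if command -v apk >/dev/null 2>&1; then
        apk add --no-cache bash python3 py3-pip
      elif command -v apt-get >/dev/null 2>&1; then
        apt-get update
        apt-get install -y --no-install-recommends bash python3 python3-pip
        rm -rf /var/lib/apt/lists/*
      else
        echo "No supported package manager found to install python3/pip." >&2
        exit 1
      fi
    # NOTE(review): recent Alpine and Debian mark the system Python as
    # externally managed (PEP 668) and pip may refuse this install; a venv in
    # before_script would be the robust fix — confirm against the image pulled.
    - python3 -m pip install --no-cache-dir -r requirements-dev.txt
  script:
    - bash scripts/waf-and-plan-invariants.sh
  rules:
    - changes:
        - "mcp/waf_intelligence/**/*"
        - "scripts/waf-and-plan-invariants.sh"
        - "tests/test_waf_intelligence_analyzer.py"
        - "requirements-dev.txt"
        - "terraform/**/*"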
# ============================================================================
# PYTHON SYNTAX CHECK
# ============================================================================
# Byte-compiles the entry-point scripts and smoke-tests the MCP tool import
# when Python sources change.
python_check:
  stage: test
  image: python:3.11-slim
  script:
    # py_compile fails the job on a syntax error in any listed file.
    - python -m py_compile oracle_runner.py oracle_answer_mcp.py mcp/oracle_answer/tool.py
    # The import exercises package layout and top-level side effects that
    # py_compile alone does not reach.
    - python -c "from mcp.oracle_answer import OracleAnswerTool; print('✓ Import OK')"
  rules:
    # Root-level .py files, the mcp tree and scripts/ (non-recursive).
    - changes:
        - '*.py'
        - 'mcp/**/*.py'
        - 'scripts/*.py'