stack/.woodpecker.yml
Jason Woltje 32c35d327b
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
fix(ci): Use docker:dind with manual login instead of buildx plugin
The buildx plugin's credential handling doesn't work properly with
Harbor. The docker-auth-test step proved that standard docker login
works, so we switch to:
- docker:dind image
- Manual docker login before build
- Standard docker build and docker push

This bypasses buildx's separate credential store issue.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-01 17:31:05 -06:00


# Woodpecker CI Quality Enforcement Pipeline - Monorepo
# Pipeline-level trigger filter: the pipeline starts on pushes, pull requests
# and manual runs. Pull-request runs execute the repository's own scripts
# (pnpm install / lint / test), so the steps that receive registry secrets
# carry a narrower `when` filter of their own further down.
when:
  - event:
      - push
      - pull_request
      - manual
# Shared YAML anchors; the steps reference them by alias (*node_image, ...).
variables:
  # Base image for every Node step. The tag is mutable.
  # NOTE(review): consider pinning by digest so a re-tagged upstream image
  # cannot change what runs in CI.
  - &node_image 'node:20-alpine'
  # Enable corepack, then install with --frozen-lockfile so the install fails
  # instead of rewriting the lockfile when it is out of sync.
  - &install_deps |
    corepack enable
    pnpm install --frozen-lockfile
  # Enable corepack only; used by steps that run after `install`.
  # Presumably relies on the workspace still holding the installed modules;
  # verify against the agent's workspace setup.
  - &use_deps |
    corepack enable
# Step graph: install -> {security-audit, lint, prisma-generate};
# prisma-generate -> {typecheck, test}; build waits on typecheck,
# security-audit and prisma-generate; the docker-build-* steps wait on build.
steps:
  # Install workspace dependencies from the lockfile.
  install:
    image: *node_image
    commands:
      - *install_deps

  # Dependency vulnerability gate. `build` depends on this step, so a failing
  # audit at level high or above also stops the image builds.
  security-audit:
    image: *node_image
    commands:
      - *use_deps
      - 'pnpm audit --audit-level=high'
    depends_on:
      - install

  # Lint is advisory: `|| true` forces exit status 0, and no later step
  # depends on it. Non-blocking while fixing legacy code.
  lint:
    image: *node_image
    environment:
      # NOTE(review): presumably disables the app's env-schema check in CI;
      # confirm against the application code.
      SKIP_ENV_VALIDATION: 'true'
    commands:
      - *use_deps
      - 'pnpm lint || true'
    depends_on:
      - install
    # Skipped only when the event is pull_request AND the branch is main.
    when:
      - evaluate: 'CI_PIPELINE_EVENT != "pull_request" || CI_COMMIT_BRANCH != "main"'

  # Generate the Prisma client for the API package.
  prisma-generate:
    image: *node_image
    environment:
      SKIP_ENV_VALIDATION: 'true'
    commands:
      - *use_deps
      - 'pnpm --filter "@mosaic/api" prisma:generate'
    depends_on:
      - install

  # Type checking is a blocking gate for `build`.
  typecheck:
    image: *node_image
    environment:
      SKIP_ENV_VALIDATION: 'true'
    commands:
      - *use_deps
      - 'pnpm typecheck'
    depends_on:
      - prisma-generate

  # Tests are advisory: `|| true` forces exit status 0 and `build` does not
  # depend on this step, so a failing test suite does not stop images from
  # being built and pushed. Non-blocking while fixing legacy tests.
  test:
    image: *node_image
    environment:
      SKIP_ENV_VALIDATION: 'true'
    commands:
      - *use_deps
      - 'pnpm test || true'
    depends_on:
      - prisma-generate

  # Production build; only blocks on the critical checks listed below.
  build:
    image: *node_image
    environment:
      SKIP_ENV_VALIDATION: 'true'
      NODE_ENV: 'production'
    commands:
      - *use_deps
      - 'pnpm build'
    depends_on:
      - typecheck
      - security-audit
      - prisma-generate

  # ======================
  # Docker Build & Push (main/develop only)
  # ======================
  # Requires secrets: harbor_username, harbor_password
  #
  # Secret exposure: the Harbor credentials are injected only into these three
  # steps, and each step runs only for push/manual events on main or develop,
  # so pull-request runs never receive them. The password is piped through
  # --password-stdin, which keeps it out of the docker command line.
  #
  # NOTE(review): docker login/build/push need a Docker daemon, and this file
  # configures none (no service, volume or privileged setting is visible
  # here); confirm where it comes from. A privileged dind container or the
  # host's docker.sock both give the build host-level control, so keep these
  # steps limited to trusted branches and events.
  # NOTE(review): `docker:dind` is a floating tag; consider pinning a version
  # or digest.
  # NOTE(review): `latest` is pushed from both main and develop, so it points
  # at whichever branch built last. Deployments that need a known build should
  # reference the commit-SHA tag.

  # Build and push API image
  docker-build-api:
    image: docker:dind
    environment:
      HARBOR_USER:
        from_secret: harbor_username
      HARBOR_PASS:
        from_secret: harbor_password
    commands:
      - 'echo "$HARBOR_PASS" | docker login reg.mosaicstack.dev -u "$HARBOR_USER" --password-stdin'
      # Folded scalar: the lines below join with single spaces into one command.
      - >-
        docker build
        -t reg.mosaicstack.dev/mosaic/api:${CI_COMMIT_SHA:0:8}
        -t reg.mosaicstack.dev/mosaic/api:latest
        -f apps/api/Dockerfile
        .
      - 'docker push reg.mosaicstack.dev/mosaic/api:${CI_COMMIT_SHA:0:8}'
      - 'docker push reg.mosaicstack.dev/mosaic/api:latest'
    when:
      - branch:
          - main
          - develop
        event:
          - push
          - manual
    depends_on:
      - build

  # Build and push Web image
  docker-build-web:
    image: docker:dind
    environment:
      HARBOR_USER:
        from_secret: harbor_username
      HARBOR_PASS:
        from_secret: harbor_password
    commands:
      - 'echo "$HARBOR_PASS" | docker login reg.mosaicstack.dev -u "$HARBOR_USER" --password-stdin'
      # Build args are recorded in the image history; this one is a public
      # URL. Never pass credentials to the build this way.
      - >-
        docker build
        --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev
        -t reg.mosaicstack.dev/mosaic/web:${CI_COMMIT_SHA:0:8}
        -t reg.mosaicstack.dev/mosaic/web:latest
        -f apps/web/Dockerfile
        .
      - 'docker push reg.mosaicstack.dev/mosaic/web:${CI_COMMIT_SHA:0:8}'
      - 'docker push reg.mosaicstack.dev/mosaic/web:latest'
    when:
      - branch:
          - main
          - develop
        event:
          - push
          - manual
    depends_on:
      - build

  # Build and push Postgres image
  docker-build-postgres:
    image: docker:dind
    environment:
      HARBOR_USER:
        from_secret: harbor_username
      HARBOR_PASS:
        from_secret: harbor_password
    commands:
      - 'echo "$HARBOR_PASS" | docker login reg.mosaicstack.dev -u "$HARBOR_USER" --password-stdin'
      # Build context is docker/postgres, not the repository root.
      - >-
        docker build
        -t reg.mosaicstack.dev/mosaic/postgres:${CI_COMMIT_SHA:0:8}
        -t reg.mosaicstack.dev/mosaic/postgres:latest
        -f docker/postgres/Dockerfile
        docker/postgres
      - 'docker push reg.mosaicstack.dev/mosaic/postgres:${CI_COMMIT_SHA:0:8}'
      - 'docker push reg.mosaicstack.dev/mosaic/postgres:latest'
    when:
      - branch:
          - main
          - develop
        event:
          - push
          - manual
    depends_on:
      - build