Woodpecker CI pipeline with test gates (supersedes PR #16) #19

Closed
opened 2026-05-10 16:24:09 +00:00 by ldraney (Owner) · 0 comments

Type

Infra

Lineage

Plan: pal-enterprises infrastructure overhaul (Ticket 5 of 5). Supersedes #7 / PR #16.

Repo

ldraney/pal-enterprises

User Story

As a developer
I want the CI pipeline to run security scans and linting before build/deploy
So that quality gates catch issues before code reaches production

Context

PR #16 created a basic Woodpecker pipeline (clone → build → deploy) but had no test step. QA review requested adding brakeman, rubocop, and bundle-audit. Since the Dockerfile is now Arch-based (Ticket 4), the pipeline needs to be rewritten anyway. This ticket supersedes PR #16.

The app has brakeman, rubocop-rails-omakase, and bundler-audit in its Gemfile but none are exercised in CI.

File Targets

Files the agent should modify:

  • .woodpecker.yaml — rewrite with test step, Arch-based build

Pipeline Shape

clone → test (bundle-audit + brakeman + rubocop) → build-and-push (main only) → update-kustomize-tag (main only)

Acceptance Criteria

  • PR pushes trigger clone + test steps
  • Main pushes trigger full pipeline (test + build + deploy)
  • bundle audit runs and catches known CVEs
  • brakeman runs and catches Rails security issues
  • rubocop runs and enforces code style
  • Build step uses Arch-based Dockerfile
  • Path exclusion for ArgoCD source files (k8s/.argocd-source-*)

Dependencies

  • Ticket 4 (Arch Dockerfile) must be merged first
  • PR #16 should be closed before this PR is opened

Constraints

  • Follow existing Woodpecker conventions from sibling repos
  • Test step must use the Arch base image for consistency
  • Build step uses Kaniko (same as PR #16)
  • Do not add fake test steps — only run tools that exist in the Gemfile

Related

  • ldraney/pal-enterprises#7 — original CI ticket (superseded)
  • PR #16 — original CI PR (to be closed)
  • QA review on PR #16 — requested test gates
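The pipeline shape, acceptance criteria and constraints above translate into a single `.woodpecker.yaml`. The following is an added example for illustration, not the repository's actual pipeline or the contents of PR #16. It assumes: `archlinux:base-devel` plus a `pacman` install of `ruby`/`ruby-bundler` stands in for the Arch image from Ticket 4; the build step uses the `woodpeckerci/plugin-kaniko` plugin (the ticket only says "Kaniko"); the registry host, the secret names (`registry_user`, `registry_password`, `git_token`), the `k8s/kustomization.yaml` path and the `newTag:` line it edits are placeholders; and Woodpecker 2.x+ syntax (`from_secret` under `environment`, list-form `when`) is available.

```yaml
# .woodpecker.yaml -- added example, not the project's own file.
# Placeholders (assumptions): archlinux:base-devel as the test image, the
# woodpeckerci/plugin-kaniko plugin for the build, registry.example.com,
# the secret names, and k8s/kustomization.yaml with a "newTag:" line.

# Pipeline-level gate: run on PR and push events, but not when every changed
# file is one of ArgoCD's own write-back files (k8s/.argocd-source-*), so
# ArgoCD committing to the repo does not retrigger a build.
when:
  - event: [push, pull_request]
    path:
      exclude: ['k8s/.argocd-source-*']

steps:
  # Runs on every PR and push. None of the three gates needs a database or a
  # booted Rails app, so no service containers are required.
  - name: test
    image: archlinux:base-devel          # assumption: stand-in for the Ticket 4 image
    commands:
      # Assumption: Gemfile gems compile cleanly against these packages; add
      # libpq/sqlite/etc. if the Gemfile needs them.
      - pacman -Syu --noconfirm ruby ruby-bundler libyaml
      # Do not set BUNDLE_WITHOUT to a group that holds brakeman/rubocop/audit.
      - bundle install --jobs 4
      # Known CVEs in Gemfile.lock; --update refreshes the advisory DB first.
      - bundle exec bundle-audit check --update
      # Brakeman exits non-zero on any warning by default, which is the gate.
      - bundle exec brakeman --no-pager -q
      - bundle exec rubocop

  # main only: build the Arch-based Dockerfile with Kaniko and push it,
  # tagged with the commit SHA so the deploy step can pin it.
  - name: build-and-push
    image: woodpeckerci/plugin-kaniko    # assumption: plugin, not the raw executor
    settings:
      registry: registry.example.com     # placeholder
      repo: registry.example.com/pal-enterprises
      dockerfile: Dockerfile
      context: .
      tags: ${CI_COMMIT_SHA}
      username:
        from_secret: registry_user       # assumed secret name
      password:
        from_secret: registry_password   # assumed secret name
    when:
      - event: push
        branch: main

  # main only: pin the new tag in the kustomization ArgoCD syncs and push
  # the change back. "[skip ci]" keeps this commit from triggering a new run.
  - name: update-kustomize-tag
    image: alpine/git
    environment:
      GIT_TOKEN:
        from_secret: git_token           # assumed secret name
    commands:
      - sed -i "s|newTag:.*|newTag: $CI_COMMIT_SHA|" k8s/kustomization.yaml
      - git config user.email "woodpecker@example.com"
      - git config user.name "woodpecker"
      - git commit -am "Deploy $CI_COMMIT_SHA [skip ci]"
      # Forge token passed as the HTTPS password on the repo's clone URL.
      - git push "$(echo "$CI_REPO_CLONE_URL" | sed "s|^https://|https://woodpecker:$GIT_TOKEN@|")" HEAD:main
    when:
      - event: push
        branch: main
```

Two things worth checking when adapting this: the `path.exclude` condition only skips the pipeline when all changed files match the pattern (a commit that touches both an ArgoCD file and app code still runs), and the `[skip ci]` marker only protects against the pipeline's own write-back commit, so both mechanisms are needed to avoid a build loop. Installing Ruby with `pacman` on every run is slow; once the Ticket 4 image is published, pointing the test step at it satisfies the "same Arch base image" constraint and removes that install line.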
Reference
ldraney/pal-enterprises#19