Skip to content

Weather App CI/CD

Weather App uses GitLab CI/CD as the main engineering pipeline. The pipeline separates fast feedback, staging validation and production promotion so application changes can be verified without rebuilding artifacts for every environment.

Environment Purpose Security Level Main Evidence
Local test stack Developer feedback and E2E debugging Relaxed edge security, mocked external dependencies Unit, integration and Cypress results
VPS staging Edge and deployment validation HTTPS, Traefik, WAF, registry pull and monitoring Healthcheck, DAST and staging logs
Kubernetes platform GitOps and policy validation NetworkPolicies, Kyverno, External Secrets and RBAC Argo CD sync, policies and dashboards
flowchart LR
commit[Commit or merge request] --> fast[Fast feedback]
fast --> build[Build application images]
build --> evidence[SBOM, PBOM, SCA and image scans]
evidence --> staging[VPS staging deploy]
staging --> dast[DAST and health checks]
dast --> promote[Artifact promotion]
promote --> gitops[GitOps deployment]
fast --> lint[Lint and formatting]
fast --> tests[Unit and integration tests]
fast --> policy[Secrets, SAST and pipeline policy]

Fast Feedback

Independent jobs start immediately with needs: []: linting, formatting, secret scanning, SAST and documentation checks do not wait for build stages.

Tests

Unit tests mock external APIs. Integration and E2E tests run separately so network behavior is explicit instead of hidden inside unit tests.

Supply Chain

SBOMs, PBOMs, image scans and registry digests are stored as evidence. SemVer tags remain readable, while digests provide the immutable deployment reference.

Policy

Plumber checks pipeline security, pinned images and risky shell patterns. GitLab CI lint validates syntax before GitLab attempts to execute the pipeline.

  1. Build backend and frontend images from the repository root so workspace metadata and bun.lock are available.
  2. Tag release images with SemVer from package metadata.
  3. Capture image digests after push to the GitLab registry.
  4. Generate SBOM and PBOM evidence for the source tree, dependencies and pipeline.
  5. Scan images and dependency metadata before promotion.
  6. Promote the digest, not a mutable tag, into staging and platform manifests.

Local execution uses gitlab-ci-local through the Weather App wrapper for fast feedback on jobs that do not require protected variables. The local runner is intentionally restricted:

  • no privileged mode by default;
  • no Docker socket mount by default;
  • pinned helper images;
  • local include resolution for refactors that are not pushed yet.

Plumber remains the policy checker for CI/CD governance. It is run locally before push when the self-managed GitLab context is available, and in CI after the branch is visible to GitLab.