
feat(ci): Integrate Secure Docker BuildKit Stage with Dual-Image Build and Migration Validation

Kushal Lagichetty requested to merge chore/docker-stage into develop

Summary

This MR enhances the CI/CD pipeline by adding an automated Docker build and validation stage. It implements a secure, daemonless architecture for building application containers and introduces automated migration testing to ensure that built images are deployment-ready.


Key Changes

  • Pipeline Expansion: Added a new build stage to .gitlab-ci.yml.
  • Secure Build Engine: Configured docker buildx with the docker-container driver, eliminating the need for the legacy, insecure docker:dind (Docker-in-Docker) service on self-hosted runners.
  • Dual-Image Build: Automates the creation and pushing of both the main app and the db-init utility images to the GitLab Container Registry.
  • Automated Migration Testing: The docker-build job now includes a postgis service. After images are built, the pipeline executes init_db.py in a temporary container to verify that migrations run successfully against a live database.
  • Optimized Caching: Implemented inline registry caching (--cache-from and --cache-to) to significantly reduce build times for subsequent runs.
  • Tagging Strategy: Images are tagged with the short commit SHA and branch name. The latest tag is automatically updated upon merges to the default branch.

Security & Architecture

Following mentor guidance, privileged mode has been avoided by utilizing the docker-container driver. This architecture isolates the build engine within its own unprivileged container on the host VM, adhering to modern security standards for self-hosted CI environments.


How to Verify

  1. Monitor the Pipeline: Push this branch and verify that the new docker-build stage appears.
  2. Check Job Logs: Ensure the db-init validation step prints "Database initialization completed successfully.".
  3. Inspect Registry: Verify that the GitLab Container Registry is populated with the new app and db-init images with correct tags.

Checklist

  • No privileged mode or dind service used.
  • Both app and db-init images are built.
  • Migration validation passes against the integrated Postgres service.
  • Caching is correctly configured.
  • Tagging follows the project convention.

Closes #145
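As an added illustration (not the MR's own `.gitlab-ci.yml`), a job shaped like the one described above: docker-container driver instead of dind, inline registry cache, short-SHA/branch/latest tags, and the db-init migration check. The image tags, Dockerfile paths, service alias and the network used for `docker run` are assumptions and must be adapted to the runner's setup.

```yaml
# Added example, not the MR's actual pipeline file. Assumptions are marked.
stages:
  - build

docker-build:
  stage: build
  image: docker:27-cli          # assumed: CLI-only image, no daemon, no docker:dind service
  services:
    - name: postgis/postgis:16-3.4   # assumed tag
      alias: db
  variables:
    POSTGRES_DB: app
    POSTGRES_USER: app
    POSTGRES_PASSWORD: ci-only-password   # constructed throwaway value for the job-local DB
    APP_IMAGE: $CI_REGISTRY_IMAGE/app
    DB_INIT_IMAGE: $CI_REGISTRY_IMAGE/db-init
  before_script:
    # Registry login via stdin so the job token never appears in the command line/log
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # BuildKit engine runs in its own unprivileged container; no privileged mode needed
    - docker buildx create --name ci-builder --driver docker-container --use
  script:
    # Build and push both images; inline cache lets later runs of the same branch reuse layers
    - |
      for IMG in app db-init; do
        case "$IMG" in app) REF="$APP_IMAGE";; *) REF="$DB_INIT_IMAGE";; esac
        TAGS="-t $REF:$CI_COMMIT_SHORT_SHA -t $REF:$CI_COMMIT_REF_SLUG"
        if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then TAGS="$TAGS -t $REF:latest"; fi
        docker buildx build --push \
          --cache-from "type=registry,ref=$REF:$CI_COMMIT_REF_SLUG" \
          --cache-to type=inline \
          -f "docker/$IMG/Dockerfile" $TAGS .      # assumed Dockerfile layout
      done
    # Run migrations from the image just built against the live postgis service.
    # The job fails unless the success line is printed (grep exit status), so a
    # silently failing init_db.py cannot pass as green.
    - |
      docker run --rm --network host \
        -e DATABASE_URL="postgresql://app:ci-only-password@db:5432/app" \
        "$DB_INIT_IMAGE:$CI_COMMIT_SHORT_SHA" python init_db.py \
        | tee init_db.log
      grep -q "Database initialization completed successfully." init_db.log
```

Whether `db` resolves from a container started with `docker run` depends on how the runner wires service networks; on runners where it does not, point `DATABASE_URL` at the address the runner exposes for the service.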

Edited by Kushal Lagichetty
