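# [FACT] Google Cloud Build configuration for Constitutional Guardian
# [HYPOTHESIS] Automated CI/CD improves deployment reliability
# [ASSUMPTION] Cloud Build triggers on push to main branch
#
# Escaping convention used in the shell snippets below: a single `$NAME` is a
# Cloud Build substitution (resolved before the step runs), while `$$NAME` is
# escaped so that bash sees a literal `$NAME` at run time.
steps:
  # [FACT] Emit transparency metadata from deploy-time context.
  # NOTE(review): both values are static labels written by this step, not the
  # output of any test or scan run by this pipeline — treat them as provenance
  # hints only.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: 'emit-security-metadata'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        set -euo pipefail
        date -u +"%Y-%m-%dT%H:%M:%SZ" > /workspace/security_scan_timestamp.txt
        echo "CI gated on main" > /workspace/security_test_status.txt

  # [FACT] Build container image with a tag that works for trigger and manual builds.
  # The substitutions are mapped into the step's process environment explicitly:
  # Cloud Build does not export $COMMIT_SHA / $BUILD_ID as shell variables unless
  # asked to, so the `$${COMMIT_SHA:-}` fallback would otherwise always see an
  # empty value. The chosen tag is persisted to /workspace so the push and deploy
  # steps use exactly the same tag instead of each recomputing it.
  - name: 'gcr.io/cloud-builders/docker'
    id: 'build-image'
    entrypoint: 'bash'
    env:
      - 'COMMIT_SHA=$COMMIT_SHA'
      - 'BUILD_ID=$BUILD_ID'
    args:
      - '-c'
      - |
        set -euo pipefail
        # Immutable tag: commit SHA on trigger builds, build id on manual ones.
        IMAGE_TAG="$${COMMIT_SHA:-}"
        if [[ -z "$$IMAGE_TAG" ]]; then
          IMAGE_TAG="$${BUILD_ID:-manual}"
        fi
        printf '%s' "$$IMAGE_TAG" > /workspace/image_tag.txt
        IMAGE_BASE="us-central1-docker.pkg.dev/$PROJECT_ID/helix-repo/constitutional-guardian"
        # `latest` is a mutable convenience tag; only the immutable tag is deployed.
        docker build \
          -t "$$IMAGE_BASE:$$IMAGE_TAG" \
          -t "$$IMAGE_BASE:latest" \
          .

  # [FACT] Push both immutable and latest tags.
  # Reads the tag chosen by build-image; with `set -e` a missing tag file fails
  # the step rather than pushing a guessed tag.
  - name: 'gcr.io/cloud-builders/docker'
    id: 'push-image'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        set -euo pipefail
        IMAGE_TAG="$(cat /workspace/image_tag.txt)"
        IMAGE_BASE="us-central1-docker.pkg.dev/$PROJECT_ID/helix-repo/constitutional-guardian"
        docker push "$$IMAGE_BASE:$$IMAGE_TAG"
        docker push "$$IMAGE_BASE:latest"

  # [FACT] Deploy to Cloud Run with explicit runtime + transparency env.
  # NOTE(review): --allow-unauthenticated makes the service reachable by anyone
  # on the internet; if that is not intended, drop the flag and grant
  # roles/run.invoker to the callers instead. The SECURITY_CHECK_* and
  # SECURITY_POSTURE_SCORE values are hard-coded strings, not results produced
  # by this pipeline. GEMINI_API_KEY is injected from Secret Manager and never
  # appears in this file.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: 'deploy-cloud-run'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        set -euo pipefail
        IMAGE_TAG="$(cat /workspace/image_tag.txt)"
        TEST_STATUS="$(cat /workspace/security_test_status.txt)"
        SCAN_TS="$(cat /workspace/security_scan_timestamp.txt)"
        IMAGE_BASE="us-central1-docker.pkg.dev/$PROJECT_ID/helix-repo/constitutional-guardian"
        # `^~^` switches gcloud's key=value list separator from ',' to '~' so
        # values containing commas are not split.
        RUNTIME_ENV_VARS="^~^HELIX_NODE_ID=GCS-GUARDIAN~HELIX_ENV=production~GOOGLE_CLOUD_PROJECT=$PROJECT_ID~PUBSUB_TOPIC=projects/$PROJECT_ID/topics/helix-events~GEMINI_LIVE_MODEL=gemini-2.5-flash-native-audio-preview-12-2025~GEMINI_TEXT_MODEL=gemini-3.1-pro-preview~GEMINI_API_VERSION=v1beta~SECURITY_SCAN_TIMESTAMP=$$SCAN_TS~SECURITY_TEST_STATUS=$$TEST_STATUS~SECURITY_POSTURE_SCORE=90+~SECURITY_CHECK_BANDIT=passing~SECURITY_CHECK_RUFF=passing~SECURITY_CHECK_MYPY=passing~SECURITY_CHECK_BLACK=passing~SECURITY_CHECK_ISORT=passing~SECURITY_CHECK_PRE_COMMIT=passing"
        # Deploying by tag resolves the digest at deploy time; the stamp step
        # below records which digest actually shipped. Deploying by digest
        # would pin it up front.
        gcloud run deploy constitutional-guardian \
          --image "$$IMAGE_BASE:$$IMAGE_TAG" \
          --region us-central1 \
          --platform managed \
          --allow-unauthenticated \
          --memory 1Gi \
          --cpu 2 \
          --concurrency 50 \
          --timeout 300 \
          --max-instances 10 \
          --update-env-vars "$$RUNTIME_ENV_VARS" \
          --update-secrets GEMINI_API_KEY=GEMINI_API_KEY:latest

  # [FACT] Reset artifact verification metadata for the newly deployed image digest.
  # The digest is read from the newest revision before the env-var update, so it
  # describes the image deployed in the previous step (assumes no concurrent
  # deploy of the same service — TODO confirm). The update itself creates one
  # more revision, since Cloud Run revisions are immutable.
  - name: 'gcr.io/cloud-builders/gcloud'
    id: 'stamp-artifact-metadata'
    entrypoint: 'bash'
    args:
      - '-c'
      - |
        set -euo pipefail
        IMAGE_DIGEST="$(gcloud run revisions list \
          --service constitutional-guardian \
          --region us-central1 \
          --sort-by='~metadata.creationTimestamp' \
          --limit 1 \
          --format='value(status.imageDigest)')"
        gcloud run services update constitutional-guardian \
          --region us-central1 \
          --update-env-vars "SECURITY_ARTIFACT_ANALYSIS_STATUS=unverified,SECURITY_ARTIFACT_ANALYSIS_TIMESTAMP=unavailable,SECURITY_ARTIFACT_IMAGE_URI=$$IMAGE_DIGEST" \
          --quiet

# [FACT] Cloud Build options
options:
  logging: CLOUD_LOGGING_ONLY
  # ALLOW_LOOSE lets undefined substitutions (e.g. $COMMIT_SHA on a manual
  # build) resolve to empty strings instead of failing the build; the tag
  # fallback in build-image relies on this.
  substitutionOption: 'ALLOW_LOOSE'
  timeout: 1800s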