cloudbuild.yaml

steps:
  # Step 1: Build Docker Image
  - name: "gcr.io/cloud-builders/docker"
    args: ["build", "-t", "gcr.io/$PROJECT_ID/my-app:latest", "."]

  # Step 2: Push Docker Image to Container Registry
  - name: "gcr.io/cloud-builders/docker"
    args: ["push", "gcr.io/$PROJECT_ID/my-app:latest"]

  # Step 3: Run Unit Tests
  - name: "python"
    entrypoint: "bash"
    args:
      - "-c"
      - |
        pip install -r requirements.txt
        pytest tests/

  # Step 4: Scan Docker Image with Trivy
  - name: "aquasec/trivy"
    args: ["image", "--exit-code", "0", "gcr.io/$PROJECT_ID/my-app:latest"]

  # Step 5: Snyk Code and Dependency Scanning
  - name: "node"
    entrypoint: "bash"
    secretEnv: ["SNYK_TOKEN"]
    args:
      - "-c"
      - |
        npm install -g snyk
        snyk auth $$SNYK_TOKEN
        snyk test || true
        snyk code test || true

  # Step 6: Deploy to Cloud Run
  - name: "gcr.io/google.com/cloudsdktool/cloud-sdk"
    entrypoint: "bash"
    args:
      - "-c"
      - |
        gcloud run deploy gcp-python-fastapi-service \
        --image gcr.io/$PROJECT_ID/my-app:latest \
        --region us-central1 \
        --platform managed

        gcloud run services add-iam-policy-binding \
        gcp-python-fastapi-service \
        --platform=managed \
        --region=us-central1 \
        --member="allUsers" \
        --role="roles/run.invoker" \

options:
  defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET
artifacts:
  objects:
    location: "gs://dsb-devsecops-lab-bucket"
    paths: ["*/**"]
availableSecrets:
  secretManager:
    - versionName: projects/724455289756/secrets/cloudbuild-snyk-token/versions/2
      env: "SNYK_TOKEN"