npm - @catladder/pipeline - Versions diffs - 1.163.0 → 1.163.2 - Mend

@catladder/pipeline 1.163.0 → 1.163.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

package/README.md +15 -1
package/dist/bundles/catladder-gitlab/index.js +2 -2
package/dist/constants.js +1 -1
package/dist/pipeline/generatePipelineFiles.d.ts +38 -0
package/dist/pipeline/generatePipelineFiles.js +44 -23
package/dist/tsconfig.tsbuildinfo +1 -1
package/examples/__snapshots__/cloud-run-memory-limit.test.ts.snap +1335 -1952
package/examples/__snapshots__/cloud-run-meteor-with-worker.test.ts.snap +1319 -1928
package/examples/__snapshots__/cloud-run-no-cpu-throttling.test.ts.snap +1335 -1952
package/examples/__snapshots__/cloud-run-no-service.test.ts.snap +1387 -2004
package/examples/__snapshots__/cloud-run-non-public.test.ts.snap +1335 -1952
package/examples/__snapshots__/cloud-run-post-stop-job.test.ts.snap +1346 -1963
package/examples/__snapshots__/cloud-run-service-gen2.test.ts.snap +1335 -1952
package/examples/__snapshots__/cloud-run-service-increase-timout.test.ts.snap +1335 -1952
package/examples/__snapshots__/cloud-run-service-with-volumes.test.ts.snap +1379 -1996
package/examples/__snapshots__/cloud-run-storybook.test.ts.snap +1219 -1668
package/examples/__snapshots__/cloud-run-with-ngnix.test.ts.snap +1335 -1952
package/examples/__snapshots__/cloud-run-with-sql-reuse-db.test.ts.snap +2815 -3924
package/examples/__snapshots__/cloud-run-with-sql.test.ts.snap +2562 -3447
package/examples/__snapshots__/cloud-run-with-worker.test.ts.snap +1343 -1960
package/examples/__snapshots__/custom-build-job-with-tests.test.ts.snap +1190 -1780
package/examples/__snapshots__/custom-build-job.test.ts.snap +1079 -1480
package/examples/__snapshots__/custom-deploy.test.ts.snap +1101 -1718
package/examples/__snapshots__/custom-envs.test.ts.snap +707 -1172
package/examples/__snapshots__/custom-sbom-java.test.ts.snap +1087 -1488
package/examples/__snapshots__/git-submodule.test.ts.snap +1336 -1955
package/examples/__snapshots__/kubernetes-application-customization.test.ts.snap +1772 -2443
package/examples/__snapshots__/kubernetes-with-cloud-sql-legacy.test.ts.snap +1784 -2455
package/examples/__snapshots__/kubernetes-with-cloud-sql.test.ts.snap +1792 -2463
package/examples/__snapshots__/kubernetes-with-jobs.test.ts.snap +3342 -4547
package/examples/__snapshots__/kubernetes-with-mongodb.test.ts.snap +1896 -2567
package/examples/__snapshots__/local-dot-env.test.ts.snap +1335 -1952
package/examples/__snapshots__/meteor-kubernetes.test.ts.snap +1833 -2496
package/examples/__snapshots__/multiline-var.test.ts.snap +3295 -4406
package/examples/__snapshots__/native-app.test.ts.snap +2143 -3160
package/examples/__snapshots__/node-build-with-custom-image.test.ts.snap +1335 -1952
package/examples/__snapshots__/node-build-with-docker-additions.test.ts.snap +1343 -1960
package/examples/__snapshots__/rails-k8s-with-worker-dockerfile.test.ts.snap +1479 -2003
package/examples/__snapshots__/rails-k8s-with-worker.test.ts.snap +1464 -1988
package/examples/__snapshots__/wait-for-other-deploy.test.ts.snap +1273 -2102
package/examples/__utils__/helpers.ts +14 -1
package/examples/cloud-run-memory-limit.test.ts +4 -3
package/examples/cloud-run-meteor-with-worker.test.ts +4 -3
package/examples/cloud-run-no-cpu-throttling.test.ts +4 -3
package/examples/cloud-run-no-service.test.ts +4 -3
package/examples/cloud-run-non-public.test.ts +4 -3
package/examples/cloud-run-post-stop-job.test.ts +4 -3
package/examples/cloud-run-service-gen2.test.ts +4 -3
package/examples/cloud-run-service-increase-timout.test.ts +4 -3
package/examples/cloud-run-service-with-volumes.test.ts +4 -3
package/examples/cloud-run-storybook.test.ts +4 -3
package/examples/cloud-run-with-ngnix.test.ts +4 -3
package/examples/cloud-run-with-sql-reuse-db.test.ts +4 -3
package/examples/cloud-run-with-sql.test.ts +4 -3
package/examples/cloud-run-with-worker.test.ts +4 -3
package/examples/custom-build-job-with-tests.test.ts +4 -3
package/examples/custom-build-job.test.ts +4 -3
package/examples/custom-deploy.test.ts +4 -3
package/examples/custom-envs.test.ts +4 -3
package/examples/custom-sbom-java.test.ts +4 -3
package/examples/git-submodule.test.ts +4 -3
package/examples/kubernetes-application-customization.test.ts +4 -3
package/examples/kubernetes-with-cloud-sql-legacy.test.ts +4 -3
package/examples/kubernetes-with-cloud-sql.test.ts +4 -3
package/examples/kubernetes-with-jobs.test.ts +4 -3
package/examples/kubernetes-with-mongodb.test.ts +4 -3
package/examples/local-dot-env.test.ts +4 -3
package/examples/meteor-kubernetes.test.ts +4 -3
package/examples/multiline-var.test.ts +4 -3
package/examples/native-app.test.ts +4 -3
package/examples/node-build-with-custom-image.test.ts +4 -3
package/examples/node-build-with-docker-additions.test.ts +4 -3
package/examples/rails-k8s-with-worker-dockerfile.test.ts +2 -2
package/examples/rails-k8s-with-worker.test.ts +4 -3
package/examples/wait-for-other-deploy.test.ts +4 -3
package/package.json +4 -3
package/scripts/generate-examples-test.ts +7 -7
package/src/pipeline/generatePipelineFiles.ts +61 -36

package/examples/__snapshots__/rails-k8s-with-worker-dockerfile.test.ts.snap CHANGED Viewed

@@ -1,2011 +1,1487 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 exports[`matches snapshot with a Dockerfile 1`] = `
-{
-  "mainBranch": {
-    "image": "path/to/docker/jobs-default:the-version",
-    "jobs": {
-      "app ↩️ Rollback ⚠️ | dev ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "access",
-          "name": "dev/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="dev"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="dev"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.dev.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.dev.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.dev.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.dev.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-dev"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_dev_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_dev_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_dev_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-dev-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-dev-app" --server="$CL_dev_app_KUBE_URL" --certificate-authority <(echo $CL_dev_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-dev-app" --token="$CL_dev_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-dev-app" --cluster="kube-pan-test-app-dev-app" --user="kube-pan-test-app-dev-app" --namespace="pan-test-app-dev"",
-          "kubectl config use-context "kube-pan-test-app-dev-app"",
-          "kubernetesRollback",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.dev.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "rollback dev",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 👮 lint": {
-        "cache": {
-          "key": {
-            "files": [
-              "Gemfile.lock",
-            ],
-            "prefix": "$CI_JOB_IMAGE",
-          },
-          "paths": [
-            "tmp/cache",
-          ],
-        },
-        "image": "ruby:3.2.1",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "cd .",
-          "bundle config set path 'tmp/cache'",
-          "bundle install -j $(nproc)",
-          "bundle exec rubocop",
-        ],
-        "stage": "test",
-        "variables": {},
-      },
-      "app 🔨 docker | dev ": {
-        "image": "path/to/docker/docker-build:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export APP_DIR="."",
-          "export DOCKER_BUILD_CONTEXT="."",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="dev/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"",
-          "docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"",
-          "docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"",
-          "docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG",
-          "docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE",
-          "docker push $DOCKER_CACHE_IMAGE",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"",
-        ],
-        "services": [
-          {
-            "command": [
-              "--tls=false",
-            ],
-            "name": "docker:24.0.6-dind",
-          },
-        ],
-        "stage": "build",
-        "variables": {
-          "DOCKER_BUILDKIT": "1",
-          "DOCKER_DRIVER": "overlay2",
-          "DOCKER_HOST": "tcp://0.0.0.0:2375",
-          "DOCKER_TLS_CERTDIR": "",
-          "KUBERNETES_CPU_REQUEST": "0.45",
-          "KUBERNETES_MEMORY_LIMIT": "2Gi",
-          "KUBERNETES_MEMORY_REQUEST": "1Gi",
-        },
-      },
-      "app 🚀 Deploy | dev ": {
-        "allow_failure": false,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "auto_stop_in": "4 weeks",
-          "name": "dev/app",
-          "on_stop": "app 🛑 Stop ⚠️ | dev ",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [
-          {
-            "artifacts": false,
-            "job": "app 👮 lint",
-          },
-          {
-            "artifacts": false,
-            "job": "app 🔨 docker | dev ",
-          },
-          {
-            "artifacts": false,
-            "job": "app 🧪 test",
-          },
-          {
-            "artifacts": true,
-            "job": "app 🧾 sbom | dev ",
-          },
-          {
-            "artifacts": false,
-            "job": "app 🛡 audit",
-          },
-        ],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "on_success",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="dev"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="dev"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.dev.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.dev.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.dev.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.dev.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-dev"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_dev_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_dev_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_dev_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="dev/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "export RELEASE_NAME="pan-test-app-dev-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-dev-app" --server="$CL_dev_app_KUBE_URL" --certificate-authority <(echo $CL_dev_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-dev-app" --token="$CL_dev_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-dev-app" --cluster="kube-pan-test-app-dev-app" --user="kube-pan-test-app-dev-app" --namespace="pan-test-app-dev"",
-          "kubectl config use-context "kube-pan-test-app-dev-app"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"",
-          "cat > __all_values.yml <<EOF
-env:
-  secret:
-    SECRET_KEY_BASE: |-
-$(printf %s "$CL_dev_app_SECRET_KEY_BASE" | sed 's/^/      /')
-    POSTGRESQL_PASSWORD: |-
-$(printf %s "$CL_dev_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
-    cloudsqlProxyCredentials: |-
-$(printf %s "$CL_dev_app_cloudsqlProxyCredentials" | sed 's/^/      /')
-  public:
-    ENV_SHORT: |-
-      dev
-    APP_DIR: |-
-      .
-    ENV_TYPE: |-
-      dev
-    BUILD_INFO_BUILD_ID: |-
-$(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
-    BUILD_INFO_BUILD_TIME: |-
-$(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
-    BUILD_INFO_CURRENT_VERSION: |-
-$(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
-    ROOT_URL: |-
-      https://app.dev.test-app.pan.panter.cloud
-    HOST_INTERNAL: |-
-      app.dev.test-app.pan.panter.cloud
-    HOST_CANONICAL: |-
-      app.dev.test-app.pan.panter.cloud
-    ROOT_URL_INTERNAL: |-
-      https://app.dev.test-app.pan.panter.cloud
-    KUBE_NAMESPACE: |-
-      pan-test-app-dev
-    KUBE_APP_NAME: |-
-      app
-    KUBE_APP_NAME_PREFIX: ""
-    RAILS_ENV: |-
-      production
-    _ALL_ENV_VAR_KEYS: |-
-      ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
-application:
-  host: |-
-    app.dev.test-app.pan.panter.cloud
-  command: |-
-    /cnb/process/web
-  livenessProbe:
-    httpGet:
-      path: |-
-        __health
-  readinessProbe:
-    httpGet:
-      path: |-
-        __health
-  startupProbe:
-    httpGet:
-      path: |-
-        __health
-  worker:
-    enabled: true
-    command: |-
-      launcher bundle exec rake jobs:work
-    livenessProbe: false
-cloudsql:
-  enabled: true
-  dbUser: |-
-    postgres
-  instanceConnectionName: |-
-    some-project-id:europe-west6:pan-test-app-dev
-  proxyCredentials: |-
-    $CL_dev_app_cloudsqlProxyCredentials
-  fullDbName: |-
-    app
-  projectId: |-
-    some-project-id
-jobs:
-  db-migrate:
-    hook: |-
-      post-install,post-upgrade
-    command: |-
-      launcher bundle exec rake db:migrate
+"image: path/to/docker/jobs-default:the-version
+stages:
+  - setup
+  - setup dev
+  - setup review
+  - setup stage
+  - setup prod
+  - test
+  - test dev
+  - test review
+  - test stage
+  - test prod
+  - build
+  - build dev
+  - build review
+  - build stage
+  - build prod
+  - deploy
+  - deploy dev
+  - deploy review
+  - deploy stage
+  - deploy prod
+  - verify
+  - verify dev
+  - verify review
+  - verify stage
+  - verify prod
+  - rollback
+  - rollback dev
+  - rollback review
+  - rollback stage
+  - rollback prod
+  - stop
+  - stop dev
+  - stop review
+  - stop stage
+  - stop prod
+  - release
+variables:
+  FF_USE_FASTZIP: 'true'
+  ARTIFACT_COMPRESSION_LEVEL: fast
+  CACHE_COMPRESSION_LEVEL: fast
+  TRANSFER_METER_FREQUENCY: 5s
+  GIT_DEPTH: '1'
+app 🛡 audit:
+  stage: test
+  image: ruby:3.2.1
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - cd .
+    - gem install bundler-audit
+    - bundle audit check
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: &a1
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+  interruptible: true
+  allow_failure: true
+app 👮 lint:
+  stage: test
+  image: ruby:3.2.1
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - cd .
+    - bundle config set path 'tmp/cache'
+    - bundle install -j $(nproc)
+    - bundle exec rubocop
+  cache: &a2
+    key:
+      files:
+        - Gemfile.lock
+      prefix: $CI_JOB_IMAGE
+    paths:
+      - tmp/cache
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+app 🧪 test:
+  stage: test
+  image: ruby:3.2.1
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - cd .
+    - bundle config set path 'tmp/cache'
+    - bundle install -j $(nproc)
+    - bundle exec rspec
+  cache: *a2
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="."
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="dev/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+'app 🧾 sbom | dev ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" .
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="."
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_dev_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_dev_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_dev_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="dev/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-dev-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-dev-app" --server="$CL_dev_app_KUBE_URL" --certificate-authority <(echo $CL_dev_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-dev-app" --token="$CL_dev_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-dev-app" --cluster="kube-pan-test-app-dev-app" --user="kube-pan-test-app-dev-app" --namespace="pan-test-app-dev"
+    - kubectl config use-context "kube-pan-test-app-dev-app"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          SECRET_KEY_BASE: |-
+      $(printf %s "$CL_dev_app_SECRET_KEY_BASE" | sed 's/^/      /')
+          POSTGRESQL_PASSWORD: |-
+      $(printf %s "$CL_dev_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
+          cloudsqlProxyCredentials: |-
+      $(printf %s "$CL_dev_app_cloudsqlProxyCredentials" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            dev
+          APP_DIR: |-
+            .
+          ENV_TYPE: |-
+            dev
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          ROOT_URL: |-
+            https://app.dev.test-app.pan.panter.cloud
+          HOST_INTERNAL: |-
+            app.dev.test-app.pan.panter.cloud
+          HOST_CANONICAL: |-
+            app.dev.test-app.pan.panter.cloud
+          ROOT_URL_INTERNAL: |-
+            https://app.dev.test-app.pan.panter.cloud
+          KUBE_NAMESPACE: |-
+            pan-test-app-dev
+          KUBE_APP_NAME: |-
+            app
+          KUBE_APP_NAME_PREFIX: ""
+          RAILS_ENV: |-
+            production
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
+      application:
+        host: |-
+          app.dev.test-app.pan.panter.cloud
+        command: |-
+          /cnb/process/web
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+        worker:
+          enabled: true
+          command: |-
+            launcher bundle exec rake jobs:work
+          livenessProbe: false
+      cloudsql:
+        enabled: true
+        dbUser: |-
+          postgres
+        instanceConnectionName: |-
+          some-project-id:europe-west6:pan-test-app-dev
+        proxyCredentials: |-
+          $CL_dev_app_cloudsqlProxyCredentials
+        fullDbName: |-
+          app
+        projectId: |-
+          some-project-id
+      jobs:
+        db-migrate:
+          hook: |-
+            post-install,post-upgrade
+          command: |-
+            launcher bundle exec rake db:migrate
-EOF
-",
-          "echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"",
-          "kubernetesCreateSecret",
-          "kubernetesDeploy",
-          "echo 'Uploading SBOM to Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://app.dev.test-app.pan.panter.cloud" "__sbom.json" vex.json || true",
-          "echo deployment successful 😻",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.dev.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "deploy dev",
-        "variables": {
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🛑 Stop ⚠️ | dev ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "stop",
-          "name": "dev/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/",
-            "when": "on_success",
-          },
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="dev"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="dev"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.dev.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.dev.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.dev.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.dev.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-dev"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_dev_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_dev_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_dev_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-dev-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-dev-app" --server="$CL_dev_app_KUBE_URL" --certificate-authority <(echo $CL_dev_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-dev-app" --token="$CL_dev_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-dev-app" --cluster="kube-pan-test-app-dev-app" --user="kube-pan-test-app-dev-app" --namespace="pan-test-app-dev"",
-          "kubectl config use-context "kube-pan-test-app-dev-app"",
-          "kubernetesDelete",
-          "echo 'Disabling component in Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://app.dev.test-app.pan.panter.cloud" || true",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.dev.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "stop dev",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🛡 audit": {
-        "allow_failure": true,
-        "image": "ruby:3.2.1",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "cd .",
-          "gem install bundler-audit",
-          "bundle audit check",
-        ],
-        "stage": "test",
-        "variables": {},
-      },
-      "app 🧪 test": {
-        "cache": {
-          "key": {
-            "files": [
-              "Gemfile.lock",
-            ],
-            "prefix": "$CI_JOB_IMAGE",
-          },
-          "paths": [
-            "tmp/cache",
-          ],
-        },
-        "image": "ruby:3.2.1",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "cd .",
-          "bundle config set path 'tmp/cache'",
-          "bundle install -j $(nproc)",
-          "bundle exec rspec",
-        ],
-        "stage": "test",
-        "variables": {},
-      },
-      "app 🧾 sbom | dev ": {
-        "allow_failure": true,
-        "artifacts": {
-          "paths": [
-            "__sbom.json",
-          ],
-        },
-        "image": "aquasec/trivy:0.38.3",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "trivy fs --quiet --format cyclonedx --output "__sbom.json" .",
-        ],
-        "stage": "build",
-        "variables": {},
-      },
-    },
-    "stages": [
-      "setup",
-      "setup dev",
-      "setup review",
-      "setup stage",
-      "setup prod",
-      "test",
-      "test dev",
-      "test review",
-      "test stage",
-      "test prod",
-      "build",
-      "build dev",
-      "build review",
-      "build stage",
-      "build prod",
-      "deploy",
-      "deploy dev",
-      "deploy review",
-      "deploy stage",
-      "deploy prod",
-      "verify",
-      "verify dev",
-      "verify review",
-      "verify stage",
-      "verify prod",
-      "rollback",
-      "rollback dev",
-      "rollback review",
-      "rollback stage",
-      "rollback prod",
-      "stop",
-      "stop dev",
-      "stop review",
-      "stop stage",
-      "stop prod",
-    ],
-    "variables": {
-      "ARTIFACT_COMPRESSION_LEVEL": "fast",
-      "CACHE_COMPRESSION_LEVEL": "fast",
-      "FF_USE_FASTZIP": "true",
-      "GIT_DEPTH": "1",
-      "TRANSFER_METER_FREQUENCY": "5s",
-    },
-    "workflow": {
-      "rules": [
-        {
-          "if": "$CI_COMMIT_TAG",
-        },
-        {
-          "if": "$CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/",
-          "when": "never",
-        },
-        {
-          "if": "$CI_PIPELINE_SOURCE  == "schedule"",
-          "when": "never",
-        },
-        {
-          "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/",
-        },
-        {
-          "if": "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH",
-        },
-        {
-          "if": "$CI_MERGE_REQUEST_ID",
-        },
-      ],
-    },
-  },
-  "mr": {
-    "image": "path/to/docker/jobs-default:the-version",
-    "jobs": {
-      "app ↩️ Rollback ⚠️ | review ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "access",
-          "name": "review/$CI_COMMIT_REF_NAME/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="review"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="review"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-review"",
-          "export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"",
-          "export SECRET_KEY_BASE="$CL_review_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_review_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_review_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --server="$CL_review_app_KUBE_URL" --certificate-authority <(echo $CL_review_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --token="$CL_review_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --namespace="pan-test-app-review"",
-          "kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "kubernetesRollback",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "rollback review",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 👮 lint": {
-        "cache": {
-          "key": {
-            "files": [
-              "Gemfile.lock",
-            ],
-            "prefix": "$CI_JOB_IMAGE",
-          },
-          "paths": [
-            "tmp/cache",
-          ],
-        },
-        "image": "ruby:3.2.1",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "cd .",
-          "bundle config set path 'tmp/cache'",
-          "bundle install -j $(nproc)",
-          "bundle exec rubocop",
-        ],
-        "stage": "test",
-        "variables": {},
-      },
-      "app 🔨 docker | review ": {
-        "image": "path/to/docker/docker-build:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export APP_DIR="."",
-          "export DOCKER_BUILD_CONTEXT="."",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="review/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"",
-          "docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"",
-          "docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"",
-          "docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG",
-          "docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE",
-          "docker push $DOCKER_CACHE_IMAGE",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"",
-        ],
-        "services": [
-          {
-            "command": [
-              "--tls=false",
-            ],
-            "name": "docker:24.0.6-dind",
-          },
-        ],
-        "stage": "build",
-        "variables": {
-          "DOCKER_BUILDKIT": "1",
-          "DOCKER_DRIVER": "overlay2",
-          "DOCKER_HOST": "tcp://0.0.0.0:2375",
-          "DOCKER_TLS_CERTDIR": "",
-          "KUBERNETES_CPU_REQUEST": "0.45",
-          "KUBERNETES_MEMORY_LIMIT": "2Gi",
-          "KUBERNETES_MEMORY_REQUEST": "1Gi",
-        },
-      },
-      "app 🚀 Deploy | review ": {
-        "allow_failure": false,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "auto_stop_in": "1 week",
-          "name": "review/$CI_COMMIT_REF_NAME/app",
-          "on_stop": "app 🛑 Stop ⚠️ | review ",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [
-          {
-            "artifacts": false,
-            "job": "app 👮 lint",
-          },
-          {
-            "artifacts": false,
-            "job": "app 🔨 docker | review ",
-          },
-          {
-            "artifacts": false,
-            "job": "app 🧪 test",
-          },
-          {
-            "artifacts": true,
-            "job": "app 🧾 sbom | review ",
-          },
-          {
-            "artifacts": false,
-            "job": "app 🛡 audit",
-          },
-        ],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "on_success",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="review"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="review"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-review"",
-          "export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"",
-          "export SECRET_KEY_BASE="$CL_review_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_review_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_review_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="review/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --server="$CL_review_app_KUBE_URL" --certificate-authority <(echo $CL_review_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --token="$CL_review_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --namespace="pan-test-app-review"",
-          "kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"",
-          "cat > __all_values.yml <<EOF
-env:
-  secret:
-    SECRET_KEY_BASE: |-
-$(printf %s "$CL_review_app_SECRET_KEY_BASE" | sed 's/^/      /')
-    POSTGRESQL_PASSWORD: |-
-$(printf %s "$CL_review_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
-    cloudsqlProxyCredentials: |-
-$(printf %s "$CL_review_app_cloudsqlProxyCredentials" | sed 's/^/      /')
-  public:
-    ENV_SHORT: |-
-      review
-    APP_DIR: |-
-      .
-    ENV_TYPE: |-
-      review
-    BUILD_INFO_BUILD_ID: |-
-$(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
-    BUILD_INFO_BUILD_TIME: |-
-$(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
-    BUILD_INFO_CURRENT_VERSION: |-
-$(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
-    ROOT_URL: |-
-$(printf %s "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
-    HOST_INTERNAL: |-
-$(printf %s "app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
-    HOST_CANONICAL: |-
-$(printf %s "app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
-    ROOT_URL_INTERNAL: |-
-$(printf %s "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
-    KUBE_NAMESPACE: |-
-      pan-test-app-review
-    KUBE_APP_NAME: |-
-$(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" | sed 's/^/      /')
-    KUBE_APP_NAME_PREFIX: |-
-$(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-" | sed 's/^/      /')
-    RAILS_ENV: |-
-      production
-    _ALL_ENV_VAR_KEYS: |-
-      ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
-application:
-  host: |-
-$(printf %s "app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/    /')
-  command: |-
-    /cnb/process/web
-  livenessProbe:
-    httpGet:
-      path: |-
-        __health
-  readinessProbe:
-    httpGet:
-      path: |-
-        __health
-  startupProbe:
-    httpGet:
-      path: |-
-        __health
-  worker:
-    enabled: true
-    command: |-
-      launcher bundle exec rake jobs:work
-    livenessProbe: false
-cloudsql:
-  enabled: true
-  dbUser: |-
-    postgres
-  instanceConnectionName: |-
-    some-project-id:europe-west6:pan-test-app-review
-  proxyCredentials: |-
-    $CL_review_app_cloudsqlProxyCredentials
-  fullDbName: |-
-$(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" | sed 's/^/    /')
-  projectId: |-
-    some-project-id
-jobs:
-  db-migrate:
-    hook: |-
-      post-upgrade
-    command: |-
-      launcher bundle exec rake db:migrate
-  db-prepare-seed:
-    hook: |-
-      post-install
-    command: |-
-      launcher bundle exec rake db:prepare db:seed
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://app.dev.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.dev.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: dev/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - job: app 👮 lint
+      artifacts: false
+    - job: 'app 🔨 docker | dev '
+      artifacts: false
+    - job: app 🧪 test
+      artifacts: false
+    - job: 'app 🧾 sbom | dev '
+      artifacts: true
+    - job: app 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="."
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_dev_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_dev_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_dev_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-dev-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-dev-app" --server="$CL_dev_app_KUBE_URL" --certificate-authority <(echo $CL_dev_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-dev-app" --token="$CL_dev_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-dev-app" --cluster="kube-pan-test-app-dev-app" --user="kube-pan-test-app-dev-app" --namespace="pan-test-app-dev"
+    - kubectl config use-context "kube-pan-test-app-dev-app"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://app.dev.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.dev.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: dev/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app ↩️ Rollback ⚠️ | dev ':
+  stage: rollback dev
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="."
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_dev_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_dev_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_dev_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-dev-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-dev-app" --server="$CL_dev_app_KUBE_URL" --certificate-authority <(echo $CL_dev_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-dev-app" --token="$CL_dev_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-dev-app" --cluster="kube-pan-test-app-dev-app" --user="kube-pan-test-app-dev-app" --namespace="pan-test-app-dev"
+    - kubectl config use-context "kube-pan-test-app-dev-app"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.dev.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: dev/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="."
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="review/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app 🧾 sbom | review ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" .
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="."
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export SECRET_KEY_BASE="$CL_review_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_review_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_review_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="review/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --server="$CL_review_app_KUBE_URL" --certificate-authority <(echo $CL_review_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --token="$CL_review_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --namespace="pan-test-app-review"
+    - kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          SECRET_KEY_BASE: |-
+      $(printf %s "$CL_review_app_SECRET_KEY_BASE" | sed 's/^/      /')
+          POSTGRESQL_PASSWORD: |-
+      $(printf %s "$CL_review_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
+          cloudsqlProxyCredentials: |-
+      $(printf %s "$CL_review_app_cloudsqlProxyCredentials" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            review
+          APP_DIR: |-
+            .
+          ENV_TYPE: |-
+            review
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          ROOT_URL: |-
+      $(printf %s "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          HOST_INTERNAL: |-
+      $(printf %s "app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          HOST_CANONICAL: |-
+      $(printf %s "app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          ROOT_URL_INTERNAL: |-
+      $(printf %s "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          KUBE_NAMESPACE: |-
+            pan-test-app-review
+          KUBE_APP_NAME: |-
+      $(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" | sed 's/^/      /')
+          KUBE_APP_NAME_PREFIX: |-
+      $(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-" | sed 's/^/      /')
+          RAILS_ENV: |-
+            production
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
+      application:
+        host: |-
+      $(printf %s "app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/    /')
+        command: |-
+          /cnb/process/web
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+        worker:
+          enabled: true
+          command: |-
+            launcher bundle exec rake jobs:work
+          livenessProbe: false
+      cloudsql:
+        enabled: true
+        dbUser: |-
+          postgres
+        instanceConnectionName: |-
+          some-project-id:europe-west6:pan-test-app-review
+        proxyCredentials: |-
+          $CL_review_app_cloudsqlProxyCredentials
+        fullDbName: |-
+      $(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" | sed 's/^/    /')
+        projectId: |-
+          some-project-id
+      jobs:
+        db-migrate:
+          hook: |-
+            post-upgrade
+          command: |-
+            launcher bundle exec rake db:migrate
+        db-prepare-seed:
+          hook: |-
+            post-install
+          command: |-
+            launcher bundle exec rake db:prepare db:seed
-EOF
-",
-          "echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"",
-          "kubernetesCreateSecret",
-          "kubernetesDeploy",
-          "echo 'Uploading SBOM to Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" "__sbom.json" vex.json || true",
-          "echo deployment successful 😻",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "deploy review",
-        "variables": {
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🛑 Stop ⚠️ | review ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "stop",
-          "name": "review/$CI_COMMIT_REF_NAME/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/",
-            "when": "on_success",
-          },
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="review"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="review"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-review"",
-          "export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"",
-          "export SECRET_KEY_BASE="$CL_review_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_review_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_review_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --server="$CL_review_app_KUBE_URL" --certificate-authority <(echo $CL_review_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --token="$CL_review_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --namespace="pan-test-app-review"",
-          "kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"",
-          "kubernetesDelete",
-          "echo 'Disabling component in Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" || true",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "stop review",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🛡 audit": {
-        "allow_failure": true,
-        "image": "ruby:3.2.1",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "cd .",
-          "gem install bundler-audit",
-          "bundle audit check",
-        ],
-        "stage": "test",
-        "variables": {},
-      },
-      "app 🧪 test": {
-        "cache": {
-          "key": {
-            "files": [
-              "Gemfile.lock",
-            ],
-            "prefix": "$CI_JOB_IMAGE",
-          },
-          "paths": [
-            "tmp/cache",
-          ],
-        },
-        "image": "ruby:3.2.1",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "cd .",
-          "bundle config set path 'tmp/cache'",
-          "bundle install -j $(nproc)",
-          "bundle exec rspec",
-        ],
-        "stage": "test",
-        "variables": {},
-      },
-      "app 🧾 sbom | review ": {
-        "allow_failure": true,
-        "artifacts": {
-          "paths": [
-            "__sbom.json",
-          ],
-        },
-        "image": "aquasec/trivy:0.38.3",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "trivy fs --quiet --format cyclonedx --output "__sbom.json" .",
-        ],
-        "stage": "build",
-        "variables": {},
-      },
-    },
-    "stages": [
-      "setup",
-      "setup dev",
-      "setup review",
-      "setup stage",
-      "setup prod",
-      "test",
-      "test dev",
-      "test review",
-      "test stage",
-      "test prod",
-      "build",
-      "build dev",
-      "build review",
-      "build stage",
-      "build prod",
-      "deploy",
-      "deploy dev",
-      "deploy review",
-      "deploy stage",
-      "deploy prod",
-      "verify",
-      "verify dev",
-      "verify review",
-      "verify stage",
-      "verify prod",
-      "rollback",
-      "rollback dev",
-      "rollback review",
-      "rollback stage",
-      "rollback prod",
-      "stop",
-      "stop dev",
-      "stop review",
-      "stop stage",
-      "stop prod",
-    ],
-    "variables": {
-      "ARTIFACT_COMPRESSION_LEVEL": "fast",
-      "CACHE_COMPRESSION_LEVEL": "fast",
-      "FF_USE_FASTZIP": "true",
-      "GIT_DEPTH": "1",
-      "TRANSFER_METER_FREQUENCY": "5s",
-    },
-    "workflow": {
-      "rules": [
-        {
-          "if": "$CI_COMMIT_TAG",
-        },
-        {
-          "if": "$CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/",
-          "when": "never",
-        },
-        {
-          "if": "$CI_PIPELINE_SOURCE  == "schedule"",
-          "when": "never",
-        },
-        {
-          "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/",
-        },
-        {
-          "if": "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH",
-        },
-        {
-          "if": "$CI_MERGE_REQUEST_ID",
-        },
-      ],
-    },
-  },
-  "taggedRelease": {
-    "image": "path/to/docker/jobs-default:the-version",
-    "jobs": {
-      "app ↩️ Rollback ⚠️ | prod ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "access",
-          "name": "prod/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="prod"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="prod"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://my-fancy-website.com"",
-          "export HOST_INTERNAL="app.prod.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.prod.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.prod.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-prod"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_prod_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_prod_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_prod_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-prod-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-prod-app" --server="$CL_prod_app_KUBE_URL" --certificate-authority <(echo $CL_prod_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-prod-app" --token="$CL_prod_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-prod-app" --cluster="kube-pan-test-app-prod-app" --user="kube-pan-test-app-prod-app" --namespace="pan-test-app-prod"",
-          "kubectl config use-context "kube-pan-test-app-prod-app"",
-          "kubernetesRollback",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://my-fancy-website.com" >> gitlab_environment.env",
-        ],
-        "stage": "rollback prod",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app ↩️ Rollback ⚠️ | stage ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "access",
-          "name": "stage/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="stage"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="stage"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.stage.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.stage.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.stage.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.stage.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-stage"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_stage_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_stage_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_stage_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-stage-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-stage-app" --server="$CL_stage_app_KUBE_URL" --certificate-authority <(echo $CL_stage_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-stage-app" --token="$CL_stage_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-stage-app" --cluster="kube-pan-test-app-stage-app" --user="kube-pan-test-app-stage-app" --namespace="pan-test-app-stage"",
-          "kubectl config use-context "kube-pan-test-app-stage-app"",
-          "kubernetesRollback",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.stage.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "rollback stage",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🔨 docker | prod ": {
-        "image": "path/to/docker/docker-build:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export APP_DIR="."",
-          "export DOCKER_BUILD_CONTEXT="."",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="prod/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"",
-          "docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"",
-          "docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"",
-          "docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG",
-          "docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE",
-          "docker push $DOCKER_CACHE_IMAGE",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"",
-        ],
-        "services": [
-          {
-            "command": [
-              "--tls=false",
-            ],
-            "name": "docker:24.0.6-dind",
-          },
-        ],
-        "stage": "build",
-        "variables": {
-          "DOCKER_BUILDKIT": "1",
-          "DOCKER_DRIVER": "overlay2",
-          "DOCKER_HOST": "tcp://0.0.0.0:2375",
-          "DOCKER_TLS_CERTDIR": "",
-          "KUBERNETES_CPU_REQUEST": "0.45",
-          "KUBERNETES_MEMORY_LIMIT": "2Gi",
-          "KUBERNETES_MEMORY_REQUEST": "1Gi",
-        },
-      },
-      "app 🔨 docker | stage ": {
-        "image": "path/to/docker/docker-build:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export APP_DIR="."",
-          "export DOCKER_BUILD_CONTEXT="."",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="stage/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"",
-          "docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"",
-          "docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"",
-          "docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG",
-          "docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE",
-          "docker push $DOCKER_CACHE_IMAGE",
-          "echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"",
-        ],
-        "services": [
-          {
-            "command": [
-              "--tls=false",
-            ],
-            "name": "docker:24.0.6-dind",
-          },
-        ],
-        "stage": "build",
-        "variables": {
-          "DOCKER_BUILDKIT": "1",
-          "DOCKER_DRIVER": "overlay2",
-          "DOCKER_HOST": "tcp://0.0.0.0:2375",
-          "DOCKER_TLS_CERTDIR": "",
-          "KUBERNETES_CPU_REQUEST": "0.45",
-          "KUBERNETES_MEMORY_LIMIT": "2Gi",
-          "KUBERNETES_MEMORY_REQUEST": "1Gi",
-        },
-      },
-      "app 🚀 Deploy | prod ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "auto_stop_in": undefined,
-          "name": "prod/app",
-          "on_stop": "app 🛑 Stop ⚠️ | prod ",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [
-          {
-            "artifacts": false,
-            "job": "app 🔨 docker | prod ",
-          },
-          {
-            "artifacts": true,
-            "job": "app 🧾 sbom | prod ",
-          },
-        ],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="prod"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="prod"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://my-fancy-website.com"",
-          "export HOST_INTERNAL="app.prod.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.prod.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.prod.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-prod"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_prod_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_prod_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_prod_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="prod/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "export RELEASE_NAME="pan-test-app-prod-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-prod-app" --server="$CL_prod_app_KUBE_URL" --certificate-authority <(echo $CL_prod_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-prod-app" --token="$CL_prod_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-prod-app" --cluster="kube-pan-test-app-prod-app" --user="kube-pan-test-app-prod-app" --namespace="pan-test-app-prod"",
-          "kubectl config use-context "kube-pan-test-app-prod-app"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"",
-          "cat > __all_values.yml <<EOF
-env:
-  secret:
-    SECRET_KEY_BASE: |-
-$(printf %s "$CL_prod_app_SECRET_KEY_BASE" | sed 's/^/      /')
-    POSTGRESQL_PASSWORD: |-
-$(printf %s "$CL_prod_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
-    cloudsqlProxyCredentials: |-
-$(printf %s "$CL_prod_app_cloudsqlProxyCredentials" | sed 's/^/      /')
-  public:
-    ENV_SHORT: |-
-      prod
-    APP_DIR: |-
-      .
-    ENV_TYPE: |-
-      prod
-    BUILD_INFO_BUILD_ID: |-
-$(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
-    BUILD_INFO_BUILD_TIME: |-
-$(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
-    BUILD_INFO_CURRENT_VERSION: |-
-$(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
-    ROOT_URL: |-
-      https://my-fancy-website.com
-    HOST_INTERNAL: |-
-      app.prod.test-app.pan.panter.cloud
-    HOST_CANONICAL: |-
-      app.prod.test-app.pan.panter.cloud
-    ROOT_URL_INTERNAL: |-
-      https://app.prod.test-app.pan.panter.cloud
-    KUBE_NAMESPACE: |-
-      pan-test-app-prod
-    KUBE_APP_NAME: |-
-      app
-    KUBE_APP_NAME_PREFIX: ""
-    RAILS_ENV: |-
-      production
-    _ALL_ENV_VAR_KEYS: |-
-      ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
-application:
-  host: |-
-    my-fancy-website.com
-  command: |-
-    /cnb/process/web
-  livenessProbe:
-    httpGet:
-      path: |-
-        __health
-  readinessProbe:
-    httpGet:
-      path: |-
-        __health
-  startupProbe:
-    httpGet:
-      path: |-
-        __health
-  worker:
-    enabled: true
-    command: |-
-      launcher bundle exec rake jobs:work
-    livenessProbe: false
-cloudsql:
-  enabled: true
-  dbUser: |-
-    postgres
-  instanceConnectionName: |-
-    some-project-id:europe-west6:pan-test-app-prod
-  proxyCredentials: |-
-    $CL_prod_app_cloudsqlProxyCredentials
-  fullDbName: |-
-    app
-  projectId: |-
-    some-project-id
-jobs:
-  db-migrate:
-    hook: |-
-      post-install,post-upgrade
-    command: |-
-      launcher bundle exec rake db:migrate
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: app 👮 lint
+      artifacts: false
+    - job: 'app 🔨 docker | review '
+      artifacts: false
+    - job: app 🧪 test
+      artifacts: false
+    - job: 'app 🧾 sbom | review '
+      artifacts: true
+    - job: app 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="."
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export SECRET_KEY_BASE="$CL_review_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_review_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_review_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --server="$CL_review_app_KUBE_URL" --certificate-authority <(echo $CL_review_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --token="$CL_review_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --namespace="pan-test-app-review"
+    - kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app ↩️ Rollback ⚠️ | review ':
+  stage: rollback review
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="."
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export SECRET_KEY_BASE="$CL_review_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_review_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_review_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --server="$CL_review_app_KUBE_URL" --certificate-authority <(echo $CL_review_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --token="$CL_review_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app" --namespace="pan-test-app-review"
+    - kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="."
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="stage/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app 🧾 sbom | stage ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" .
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="."
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_stage_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_stage_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_stage_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="stage/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-stage-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-stage-app" --server="$CL_stage_app_KUBE_URL" --certificate-authority <(echo $CL_stage_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-stage-app" --token="$CL_stage_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-stage-app" --cluster="kube-pan-test-app-stage-app" --user="kube-pan-test-app-stage-app" --namespace="pan-test-app-stage"
+    - kubectl config use-context "kube-pan-test-app-stage-app"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          SECRET_KEY_BASE: |-
+      $(printf %s "$CL_stage_app_SECRET_KEY_BASE" | sed 's/^/      /')
+          POSTGRESQL_PASSWORD: |-
+      $(printf %s "$CL_stage_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
+          cloudsqlProxyCredentials: |-
+      $(printf %s "$CL_stage_app_cloudsqlProxyCredentials" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            stage
+          APP_DIR: |-
+            .
+          ENV_TYPE: |-
+            stage
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          ROOT_URL: |-
+            https://app.stage.test-app.pan.panter.cloud
+          HOST_INTERNAL: |-
+            app.stage.test-app.pan.panter.cloud
+          HOST_CANONICAL: |-
+            app.stage.test-app.pan.panter.cloud
+          ROOT_URL_INTERNAL: |-
+            https://app.stage.test-app.pan.panter.cloud
+          KUBE_NAMESPACE: |-
+            pan-test-app-stage
+          KUBE_APP_NAME: |-
+            app
+          KUBE_APP_NAME_PREFIX: ""
+          RAILS_ENV: |-
+            production
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
+      application:
+        host: |-
+          app.stage.test-app.pan.panter.cloud
+        command: |-
+          /cnb/process/web
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+        worker:
+          enabled: true
+          command: |-
+            launcher bundle exec rake jobs:work
+          livenessProbe: false
+      cloudsql:
+        enabled: true
+        dbUser: |-
+          postgres
+        instanceConnectionName: |-
+          some-project-id:europe-west6:pan-test-app-stage
+        proxyCredentials: |-
+          $CL_stage_app_cloudsqlProxyCredentials
+        fullDbName: |-
+          app
+        projectId: |-
+          some-project-id
+      jobs:
+        db-migrate:
+          hook: |-
+            post-install,post-upgrade
+          command: |-
+            launcher bundle exec rake db:migrate
-EOF
-",
-          "echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"",
-          "kubernetesCreateSecret",
-          "kubernetesDeploy",
-          "echo 'Uploading SBOM to Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://my-fancy-website.com" "__sbom.json" vex.json || true",
-          "echo deployment successful 😻",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://my-fancy-website.com" >> gitlab_environment.env",
-        ],
-        "stage": "deploy prod",
-        "variables": {
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🚀 Deploy | stage ": {
-        "allow_failure": false,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "auto_stop_in": undefined,
-          "name": "stage/app",
-          "on_stop": "app 🛑 Stop ⚠️ | stage ",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [
-          {
-            "artifacts": false,
-            "job": "app 🔨 docker | stage ",
-          },
-          {
-            "artifacts": true,
-            "job": "app 🧾 sbom | stage ",
-          },
-        ],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "when": "on_success",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="stage"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="stage"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.stage.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.stage.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.stage.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.stage.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-stage"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_stage_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_stage_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_stage_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export DOCKER_REGISTRY="$CI_REGISTRY"",
-          "export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"",
-          "export DOCKER_IMAGE_NAME="stage/app"",
-          "export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"",
-          "export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"",
-          "export RELEASE_NAME="pan-test-app-stage-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-stage-app" --server="$CL_stage_app_KUBE_URL" --certificate-authority <(echo $CL_stage_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-stage-app" --token="$CL_stage_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-stage-app" --cluster="kube-pan-test-app-stage-app" --user="kube-pan-test-app-stage-app" --namespace="pan-test-app-stage"",
-          "kubectl config use-context "kube-pan-test-app-stage-app"",
-          "echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"",
-          "cat > __all_values.yml <<EOF
-env:
-  secret:
-    SECRET_KEY_BASE: |-
-$(printf %s "$CL_stage_app_SECRET_KEY_BASE" | sed 's/^/      /')
-    POSTGRESQL_PASSWORD: |-
-$(printf %s "$CL_stage_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
-    cloudsqlProxyCredentials: |-
-$(printf %s "$CL_stage_app_cloudsqlProxyCredentials" | sed 's/^/      /')
-  public:
-    ENV_SHORT: |-
-      stage
-    APP_DIR: |-
-      .
-    ENV_TYPE: |-
-      stage
-    BUILD_INFO_BUILD_ID: |-
-$(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
-    BUILD_INFO_BUILD_TIME: |-
-$(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
-    BUILD_INFO_CURRENT_VERSION: |-
-$(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
-    ROOT_URL: |-
-      https://app.stage.test-app.pan.panter.cloud
-    HOST_INTERNAL: |-
-      app.stage.test-app.pan.panter.cloud
-    HOST_CANONICAL: |-
-      app.stage.test-app.pan.panter.cloud
-    ROOT_URL_INTERNAL: |-
-      https://app.stage.test-app.pan.panter.cloud
-    KUBE_NAMESPACE: |-
-      pan-test-app-stage
-    KUBE_APP_NAME: |-
-      app
-    KUBE_APP_NAME_PREFIX: ""
-    RAILS_ENV: |-
-      production
-    _ALL_ENV_VAR_KEYS: |-
-      ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
-application:
-  host: |-
-    app.stage.test-app.pan.panter.cloud
-  command: |-
-    /cnb/process/web
-  livenessProbe:
-    httpGet:
-      path: |-
-        __health
-  readinessProbe:
-    httpGet:
-      path: |-
-        __health
-  startupProbe:
-    httpGet:
-      path: |-
-        __health
-  worker:
-    enabled: true
-    command: |-
-      launcher bundle exec rake jobs:work
-    livenessProbe: false
-cloudsql:
-  enabled: true
-  dbUser: |-
-    postgres
-  instanceConnectionName: |-
-    some-project-id:europe-west6:pan-test-app-stage
-  proxyCredentials: |-
-    $CL_stage_app_cloudsqlProxyCredentials
-  fullDbName: |-
-    app
-  projectId: |-
-    some-project-id
-jobs:
-  db-migrate:
-    hook: |-
-      post-install,post-upgrade
-    command: |-
-      launcher bundle exec rake db:migrate
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://app.stage.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.stage.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: stage/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app 🔨 docker | stage '
+      artifacts: false
+    - job: 'app 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="."
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_stage_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_stage_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_stage_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-stage-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-stage-app" --server="$CL_stage_app_KUBE_URL" --certificate-authority <(echo $CL_stage_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-stage-app" --token="$CL_stage_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-stage-app" --cluster="kube-pan-test-app-stage-app" --user="kube-pan-test-app-stage-app" --namespace="pan-test-app-stage"
+    - kubectl config use-context "kube-pan-test-app-stage-app"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://app.stage.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.stage.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: stage/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app ↩️ Rollback ⚠️ | stage ':
+  stage: rollback stage
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="."
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://app.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_stage_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_stage_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_stage_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-stage-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-stage-app" --server="$CL_stage_app_KUBE_URL" --certificate-authority <(echo $CL_stage_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-stage-app" --token="$CL_stage_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-stage-app" --cluster="kube-pan-test-app-stage-app" --user="kube-pan-test-app-stage-app" --namespace="pan-test-app-stage"
+    - kubectl config use-context "kube-pan-test-app-stage-app"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app.stage.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: stage/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="."
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="prod/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app 🧾 sbom | prod ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" .
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="."
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://my-fancy-website.com"
+    - export HOST_INTERNAL="app.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_prod_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_prod_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_prod_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app"
+    - export DOCKER_IMAGE_NAME="prod/app"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-prod-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-prod-app" --server="$CL_prod_app_KUBE_URL" --certificate-authority <(echo $CL_prod_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-prod-app" --token="$CL_prod_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-prod-app" --cluster="kube-pan-test-app-prod-app" --user="kube-pan-test-app-prod-app" --namespace="pan-test-app-prod"
+    - kubectl config use-context "kube-pan-test-app-prod-app"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          SECRET_KEY_BASE: |-
+      $(printf %s "$CL_prod_app_SECRET_KEY_BASE" | sed 's/^/      /')
+          POSTGRESQL_PASSWORD: |-
+      $(printf %s "$CL_prod_app_POSTGRESQL_PASSWORD" | sed 's/^/      /')
+          cloudsqlProxyCredentials: |-
+      $(printf %s "$CL_prod_app_cloudsqlProxyCredentials" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            prod
+          APP_DIR: |-
+            .
+          ENV_TYPE: |-
+            prod
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          ROOT_URL: |-
+            https://my-fancy-website.com
+          HOST_INTERNAL: |-
+            app.prod.test-app.pan.panter.cloud
+          HOST_CANONICAL: |-
+            app.prod.test-app.pan.panter.cloud
+          ROOT_URL_INTERNAL: |-
+            https://app.prod.test-app.pan.panter.cloud
+          KUBE_NAMESPACE: |-
+            pan-test-app-prod
+          KUBE_APP_NAME: |-
+            app
+          KUBE_APP_NAME_PREFIX: ""
+          RAILS_ENV: |-
+            production
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","SECRET_KEY_BASE","POSTGRESQL_PASSWORD","cloudsqlProxyCredentials","RAILS_ENV"]
+      application:
+        host: |-
+          my-fancy-website.com
+        command: |-
+          /cnb/process/web
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+        worker:
+          enabled: true
+          command: |-
+            launcher bundle exec rake jobs:work
+          livenessProbe: false
+      cloudsql:
+        enabled: true
+        dbUser: |-
+          postgres
+        instanceConnectionName: |-
+          some-project-id:europe-west6:pan-test-app-prod
+        proxyCredentials: |-
+          $CL_prod_app_cloudsqlProxyCredentials
+        fullDbName: |-
+          app
+        projectId: |-
+          some-project-id
+      jobs:
+        db-migrate:
+          hook: |-
+            post-install,post-upgrade
+          command: |-
+            launcher bundle exec rake db:migrate
-EOF
-",
-          "echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"",
-          "kubernetesCreateSecret",
-          "kubernetesDeploy",
-          "echo 'Uploading SBOM to Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://app.stage.test-app.pan.panter.cloud" "__sbom.json" vex.json || true",
-          "echo deployment successful 😻",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.stage.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "deploy stage",
-        "variables": {
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🛑 Stop ⚠️ | prod ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "stop",
-          "name": "prod/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/",
-            "when": "on_success",
-          },
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="prod"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="prod"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://my-fancy-website.com"",
-          "export HOST_INTERNAL="app.prod.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.prod.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.prod.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-prod"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_prod_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_prod_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_prod_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-prod-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-prod-app" --server="$CL_prod_app_KUBE_URL" --certificate-authority <(echo $CL_prod_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-prod-app" --token="$CL_prod_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-prod-app" --cluster="kube-pan-test-app-prod-app" --user="kube-pan-test-app-prod-app" --namespace="pan-test-app-prod"",
-          "kubectl config use-context "kube-pan-test-app-prod-app"",
-          "kubernetesDelete",
-          "echo 'Disabling component in Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://my-fancy-website.com" || true",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://my-fancy-website.com" >> gitlab_environment.env",
-        ],
-        "stage": "stop prod",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🛑 Stop ⚠️ | stage ": {
-        "allow_failure": true,
-        "artifacts": {
-          "reports": {
-            "dotenv": "gitlab_environment.env",
-          },
-        },
-        "environment": {
-          "action": "stop",
-          "name": "stage/app",
-          "url": "$CL_GITLAB_ENVIRONMENT_URL",
-        },
-        "image": "path/to/docker/kubernetes:the-version",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "rules": [
-          {
-            "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/",
-            "when": "on_success",
-          },
-          {
-            "when": "manual",
-          },
-        ],
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "export ENV_SHORT="stage"",
-          "export APP_DIR="."",
-          "export ENV_TYPE="stage"",
-          "export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"",
-          "export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"",
-          "export ROOT_URL="https://app.stage.test-app.pan.panter.cloud"",
-          "export HOST_INTERNAL="app.stage.test-app.pan.panter.cloud"",
-          "export HOST_CANONICAL="app.stage.test-app.pan.panter.cloud"",
-          "export ROOT_URL_INTERNAL="https://app.stage.test-app.pan.panter.cloud"",
-          "export KUBE_NAMESPACE="pan-test-app-stage"",
-          "export KUBE_APP_NAME="app"",
-          "export KUBE_APP_NAME_PREFIX=""",
-          "export SECRET_KEY_BASE="$CL_stage_app_SECRET_KEY_BASE"",
-          "export POSTGRESQL_PASSWORD="$CL_stage_app_POSTGRESQL_PASSWORD"",
-          "export cloudsqlProxyCredentials="$CL_stage_app_cloudsqlProxyCredentials"",
-          "export RAILS_ENV="production"",
-          "export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"",
-          "export RELEASE_NAME="pan-test-app-stage-app"",
-          "export HELM_EXPERIMENTAL_OCI="1"",
-          "export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"",
-          "export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"",
-          "export HELM_ARGS=""",
-          "export COMPONENT_NAME="app"",
-          "export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "kubectl config set-cluster "kube-pan-test-app-stage-app" --server="$CL_stage_app_KUBE_URL" --certificate-authority <(echo $CL_stage_app_KUBE_CA_PEM | base64 -d) --embed-certs=true",
-          "kubectl config set-credentials "kube-pan-test-app-stage-app" --token="$CL_stage_app_KUBE_TOKEN"",
-          "kubectl config set-context "kube-pan-test-app-stage-app" --cluster="kube-pan-test-app-stage-app" --user="kube-pan-test-app-stage-app" --namespace="pan-test-app-stage"",
-          "kubectl config use-context "kube-pan-test-app-stage-app"",
-          "kubernetesDelete",
-          "echo 'Disabling component in Dependency Track'",
-          "/dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://app.stage.test-app.pan.panter.cloud" || true",
-          "echo "CL_GITLAB_ENVIRONMENT_URL=https://app.stage.test-app.pan.panter.cloud" >> gitlab_environment.env",
-        ],
-        "stage": "stop stage",
-        "variables": {
-          "GIT_STRATEGY": "none",
-          "KUBERNETES_CPU_REQUEST": "0.22",
-          "KUBERNETES_MEMORY_LIMIT": "400Mi",
-          "KUBERNETES_MEMORY_REQUEST": "200Mi",
-        },
-      },
-      "app 🧾 sbom | prod ": {
-        "allow_failure": true,
-        "artifacts": {
-          "paths": [
-            "__sbom.json",
-          ],
-        },
-        "image": "aquasec/trivy:0.38.3",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "trivy fs --quiet --format cyclonedx --output "__sbom.json" .",
-        ],
-        "stage": "build",
-        "variables": {},
-      },
-      "app 🧾 sbom | stage ": {
-        "allow_failure": true,
-        "artifacts": {
-          "paths": [
-            "__sbom.json",
-          ],
-        },
-        "image": "aquasec/trivy:0.38.3",
-        "interruptible": true,
-        "needs": [],
-        "retry": {
-          "max": 2,
-          "when": [
-            "runner_system_failure",
-            "stuck_or_timeout_failure",
-          ],
-        },
-        "script": [
-          "echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"",
-          "echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"",
-          "trivy fs --quiet --format cyclonedx --output "__sbom.json" .",
-        ],
-        "stage": "build",
-        "variables": {},
-      },
-    },
-    "stages": [
-      "setup",
-      "setup dev",
-      "setup review",
-      "setup stage",
-      "setup prod",
-      "test",
-      "test dev",
-      "test review",
-      "test stage",
-      "test prod",
-      "build",
-      "build dev",
-      "build review",
-      "build stage",
-      "build prod",
-      "deploy",
-      "deploy dev",
-      "deploy review",
-      "deploy stage",
-      "deploy prod",
-      "verify",
-      "verify dev",
-      "verify review",
-      "verify stage",
-      "verify prod",
-      "rollback",
-      "rollback dev",
-      "rollback review",
-      "rollback stage",
-      "rollback prod",
-      "stop",
-      "stop dev",
-      "stop review",
-      "stop stage",
-      "stop prod",
-    ],
-    "variables": {
-      "ARTIFACT_COMPRESSION_LEVEL": "fast",
-      "CACHE_COMPRESSION_LEVEL": "fast",
-      "FF_USE_FASTZIP": "true",
-      "GIT_DEPTH": "1",
-      "TRANSFER_METER_FREQUENCY": "5s",
-    },
-    "workflow": {
-      "rules": [
-        {
-          "if": "$CI_COMMIT_TAG",
-        },
-        {
-          "if": "$CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/",
-          "when": "never",
-        },
-        {
-          "if": "$CI_PIPELINE_SOURCE  == "schedule"",
-          "when": "never",
-        },
-        {
-          "if": "$CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/",
-        },
-        {
-          "if": "$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH",
-        },
-        {
-          "if": "$CI_MERGE_REQUEST_ID",
-        },
-      ],
-    },
-  },
-}
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app" "https://my-fancy-website.com" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://my-fancy-website.com" >> gitlab_environment.env
+  environment:
+    name: prod/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app 🔨 docker | prod '
+      artifacts: false
+    - job: 'app 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="."
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://my-fancy-website.com"
+    - export HOST_INTERNAL="app.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_prod_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_prod_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_prod_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-prod-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-prod-app" --server="$CL_prod_app_KUBE_URL" --certificate-authority <(echo $CL_prod_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-prod-app" --token="$CL_prod_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-prod-app" --cluster="kube-pan-test-app-prod-app" --user="kube-pan-test-app-prod-app" --namespace="pan-test-app-prod"
+    - kubectl config use-context "kube-pan-test-app-prod-app"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app" "https://my-fancy-website.com" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://my-fancy-website.com" >> gitlab_environment.env
+  environment:
+    name: prod/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app ↩️ Rollback ⚠️ | prod ':
+  stage: rollback prod
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="."
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export ROOT_URL="https://my-fancy-website.com"
+    - export HOST_INTERNAL="app.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export SECRET_KEY_BASE="$CL_prod_app_SECRET_KEY_BASE"
+    - export POSTGRESQL_PASSWORD="$CL_prod_app_POSTGRESQL_PASSWORD"
+    - export cloudsqlProxyCredentials="$CL_prod_app_cloudsqlProxyCredentials"
+    - export RAILS_ENV="production"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"SECRET_KEY_BASE\\",\\"POSTGRESQL_PASSWORD\\",\\"cloudsqlProxyCredentials\\",\\"RAILS_ENV\\"]"
+    - export RELEASE_NAME="pan-test-app-prod-app"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-prod-app" --server="$CL_prod_app_KUBE_URL" --certificate-authority <(echo $CL_prod_app_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-prod-app" --token="$CL_prod_app_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-prod-app" --cluster="kube-pan-test-app-prod-app" --user="kube-pan-test-app-prod-app" --namespace="pan-test-app-prod"
+    - kubectl config use-context "kube-pan-test-app-prod-app"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://my-fancy-website.com" >> gitlab_environment.env
+  environment:
+    name: prod/app
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+  after_script:
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - &a3
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+      when: never
+    - &a4
+      if: $CI_PIPELINE_SOURCE  == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $AUTO_RELEASE == "true"
+      when: on_success
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+⚠️ force create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+  after_script:
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - *a3
+    - *a4
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+  needs: []
+"
 `;