npm - @catladder/pipeline - Versions diffs - 1.169.0 → 1.170.1 - Mend

@catladder/pipeline 1.169.0 → 1.170.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/bash/BashExpression.d.ts +1 -0
package/dist/bash/BashExpression.js +3 -0
package/dist/bash/replaceAsync.d.ts +1 -1
package/dist/bash/replaceAsync.js +2 -2
package/dist/bundles/catladder-gitlab/index.js +1 -1
package/dist/constants.js +1 -1
package/dist/deploy/cloudRun/createJobs/cloudRunServices.js +2 -0
package/dist/deploy/types/googleCloudRun.d.ts +7 -2
package/dist/tsconfig.tsbuildinfo +1 -1
package/examples/__snapshots__/cloud-run-service-custom-vpc-connector.test.ts.snap +1346 -0
package/examples/__snapshots__/cloud-run-service-custom-vpc.test.ts.snap +4 -4
package/examples/__snapshots__/multiline-var.test.ts.snap +2934 -1020
package/examples/__snapshots__/referencing-other-vars.test.ts.snap +4535 -0
package/examples/cloud-run-service-custom-vpc-connector.test.ts +11 -0
package/examples/cloud-run-service-custom-vpc-connector.ts +30 -0
package/examples/cloud-run-service-custom-vpc.ts +2 -1
package/examples/multiline-var.ts +57 -15
package/examples/referencing-other-vars.test.ts +11 -0
package/examples/referencing-other-vars.ts +83 -0
package/package.json +1 -1
package/src/bash/BashExpression.ts +10 -0
package/src/bash/replaceAsync.ts +8 -9
package/src/deploy/cloudRun/createJobs/cloudRunServices.ts +2 -0
package/src/deploy/types/googleCloudRun.ts +10 -2

package/examples/__snapshots__/referencing-other-vars.test.ts.snap ADDED Viewed

@@ -0,0 +1,4535 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+exports[`matches snapshot for referencing-other-vars local pipeline YAML 1`] = `
+"image: path/to/docker/jobs-default:the-version
+stages:
+  - setup
+  - setup dev
+  - setup review
+  - setup stage
+  - setup prod
+  - test
+  - test dev
+  - test review
+  - test stage
+  - test prod
+  - build
+  - build dev
+  - build review
+  - build stage
+  - build prod
+  - deploy
+  - deploy dev
+  - deploy review
+  - deploy stage
+  - deploy prod
+  - verify
+  - verify dev
+  - verify review
+  - verify stage
+  - verify prod
+  - rollback
+  - rollback dev
+  - rollback review
+  - rollback stage
+  - rollback prod
+  - stop
+  - stop dev
+  - stop review
+  - stop stage
+  - stop prod
+  - release
+variables:
+  FF_USE_FASTZIP: 'true'
+  ARTIFACT_COMPRESSION_LEVEL: fast
+  CACHE_COMPRESSION_LEVEL: fast
+  TRANSFER_METER_FREQUENCY: 5s
+  GIT_DEPTH: '1'
+app1 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="app1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - cd app1
+    - yarn npm audit --environment production
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: &a1
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+  interruptible: true
+  allow_failure: true
+app1 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="app1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app1
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn lint
+  cache:
+    - key: app1-yarn
+      policy: pull-push
+      paths:
+        - app1/.yarn
+    - key: app1-node-modules
+      policy: pull-push
+      paths:
+        - app1/node_modules
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+app1 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="app1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app1
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn test
+  cache:
+    - key: app1-yarn
+      policy: pull-push
+      paths:
+        - app1/.yarn
+    - key: app1-node-modules
+      policy: pull-push
+      paths:
+        - app1/node_modules
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app1 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_dev_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app1/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app1
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app1-yarn
+      policy: pull-push
+      paths:
+        - app1/.yarn
+    - key: app1-node-modules
+      policy: pull-push
+      paths:
+        - app1/node_modules
+    - key: app1-next-cache
+      policy: pull-push
+      paths:
+        - app1/.next/cache
+  artifacts:
+    paths:
+      - app1/__build_info.json
+      - app1/.next
+      - app1/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+'app1 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app1"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app1/package.json /app/app1/package.json
+      COPY --chown=node:node app1/yarn.lock /app/app1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app1-yarn
+      policy: pull
+      paths:
+        - app1/.yarn
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - 'app1 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'app1 🧾 sbom | dev ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_dev_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app1"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_app1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        dev
+      APP_DIR: |-
+        app1
+      ENV_TYPE: |-
+        dev
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET1: |-
+      $(printf %s "$CL_dev_app1_SECRET1" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo: |-
+        foo-value
+      bar: |-
+        bar-value
+      foo3: |-
+        from app3: foo-value-3
+      circle: |-
+        this is from app3 that has reference to app1: \\"this is from app2: this is from app1: foo-value\\"
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET1","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo","bar","foo3","circle"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy pan-test-app-dev-app1 --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app1:$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app1,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-service-name=pan-test-app-dev-app1 --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=pan-test-app-dev-app1 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app1@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app1" "https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: dev/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app1 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - job: app1 👮 lint
+      artifacts: false
+    - job: 'app1 🔨 app | dev '
+      artifacts: false
+    - job: 'app1 🔨 docker | dev '
+      artifacts: false
+    - job: app1 🧪 test
+      artifacts: false
+    - job: 'app1 🧾 sbom | dev '
+      artifacts: true
+    - job: app1 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app1 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-dev-app1 --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app1 --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app1" "https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: dev/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_review_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app1/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app1
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app1-yarn
+      policy: pull-push
+      paths:
+        - app1/.yarn
+    - key: app1-node-modules
+      policy: pull-push
+      paths:
+        - app1/node_modules
+    - key: app1-next-cache
+      policy: pull-push
+      paths:
+        - app1/.next/cache
+  artifacts:
+    paths:
+      - app1/__build_info.json
+      - app1/.next
+      - app1/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app1 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app1/package.json /app/app1/package.json
+      COPY --chown=node:node app1/yarn.lock /app/app1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app1-yarn
+      policy: pull
+      paths:
+        - app1/.yarn
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'app1 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'app1 🧾 sbom | review ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_review_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_app1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        review
+      APP_DIR: |-
+        app1
+      ENV_TYPE: |-
+        review
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET1: |-
+      $(printf %s "$CL_review_app1_SECRET1" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo: |-
+        foo-value
+      bar: |-
+        bar-value
+      foo3: |-
+        from app3: foo-value-3
+      circle: |-
+        this is from app3 that has reference to app1: \\"this is from app2: this is from app1: foo-value\\"
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET1","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo","bar","foo3","circle"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1" | awk '{print tolower($0)}') --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app1,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-service-name=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1" | awk '{print tolower($0)}') --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1" | awk '{print tolower($0)}') --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1 --quiet --delete-tags
+    - set -e
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app1" "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app1 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: app1 👮 lint
+      artifacts: false
+    - job: 'app1 🔨 app | review '
+      artifacts: false
+    - job: 'app1 🔨 docker | review '
+      artifacts: false
+    - job: app1 🧪 test
+      artifacts: false
+    - job: 'app1 🧾 sbom | review '
+      artifacts: true
+    - job: app1 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app1 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1" | awk '{print tolower($0)}') --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app1 --quiet --delete-tags
+    - set -e
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app1" "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_stage_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app1/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app1
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app1-yarn
+      policy: pull-push
+      paths:
+        - app1/.yarn
+    - key: app1-node-modules
+      policy: pull-push
+      paths:
+        - app1/node_modules
+    - key: app1-next-cache
+      policy: pull-push
+      paths:
+        - app1/.next/cache
+  artifacts:
+    paths:
+      - app1/__build_info.json
+      - app1/.next
+      - app1/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app1 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app1"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app1/package.json /app/app1/package.json
+      COPY --chown=node:node app1/yarn.lock /app/app1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app1-yarn
+      policy: pull
+      paths:
+        - app1/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'app1 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'app1 🧾 sbom | stage ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_stage_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app1"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_app1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        stage
+      APP_DIR: |-
+        app1
+      ENV_TYPE: |-
+        stage
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET1: |-
+      $(printf %s "$CL_stage_app1_SECRET1" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo: |-
+        foo-value
+      bar: |-
+        bar-value
+      foo3: |-
+        from app3: foo-value-3
+      circle: |-
+        this is from app3 that has reference to app1: \\"this is from app2: this is from app1: foo-value\\"
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET1","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo","bar","foo3","circle"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy pan-test-app-stage-app1 --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app1:$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app1,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-service-name=pan-test-app-stage-app1 --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=pan-test-app-stage-app1 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app1@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app1" "https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: stage/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app1 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app1 🔨 app | stage '
+      artifacts: false
+    - job: 'app1 🔨 docker | stage '
+      artifacts: false
+    - job: 'app1 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app1 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-stage-app1 --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app1 --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app1" "https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: stage/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_prod_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app1/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app1
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app1-yarn
+      policy: pull-push
+      paths:
+        - app1/.yarn
+    - key: app1-node-modules
+      policy: pull-push
+      paths:
+        - app1/node_modules
+    - key: app1-next-cache
+      policy: pull-push
+      paths:
+        - app1/.next/cache
+  artifacts:
+    paths:
+      - app1/__build_info.json
+      - app1/.next
+      - app1/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app1 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app1"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app1/package.json /app/app1/package.json
+      COPY --chown=node:node app1/yarn.lock /app/app1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app1-yarn
+      policy: pull
+      paths:
+        - app1/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'app1 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'app1 🧾 sbom | prod ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="app1"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET1="$CL_prod_app1_SECRET1"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_app1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo="foo-value"
+    - export bar="bar-value"
+    - 'export foo3="from app3: foo-value-3"'
+    - 'export circle="this is from app3 that has reference to app1: \\\\"this is from app2: this is from app1: foo-value\\\\""'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET1\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo\\",\\"bar\\",\\"foo3\\",\\"circle\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app1"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_app1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        prod
+      APP_DIR: |-
+        app1
+      ENV_TYPE: |-
+        prod
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET1: |-
+      $(printf %s "$CL_prod_app1_SECRET1" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo: |-
+        foo-value
+      bar: |-
+        bar-value
+      foo3: |-
+        from app3: foo-value-3
+      circle: |-
+        this is from app3 that has reference to app1: \\"this is from app2: this is from app1: foo-value\\"
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET1","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo","bar","foo3","circle"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy pan-test-app-prod-app1 --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app1:$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app1,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-service-name=pan-test-app-prod-app1 --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=pan-test-app-prod-app1 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | tail -n +6 | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +7 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app1@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app1" "https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: prod/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app1 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app1 🔨 app | prod '
+      artifacts: false
+    - job: 'app1 🔨 docker | prod '
+      artifacts: false
+    - job: 'app1 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app1 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_app1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-prod-app1 --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app1 --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app1@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app1" "https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: prod/app1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+app2 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="app2"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - cd app2
+    - yarn npm audit --environment production
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+app2 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="app2"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app2
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn lint
+  cache:
+    - key: app2-yarn
+      policy: pull-push
+      paths:
+        - app2/.yarn
+    - key: app2-node-modules
+      policy: pull-push
+      paths:
+        - app2/node_modules
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+app2 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="app2"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app2
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn test
+  cache:
+    - key: app2-yarn
+      policy: pull-push
+      paths:
+        - app2/.yarn
+    - key: app2-node-modules
+      policy: pull-push
+      paths:
+        - app2/node_modules
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app2 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_dev_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app2/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app2
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app2-yarn
+      policy: pull-push
+      paths:
+        - app2/.yarn
+    - key: app2-node-modules
+      policy: pull-push
+      paths:
+        - app2/node_modules
+    - key: app2-next-cache
+      policy: pull-push
+      paths:
+        - app2/.next/cache
+  artifacts:
+    paths:
+      - app2/__build_info.json
+      - app2/.next
+      - app2/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+'app2 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app2"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app2/package.json /app/app2/package.json
+      COPY --chown=node:node app2/yarn.lock /app/app2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app2-yarn
+      policy: pull
+      paths:
+        - app2/.yarn
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - 'app2 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'app2 🧾 sbom | dev ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_dev_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app2"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_app2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        dev
+      APP_DIR: |-
+        app2
+      ENV_TYPE: |-
+        dev
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET2: |-
+      $(printf %s "$CL_dev_app2_SECRET2" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo2: |-
+        foo-value-2
+      referencingSecret: |-
+      $(printf %s "secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2" | sed 's/^/  /')
+      foo1: |-
+        this is from app1: foo-value
+      selfReference: |-
+        this is from self: foo-value-2
+      selfReference2: |-
+        this is from self: this is from app1: foo-value
+      app1Api: |-
+      $(printf %s "https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql" | sed 's/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET2","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo2","referencingSecret","foo1","selfReference","selfReference2","app1Api"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy pan-test-app-dev-app2 --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app2:$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app2,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-service-name=pan-test-app-dev-app2 --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=pan-test-app-dev-app2 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app2@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app2" "https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: dev/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app2 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - job: app2 👮 lint
+      artifacts: false
+    - job: 'app2 🔨 app | dev '
+      artifacts: false
+    - job: 'app2 🔨 docker | dev '
+      artifacts: false
+    - job: app2 🧪 test
+      artifacts: false
+    - job: 'app2 🧾 sbom | dev '
+      artifacts: true
+    - job: app2 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app2 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-dev-app2 --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/dev/app2 --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app2" "https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: dev/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_review_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app2/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app2
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app2-yarn
+      policy: pull-push
+      paths:
+        - app2/.yarn
+    - key: app2-node-modules
+      policy: pull-push
+      paths:
+        - app2/node_modules
+    - key: app2-next-cache
+      policy: pull-push
+      paths:
+        - app2/.next/cache
+  artifacts:
+    paths:
+      - app2/__build_info.json
+      - app2/.next
+      - app2/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app2 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app2/package.json /app/app2/package.json
+      COPY --chown=node:node app2/yarn.lock /app/app2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app2-yarn
+      policy: pull
+      paths:
+        - app2/.yarn
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'app2 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'app2 🧾 sbom | review ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_review_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_app2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        review
+      APP_DIR: |-
+        app2
+      ENV_TYPE: |-
+        review
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET2: |-
+      $(printf %s "$CL_review_app2_SECRET2" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo2: |-
+        foo-value-2
+      referencingSecret: |-
+      $(printf %s "secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2" | sed 's/^/  /')
+      foo1: |-
+        this is from app1: foo-value
+      selfReference: |-
+        this is from self: foo-value-2
+      selfReference2: |-
+        this is from self: this is from app1: foo-value
+      app1Api: |-
+      $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql" | sed 's/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET2","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo2","referencingSecret","foo1","selfReference","selfReference2","app1Api"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2" | awk '{print tolower($0)}') --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app2,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-service-name=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2" | awk '{print tolower($0)}') --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2" | awk '{print tolower($0)}') --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2 --quiet --delete-tags
+    - set -e
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app2" "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app2 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: app2 👮 lint
+      artifacts: false
+    - job: 'app2 🔨 app | review '
+      artifacts: false
+    - job: 'app2 🔨 docker | review '
+      artifacts: false
+    - job: app2 🧪 test
+      artifacts: false
+    - job: 'app2 🧾 sbom | review '
+      artifacts: true
+    - job: app2 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app2 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2" | awk '{print tolower($0)}') --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/review/app2 --quiet --delete-tags
+    - set -e
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app2" "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_stage_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app2/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app2
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app2-yarn
+      policy: pull-push
+      paths:
+        - app2/.yarn
+    - key: app2-node-modules
+      policy: pull-push
+      paths:
+        - app2/node_modules
+    - key: app2-next-cache
+      policy: pull-push
+      paths:
+        - app2/.next/cache
+  artifacts:
+    paths:
+      - app2/__build_info.json
+      - app2/.next
+      - app2/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app2 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app2"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app2/package.json /app/app2/package.json
+      COPY --chown=node:node app2/yarn.lock /app/app2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app2-yarn
+      policy: pull
+      paths:
+        - app2/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'app2 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'app2 🧾 sbom | stage ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_stage_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app2"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_app2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        stage
+      APP_DIR: |-
+        app2
+      ENV_TYPE: |-
+        stage
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET2: |-
+      $(printf %s "$CL_stage_app2_SECRET2" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo2: |-
+        foo-value-2
+      referencingSecret: |-
+      $(printf %s "secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2" | sed 's/^/  /')
+      foo1: |-
+        this is from app1: foo-value
+      selfReference: |-
+        this is from self: foo-value-2
+      selfReference2: |-
+        this is from self: this is from app1: foo-value
+      app1Api: |-
+      $(printf %s "https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql" | sed 's/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET2","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo2","referencingSecret","foo1","selfReference","selfReference2","app1Api"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy pan-test-app-stage-app2 --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app2:$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app2,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-service-name=pan-test-app-stage-app2 --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=pan-test-app-stage-app2 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app2@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app2" "https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: stage/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app2 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app2 🔨 app | stage '
+      artifacts: false
+    - job: 'app2 🔨 docker | stage '
+      artifacts: false
+    - job: 'app2 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app2 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-stage-app2 --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/stage/app2 --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app2" "https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: stage/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_prod_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > app2/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd app2
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: app2-yarn
+      policy: pull-push
+      paths:
+        - app2/.yarn
+    - key: app2-node-modules
+      policy: pull-push
+      paths:
+        - app2/node_modules
+    - key: app2-next-cache
+      policy: pull-push
+      paths:
+        - app2/.next/cache
+  artifacts:
+    paths:
+      - app2/__build_info.json
+      - app2/.next
+      - app2/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app2 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="app2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app2"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node app2/package.json /app/app2/package.json
+      COPY --chown=node:node app2/yarn.lock /app/app2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker asia-east1-docker.pkg.dev
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: app2-yarn
+      policy: pull
+      paths:
+        - app2/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'app2 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'app2 🧾 sbom | prod ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" app2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="app2"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_INTERNAL="$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOST_CANONICAL="$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="asdf"
+    - export DEPLOY_CLOUD_RUN_REGION="asia-east1"
+    - export SECRET2="$CL_prod_app2_SECRET2"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_app2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix"
+    - export foo2="foo-value-2"
+    - 'export referencingSecret="secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2"'
+    - 'export foo1="this is from app1: foo-value"'
+    - 'export selfReference="this is from self: foo-value-2"'
+    - 'export selfReference2="this is from self: this is from app1: foo-value"'
+    - export app1Api="https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"SECRET2\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"foo2\\",\\"referencingSecret\\",\\"foo1\\",\\"selfReference\\",\\"selfReference2\\",\\"app1Api\\"]"
+    - export DOCKER_REGISTRY="asia-east1-docker.pkg.dev"
+    - export DOCKER_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app2"
+    - export DOCKER_CACHE_IMAGE="asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):prepare[collapsed=true]\\r\\e[0KPrepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_app2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe asdf --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - echo -e "\\e[0Ksection_end:$(date +%s):prepare\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeenvvars[collapsed=true]\\r\\e[0KWrite env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        prod
+      APP_DIR: |-
+        app2
+      ENV_TYPE: |-
+        prod
+      BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/  /')
+      HOST: |-
+      $(printf %s "$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_INTERNAL: |-
+      $(printf %s "$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      HOST_CANONICAL: |-
+      $(printf %s "$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      ROOT_URL_INTERNAL: |-
+      $(printf %s "https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed 's/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        asdf
+      DEPLOY_CLOUD_RUN_REGION: |-
+        asia-east1
+      SECRET2: |-
+      $(printf %s "$CL_prod_app2_SECRET2" | sed 's/^/  /')
+      GCLOUD_RUN_canonicalHostSuffix: |-
+      $(printf %s "$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | sed 's/^/  /')
+      foo2: |-
+        foo-value-2
+      referencingSecret: |-
+      $(printf %s "secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2" | sed 's/^/  /')
+      foo1: |-
+        this is from app1: foo-value
+      selfReference: |-
+        this is from self: foo-value-2
+      selfReference2: |-
+        this is from self: this is from app1: foo-value
+      app1Api: |-
+      $(printf %s "https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')/graphql" | sed 's/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","SECRET2","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","foo2","referencingSecret","foo1","selfReference","selfReference2","app1Api"]
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeenvvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):deploy[collapsed=true]\\r\\e[0KDeploy to cloud run"
+    - gcloud run deploy pan-test-app-prod-app2 --command="yarn,start" --image=asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app2:$DOCKER_IMAGE_TAG --project=asdf --region=asia-east1 --labels=customer-name=pan,component-name=app2,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-service-name=pan-test-app-prod-app2 --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - echo -e "\\e[0Ksection_end:$(date +%s):deploy\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):cleanup[collapsed=true]\\r\\e[0KCleanup"
+    - gcloud run revisions list --project=asdf --region=asia-east1 --service=pan-test-app-prod-app2 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | tail -n +6 | while read -r revisionname; do gcloud run revisions delete --project=asdf --region=asia-east1 --quiet $revisionname ; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +7 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app2@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - echo -e "\\e[0Ksection_end:$(date +%s):cleanup\\r\\e[0K"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app2" "https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: prod/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app2 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app2 🔨 app | prod '
+      artifacts: false
+    - job: 'app2 🔨 docker | prod '
+      artifacts: false
+    - job: 'app2 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app2 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_app2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-prod-app2 --project=asdf --region=asia-east1
+    - gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/prod/app2 --quiet --delete-tags
+    - gcloud artifacts docker images list asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete asia-east1-docker.pkg.dev/asdf/catladder-deploy/pan-test-app/caches/app2@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app2" "https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" || true
+    - set -e
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" >> gitlab_environment.env
+  environment:
+    name: prod/app2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+app3 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="kube"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - cd kube
+    - yarn npm audit --environment production
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+app3 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="kube"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd kube
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn lint
+  cache:
+    - key: kube-yarn
+      policy: pull-push
+      paths:
+        - kube/.yarn
+    - key: kube-node-modules
+      policy: pull-push
+      paths:
+        - kube/node_modules
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+app3 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_PATH="kube"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd kube
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn test
+  cache:
+    - key: kube-yarn
+      policy: pull-push
+      paths:
+        - kube/.yarn
+    - key: kube-node-modules
+      policy: pull-push
+      paths:
+        - kube/node_modules
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app3 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.dev.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > kube/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd kube
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: kube-yarn
+      policy: pull-push
+      paths:
+        - kube/.yarn
+    - key: kube-node-modules
+      policy: pull-push
+      paths:
+        - kube/node_modules
+    - key: app3-next-cache
+      policy: pull-push
+      paths:
+        - kube/.next/cache
+  artifacts:
+    paths:
+      - kube/__build_info.json
+      - kube/.next
+      - kube/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+'app3 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="kube"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="dev/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node kube/package.json /app/kube/package.json
+      COPY --chown=node:node kube/yarn.lock /app/kube/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: kube-yarn
+      policy: pull
+      paths:
+        - kube/.yarn
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - 'app3 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'app3 🧾 sbom | dev ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" kube
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.dev.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="dev/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-dev-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-dev-app3" --server="$CL_dev_app3_KUBE_URL" --certificate-authority <(echo $CL_dev_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-dev-app3" --token="$CL_dev_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-dev-app3" --cluster="kube-pan-test-app-dev-app3" --user="kube-pan-test-app-dev-app3" --namespace="pan-test-app-dev"
+    - kubectl config use-context "kube-pan-test-app-dev-app3"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          transitiveWithSecret: |-
+      $(printf %s "this is from app2: secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2" | sed 's/^/      /')
+          someJson: |-
+      $(printf %s "[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.dev.test-app.pan.panter.cloud\\"}]" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            dev
+          APP_DIR: |-
+            kube
+          ENV_TYPE: |-
+            dev
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          HOST: |-
+            app3.dev.test-app.pan.panter.cloud
+          ROOT_URL: |-
+            https://app3.dev.test-app.pan.panter.cloud
+          HOST_INTERNAL: |-
+            app3.dev.test-app.pan.panter.cloud
+          HOST_CANONICAL: |-
+            app3.dev.test-app.pan.panter.cloud
+          ROOT_URL_INTERNAL: |-
+            https://app3.dev.test-app.pan.panter.cloud
+          KUBE_NAMESPACE: |-
+            pan-test-app-dev
+          KUBE_APP_NAME: |-
+            app3
+          KUBE_APP_NAME_PREFIX: ""
+          foo3: |-
+            foo-value-3
+          foo2: |-
+            this is from app2: foo-value-2
+          transitive: |-
+            this is from app2: this is from app1: foo-value
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","foo3","foo2","transitive","transitiveWithSecret","someJson"]
+      application:
+        host: |-
+          app3.dev.test-app.pan.panter.cloud
+        command: |-
+          yarn start
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app3" "https://app3.dev.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.dev.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: dev/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app3 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs:
+    - job: app3 👮 lint
+      artifacts: false
+    - job: 'app3 🔨 app | dev '
+      artifacts: false
+    - job: 'app3 🔨 docker | dev '
+      artifacts: false
+    - job: app3 🧪 test
+      artifacts: false
+    - job: 'app3 🧾 sbom | dev '
+      artifacts: true
+    - job: app3 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app3 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.dev.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-dev-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-dev-app3" --server="$CL_dev_app3_KUBE_URL" --certificate-authority <(echo $CL_dev_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-dev-app3" --token="$CL_dev_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-dev-app3" --cluster="kube-pan-test-app-dev-app3" --user="kube-pan-test-app-dev-app3" --namespace="pan-test-app-dev"
+    - kubectl config use-context "kube-pan-test-app-dev-app3"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app3" "https://app3.dev.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.dev.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: dev/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 ↩️ Rollback ⚠️ | dev ':
+  stage: rollback dev
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.dev.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.dev.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.dev.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.dev.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-dev"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_dev_app1_SECRET1, secret2: $CL_dev_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app1-$CL_dev_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-dev-app2-$CL_dev_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.dev.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-dev-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-dev-app3" --server="$CL_dev_app3_KUBE_URL" --certificate-authority <(echo $CL_dev_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-dev-app3" --token="$CL_dev_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-dev-app3" --cluster="kube-pan-test-app-dev-app3" --user="kube-pan-test-app-dev-app3" --namespace="pan-test-app-dev"
+    - kubectl config use-context "kube-pan-test-app-dev-app3"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.dev.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: dev/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > kube/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd kube
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: kube-yarn
+      policy: pull-push
+      paths:
+        - kube/.yarn
+    - key: kube-node-modules
+      policy: pull-push
+      paths:
+        - kube/node_modules
+    - key: app3-next-cache
+      policy: pull-push
+      paths:
+        - kube/.next/cache
+  artifacts:
+    paths:
+      - kube/__build_info.json
+      - kube/.next
+      - kube/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'app3 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="kube"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="review/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node kube/package.json /app/kube/package.json
+      COPY --chown=node:node kube/yarn.lock /app/kube/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: kube-yarn
+      policy: pull
+      paths:
+        - kube/.yarn
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'app3 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'app3 🧾 sbom | review ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" kube
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="review/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --server="$CL_review_app3_KUBE_URL" --certificate-authority <(echo $CL_review_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --token="$CL_review_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --namespace="pan-test-app-review"
+    - kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          transitiveWithSecret: |-
+      $(printf %s "this is from app2: secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2" | sed 's/^/      /')
+          someJson: |-
+      $(printf %s "[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud\\"}]" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            review
+          APP_DIR: |-
+            kube
+          ENV_TYPE: |-
+            review
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          HOST: |-
+      $(printf %s "app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          ROOT_URL: |-
+      $(printf %s "https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          HOST_INTERNAL: |-
+      $(printf %s "app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          HOST_CANONICAL: |-
+      $(printf %s "app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          ROOT_URL_INTERNAL: |-
+      $(printf %s "https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/      /')
+          KUBE_NAMESPACE: |-
+            pan-test-app-review
+          KUBE_APP_NAME: |-
+      $(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" | sed 's/^/      /')
+          KUBE_APP_NAME_PREFIX: |-
+      $(printf %s "$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-" | sed 's/^/      /')
+          foo3: |-
+            foo-value-3
+          foo2: |-
+            this is from app2: foo-value-2
+          transitive: |-
+            this is from app2: this is from app1: foo-value
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","foo3","foo2","transitive","transitiveWithSecret","someJson"]
+      application:
+        host: |-
+      $(printf %s "app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" | sed 's/^/    /')
+        command: |-
+          yarn start
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app3" "https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app3 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: app3 👮 lint
+      artifacts: false
+    - job: 'app3 🔨 app | review '
+      artifacts: false
+    - job: 'app3 🔨 docker | review '
+      artifacts: false
+    - job: app3 🧪 test
+      artifacts: false
+    - job: 'app3 🧾 sbom | review '
+      artifacts: true
+    - job: app3 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app3 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --server="$CL_review_app3_KUBE_URL" --certificate-authority <(echo $CL_review_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --token="$CL_review_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --namespace="pan-test-app-review"
+    - kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app3" "https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 ↩️ Rollback ⚠️ | review ':
+  stage: rollback review
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-review"
+    - export KUBE_APP_NAME="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export KUBE_APP_NAME_PREFIX="$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-"
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_review_app1_SECRET1, secret2: $CL_review_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app1-$CL_review_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app2-$CL_review_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --server="$CL_review_app3_KUBE_URL" --certificate-authority <(echo $CL_review_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --token="$CL_review_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --cluster="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --user="kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3" --namespace="pan-test-app-review"
+    - kubectl config use-context "kube-pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-app3"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }).review.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.stage.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > kube/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd kube
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: kube-yarn
+      policy: pull-push
+      paths:
+        - kube/.yarn
+    - key: kube-node-modules
+      policy: pull-push
+      paths:
+        - kube/node_modules
+    - key: app3-next-cache
+      policy: pull-push
+      paths:
+        - kube/.next/cache
+  artifacts:
+    paths:
+      - kube/__build_info.json
+      - kube/.next
+      - kube/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app3 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="kube"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="stage/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node kube/package.json /app/kube/package.json
+      COPY --chown=node:node kube/yarn.lock /app/kube/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: kube-yarn
+      policy: pull
+      paths:
+        - kube/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'app3 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'app3 🧾 sbom | stage ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" kube
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.stage.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="stage/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-stage-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-stage-app3" --server="$CL_stage_app3_KUBE_URL" --certificate-authority <(echo $CL_stage_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-stage-app3" --token="$CL_stage_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-stage-app3" --cluster="kube-pan-test-app-stage-app3" --user="kube-pan-test-app-stage-app3" --namespace="pan-test-app-stage"
+    - kubectl config use-context "kube-pan-test-app-stage-app3"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          transitiveWithSecret: |-
+      $(printf %s "this is from app2: secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2" | sed 's/^/      /')
+          someJson: |-
+      $(printf %s "[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.stage.test-app.pan.panter.cloud\\"}]" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            stage
+          APP_DIR: |-
+            kube
+          ENV_TYPE: |-
+            stage
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          HOST: |-
+            app3.stage.test-app.pan.panter.cloud
+          ROOT_URL: |-
+            https://app3.stage.test-app.pan.panter.cloud
+          HOST_INTERNAL: |-
+            app3.stage.test-app.pan.panter.cloud
+          HOST_CANONICAL: |-
+            app3.stage.test-app.pan.panter.cloud
+          ROOT_URL_INTERNAL: |-
+            https://app3.stage.test-app.pan.panter.cloud
+          KUBE_NAMESPACE: |-
+            pan-test-app-stage
+          KUBE_APP_NAME: |-
+            app3
+          KUBE_APP_NAME_PREFIX: ""
+          foo3: |-
+            foo-value-3
+          foo2: |-
+            this is from app2: foo-value-2
+          transitive: |-
+            this is from app2: this is from app1: foo-value
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","foo3","foo2","transitive","transitiveWithSecret","someJson"]
+      application:
+        host: |-
+          app3.stage.test-app.pan.panter.cloud
+        command: |-
+          yarn start
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app3" "https://app3.stage.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.stage.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: stage/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app3 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app3 🔨 app | stage '
+      artifacts: false
+    - job: 'app3 🔨 docker | stage '
+      artifacts: false
+    - job: 'app3 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'app3 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.stage.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-stage-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-stage-app3" --server="$CL_stage_app3_KUBE_URL" --certificate-authority <(echo $CL_stage_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-stage-app3" --token="$CL_stage_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-stage-app3" --cluster="kube-pan-test-app-stage-app3" --user="kube-pan-test-app-stage-app3" --namespace="pan-test-app-stage"
+    - kubectl config use-context "kube-pan-test-app-stage-app3"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app3" "https://app3.stage.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.stage.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: stage/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 ↩️ Rollback ⚠️ | stage ':
+  stage: rollback stage
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.stage.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.stage.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.stage.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.stage.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-stage"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_stage_app1_SECRET1, secret2: $CL_stage_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app1-$CL_stage_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-stage-app2-$CL_stage_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.stage.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-stage-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-stage-app3" --server="$CL_stage_app3_KUBE_URL" --certificate-authority <(echo $CL_stage_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-stage-app3" --token="$CL_stage_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-stage-app3" --cluster="kube-pan-test-app-stage-app3" --user="kube-pan-test-app-stage-app3" --namespace="pan-test-app-stage"
+    - kubectl config use-context "kube-pan-test-app-stage-app3"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.stage.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: stage/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.prod.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.prod.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > kube/__build_info.json
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - cd kube
+    - echo -e "\\e[0Ksection_start:$(date +%s):nodeinstall[collapsed=true]\\r\\e[0KEnsure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - echo -e "\\e[0Ksection_end:$(date +%s):nodeinstall\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):yarninstall[collapsed=true]\\r\\e[0KYarn install"
+    - yarn install --immutable
+    - echo -e "\\e[0Ksection_end:$(date +%s):yarninstall\\r\\e[0K"
+    - yarn build
+  cache:
+    - key: kube-yarn
+      policy: pull-push
+      paths:
+        - kube/.yarn
+    - key: kube-node-modules
+      policy: pull-push
+      paths:
+        - kube/node_modules
+    - key: app3-next-cache
+      policy: pull-push
+      paths:
+        - kube/.next/cache
+  artifacts:
+    paths:
+      - kube/__build_info.json
+      - kube/.next
+      - kube/dist
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'app3 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://0.0.0.0:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export APP_DIR="kube"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="prod/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node kube/package.json /app/kube/package.json
+      COPY --chown=node:node kube/yarn.lock /app/kube/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - ensureNodeDockerfile
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-login[collapsed=true]\\r\\e[0KDocker Login"
+    - docker login --username gitlab-ci-token --password $CI_JOB_TOKEN $CI_REGISTRY
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-login\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-build[collapsed=true]\\r\\e[0KDocker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-build\\r\\e[0K"
+    - echo -e "\\e[0Ksection_start:$(date +%s):docker-push[collapsed=true]\\r\\e[0KDocker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - echo -e "\\e[0Ksection_end:$(date +%s):docker-push\\r\\e[0K"
+  cache:
+    - key: kube-yarn
+      policy: pull
+      paths:
+        - kube/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'app3 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'app3 🧾 sbom | prod ':
+  stage: build
+  image: aquasec/trivy:0.38.3
+  variables: {}
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" kube
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.prod.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.prod.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export DOCKER_REGISTRY="$CI_REGISTRY"
+    - export DOCKER_CACHE_IMAGE="$CI_REGISTRY_IMAGE/caches/app3"
+    - export DOCKER_IMAGE_NAME="prod/app3"
+    - export DOCKER_IMAGE="$CI_REGISTRY_IMAGE/$DOCKER_IMAGE_NAME"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export RELEASE_NAME="pan-test-app-prod-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-prod-app3" --server="$CL_prod_app3_KUBE_URL" --certificate-authority <(echo $CL_prod_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-prod-app3" --token="$CL_prod_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-prod-app3" --cluster="kube-pan-test-app-prod-app3" --user="kube-pan-test-app-prod-app3" --namespace="pan-test-app-prod"
+    - kubectl config use-context "kube-pan-test-app-prod-app3"
+    - echo -e "\\e[0Ksection_start:$(date +%s):writeallvalues[collapsed=true]\\r\\e[0KWrite __all_values.yml for helm deployment"
+    - |
+      cat > __all_values.yml <<EOF
+      env:
+        secret:
+          transitiveWithSecret: |-
+      $(printf %s "this is from app2: secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2" | sed 's/^/      /')
+          someJson: |-
+      $(printf %s "[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.prod.test-app.pan.panter.cloud\\"}]" | sed 's/^/      /')
+        public:
+          ENV_SHORT: |-
+            prod
+          APP_DIR: |-
+            kube
+          ENV_TYPE: |-
+            prod
+          BUILD_INFO_BUILD_ID: |-
+      $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed 's/^/      /')
+          BUILD_INFO_BUILD_TIME: |-
+      $(printf %s "$CI_JOB_STARTED_AT" | sed 's/^/      /')
+          BUILD_INFO_CURRENT_VERSION: |-
+      $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed 's/^/      /')
+          HOST: |-
+            app3.prod.test-app.pan.panter.cloud
+          ROOT_URL: |-
+            https://app3.prod.test-app.pan.panter.cloud
+          HOST_INTERNAL: |-
+            app3.prod.test-app.pan.panter.cloud
+          HOST_CANONICAL: |-
+            app3.prod.test-app.pan.panter.cloud
+          ROOT_URL_INTERNAL: |-
+            https://app3.prod.test-app.pan.panter.cloud
+          KUBE_NAMESPACE: |-
+            pan-test-app-prod
+          KUBE_APP_NAME: |-
+            app3
+          KUBE_APP_NAME_PREFIX: ""
+          foo3: |-
+            foo-value-3
+          foo2: |-
+            this is from app2: foo-value-2
+          transitive: |-
+            this is from app2: this is from app1: foo-value
+          _ALL_ENV_VAR_KEYS: |-
+            ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOST","ROOT_URL","HOST_INTERNAL","HOST_CANONICAL","ROOT_URL_INTERNAL","KUBE_NAMESPACE","KUBE_APP_NAME","KUBE_APP_NAME_PREFIX","foo3","foo2","transitive","transitiveWithSecret","someJson"]
+      application:
+        host: |-
+          app3.prod.test-app.pan.panter.cloud
+        command: |-
+          yarn start
+        livenessProbe:
+          httpGet:
+            path: |-
+              __health
+        readinessProbe:
+          httpGet:
+            path: |-
+              __health
+        startupProbe:
+          httpGet:
+            path: |-
+              __health
+      EOF
+    - echo -e "\\e[0Ksection_end:$(date +%s):writeallvalues\\r\\e[0K"
+    - kubernetesCreateSecret
+    - kubernetesDeploy
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/app3" "https://app3.prod.test-app.pan.panter.cloud" "__sbom.json" vex.json || true
+    - echo deployment successful 😻
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.prod.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: prod/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'app3 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'app3 🔨 app | prod '
+      artifacts: false
+    - job: 'app3 🔨 docker | prod '
+      artifacts: false
+    - job: 'app3 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.prod.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.prod.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-prod-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-prod-app3" --server="$CL_prod_app3_KUBE_URL" --certificate-authority <(echo $CL_prod_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-prod-app3" --token="$CL_prod_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-prod-app3" --cluster="kube-pan-test-app-prod-app3" --user="kube-pan-test-app-prod-app3" --namespace="pan-test-app-prod"
+    - kubectl config use-context "kube-pan-test-app-prod-app3"
+    - kubernetesDelete
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/app3" "https://app3.prod.test-app.pan.panter.cloud" || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.prod.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: prod/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: stop
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'app3 ↩️ Rollback ⚠️ | prod ':
+  stage: rollback prod
+  image: path/to/docker/kubernetes:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - echo -e "\\e[0Ksection_start:$(date +%s):injectvars[collapsed=true]\\r\\e[0KInjecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="kube"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOST="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL="https://app3.prod.test-app.pan.panter.cloud"
+    - export HOST_INTERNAL="app3.prod.test-app.pan.panter.cloud"
+    - export HOST_CANONICAL="app3.prod.test-app.pan.panter.cloud"
+    - export ROOT_URL_INTERNAL="https://app3.prod.test-app.pan.panter.cloud"
+    - export KUBE_NAMESPACE="pan-test-app-prod"
+    - export KUBE_APP_NAME="app3"
+    - export KUBE_APP_NAME_PREFIX=""
+    - export foo3="foo-value-3"
+    - 'export foo2="this is from app2: foo-value-2"'
+    - 'export transitive="this is from app2: this is from app1: foo-value"'
+    - 'export transitiveWithSecret="this is from app2: secret1: $CL_prod_app1_SECRET1, secret2: $CL_prod_app2_SECRET2"'
+    - 'export someJson="[{\\"name\\": \\"app1\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app1-$CL_prod_app1_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app2\\", \\"url\\": \\"https://$(printf %s "pan-test-app-prod-app2-$CL_prod_app2_GCLOUD_RUN_canonicalHostSuffix" | awk ''{print tolower($0)}'')\\"}, {\\"name\\": \\"app3\\", \\"url\\": \\"https://app3.prod.test-app.pan.panter.cloud\\"}]"'
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOST\\",\\"ROOT_URL\\",\\"HOST_INTERNAL\\",\\"HOST_CANONICAL\\",\\"ROOT_URL_INTERNAL\\",\\"KUBE_NAMESPACE\\",\\"KUBE_APP_NAME\\",\\"KUBE_APP_NAME_PREFIX\\",\\"foo3\\",\\"foo2\\",\\"transitive\\",\\"transitiveWithSecret\\",\\"someJson\\"]"
+    - export RELEASE_NAME="pan-test-app-prod-app3"
+    - export HELM_EXPERIMENTAL_OCI="1"
+    - export KUBE_DOCKER_IMAGE_PULL_SECRET="gitlab-registry-app3"
+    - export HELM_GITLAB_CHART_NAME="/helm-charts/the-panter-chart"
+    - export HELM_ARGS=""
+    - export COMPONENT_NAME="app3"
+    - export BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - echo -e "\\e[0Ksection_end:$(date +%s):injectvars\\r\\e[0K"
+    - kubectl config set-cluster "kube-pan-test-app-prod-app3" --server="$CL_prod_app3_KUBE_URL" --certificate-authority <(echo $CL_prod_app3_KUBE_CA_PEM | base64 -d) --embed-certs=true
+    - kubectl config set-credentials "kube-pan-test-app-prod-app3" --token="$CL_prod_app3_KUBE_TOKEN"
+    - kubectl config set-context "kube-pan-test-app-prod-app3" --cluster="kube-pan-test-app-prod-app3" --user="kube-pan-test-app-prod-app3" --namespace="pan-test-app-prod"
+    - kubectl config use-context "kube-pan-test-app-prod-app3"
+    - kubernetesRollback
+    - echo "CL_GITLAB_ENVIRONMENT_URL=https://app3.prod.test-app.pan.panter.cloud" >> gitlab_environment.env
+  environment:
+    name: prod/app3
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    action: access
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+  after_script:
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - &a2
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+      when: never
+    - &a3
+      if: $CI_PIPELINE_SOURCE  == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $AUTO_RELEASE == "true"
+      when: on_success
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+⚠️ force create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+  after_script:
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - *a2
+    - *a3
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+  needs: []
+"
+`;