npm - @catladder/pipeline - Versions diffs - 3.13.1 → 3.14.0 - Mend

@catladder/pipeline 3.13.1 → 3.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (107) hide show

package/examples/__snapshots__/cloud-run-with-agents.test.ts.snap ADDED Viewed

@@ -0,0 +1,1576 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+exports[`matches snapshot for cloud-run-with-agents local pipeline YAML 1`] = `
+"image: path/to/docker/jobs-default:the-version
+stages:
+  - setup
+  - setup dev
+  - setup review
+  - setup stage
+  - setup prod
+  - test
+  - test dev
+  - test review
+  - test stage
+  - test prod
+  - build
+  - build dev
+  - build review
+  - build stage
+  - build prod
+  - deploy
+  - deploy dev
+  - deploy review
+  - deploy stage
+  - deploy prod
+  - verify
+  - verify dev
+  - verify review
+  - verify stage
+  - verify prod
+  - agents
+  - agents dev
+  - agents review
+  - agents stage
+  - agents prod
+  - rollback
+  - rollback dev
+  - rollback review
+  - rollback stage
+  - rollback prod
+  - stop
+  - stop dev
+  - stop review
+  - stop stage
+  - stop prod
+  - release
+variables:
+  FF_USE_FASTZIP: 'true'
+  ARTIFACT_COMPRESSION_LEVEL: fast
+  CACHE_COMPRESSION_LEVEL: fast
+  TRANSFER_METER_FREQUENCY: 5s
+  GIT_DEPTH: '1'
+workflow:
+  name: $PIPELINE_ICON $PIPELINE_NAME
+  rules:
+    - if: $CI_PIPELINE_SOURCE  == "trigger"
+      variables:
+        PIPELINE_ICON: 🤖
+        PIPELINE_NAME: Thinking...
+    - if: $CI_MERGE_REQUEST_ID
+      variables:
+        PIPELINE_ICON: 🐱🔨
+        PIPELINE_NAME: Merge Request $CI_MERGE_REQUEST_IID
+    - if: $CI_COMMIT_TAG
+      variables:
+        PIPELINE_ICON: 🐱📦
+        PIPELINE_NAME: Release $CI_COMMIT_TAG
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+      variables:
+        PIPELINE_ICON: 🐱🔨
+        PIPELINE_NAME: Main
+    - when: always
+      variables:
+        PIPELINE_ICON: 🐱❓
+        PIPELINE_NAME: Default
+before_script:
+  - |-
+    function escapeForDotEnv () {
+    input="\${1:-$(cat)}"
+     input="\${input//$'\\n'/\\\\n}"
+      if [[ "$input" == *\\\\n* ]]; then
+        if [[ "$input" == *\\"* && "$input" == *\\'* && "$input" == *\\\`* ]]; then
+          printf "\\"%s\\"\\n" "$input"
+        elif [[ "$input" == *\\"* && "$input" == *\\'* ]]; then
+          printf "\`%s\`\\n" "$input"
+        elif [[ "$input" == *\\"* ]]; then
+          printf "'%s'\\n" "$input"
+        else
+          printf "\\"%s\\"\\n" "$input"
+        fi
+      else
+        printf "%s\\n" "$input"
+      fi
+    }
+  - |-
+    function collapseable_section_start () {
+    local section_title="\${1}"
+      local section_description="\${2:-$section_title}"
+      echo -e "section_start:\`date +%s\`:\${section_title}[collapsed=true]\\r\\e[0K\${section_description}"
+    }
+  - |-
+    function collapseable_section_end () {
+    local section_title="\${1}"
+      echo -e "section_end:\`date +%s\`:\${section_title}\\r\\e[0K"
+    }
+www 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="www"
+    - collapseable_section_end "injectvars"
+    - cd www
+    - yarn npm audit --environment production
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: &a1
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+  interruptible: true
+  allow_failure: true
+www 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="www"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd www
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn lint
+  cache:
+    - key: www-yarn
+      policy: pull-push
+      paths:
+        - www/.yarn
+    - key: www-node-modules
+      policy: pull-push
+      paths:
+        - www/node_modules
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+www 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="www"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd www
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn test
+  cache:
+    - key: www-yarn
+      policy: pull-push
+      paths:
+        - www/.yarn
+    - key: www-node-modules
+      policy: pull-push
+      paths:
+        - www/node_modules
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'www 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="www"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-www" "write dot env for www"
+    - |-
+      cat <<EOF > www/.env
+      ENV_SHORT=dev
+      APP_DIR=www
+      ENV_TYPE=dev
+      HOSTNAME=$(printf %s "$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_dev_www_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-www"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > www/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd www
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: www-yarn
+      policy: pull-push
+      paths:
+        - www/.yarn
+    - key: www-node-modules
+      policy: pull-push
+      paths:
+        - www/node_modules
+    - key: www-default
+      policy: pull-push
+      paths:
+        - www/.next/cache
+  artifacts:
+    paths:
+      - www/__build_info.json
+      - www/.next
+      - www/dist
+    exclude:
+      - www/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+'www 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="www"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/dev/www"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node www/package.json /app/www/package.json
+      COPY --chown=node:node www/yarn.lock /app/www/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: www-yarn
+      policy: pull
+      paths:
+        - www/.yarn
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - 'www 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'www 🧾 sbom | dev ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" www
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="www"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/dev/www"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_www_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        dev
+      APP_DIR: |-
+        www
+      ENV_TYPE: |-
+        dev
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-dev-www-$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_dev_www_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - gcloud run deploy pan-agent-example-app-dev-www --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/dev/www:$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --labels=customer-name=pan,component-name=www,app-name=agent-example-app,env-type=dev,env-name=dev,build-type=node,cloud-run-service-name=pan-agent-example-app-dev-www --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - set +e
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-agent-example-app-dev-www --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/dev/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/dev/www@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-agent-example-app/www" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: dev/www
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'www 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - job: www 👮 lint
+      artifacts: false
+    - job: 'www 🔨 app | dev '
+      artifacts: false
+    - job: 'www 🔨 docker | dev '
+      artifacts: false
+    - job: www 🧪 test
+      artifacts: false
+    - job: 'www 🧾 sbom | dev '
+      artifacts: true
+    - job: www 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'www 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-agent-example-app-dev-www --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/dev/www --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-agent-example-app/www" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: dev/www
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="www"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-www" "write dot env for www"
+    - |-
+      cat <<EOF > www/.env
+      ENV_SHORT=review
+      APP_DIR=www
+      ENV_TYPE=review
+      HOSTNAME=$(printf %s "$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_review_www_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-www"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > www/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd www
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: www-yarn
+      policy: pull-push
+      paths:
+        - www/.yarn
+    - key: www-node-modules
+      policy: pull-push
+      paths:
+        - www/node_modules
+    - key: www-default
+      policy: pull-push
+      paths:
+        - www/.next/cache
+  artifacts:
+    paths:
+      - www/__build_info.json
+      - www/.next
+      - www/dist
+    exclude:
+      - www/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'www 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="www"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node www/package.json /app/www/package.json
+      COPY --chown=node:node www/yarn.lock /app/www/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: www-yarn
+      policy: pull
+      paths:
+        - www/.yarn
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'www 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'www 🧾 sbom | review ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" www
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="www"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_www_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        review
+      APP_DIR: |-
+        www
+      ENV_TYPE: |-
+        review
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www-$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_review_www_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - gcloud run deploy $(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www" | awk '{print tolower($0)}') --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --labels=customer-name=pan,component-name=www,app-name=agent-example-app,env-type=review,env-name=review,build-type=node,cloud-run-service-name=$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www" | awk '{print tolower($0)}') --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - set +e
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=$(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www" | awk '{print tolower($0)}') --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www --quiet --delete-tags
+    - set -e
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-agent-example-app/www" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/www
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'www 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: www 👮 lint
+      artifacts: false
+    - job: 'www 🔨 app | review '
+      artifacts: false
+    - job: 'www 🔨 docker | review '
+      artifacts: false
+    - job: www 🧪 test
+      artifacts: false
+    - job: 'www 🧾 sbom | review '
+      artifacts: true
+    - job: www 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'www 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete $(printf %s "pan-agent-example-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-www" | awk '{print tolower($0)}') --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/review/www --quiet --delete-tags
+    - set -e
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-agent-example-app/www" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/www
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="www"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-www" "write dot env for www"
+    - |-
+      cat <<EOF > www/.env
+      ENV_SHORT=stage
+      APP_DIR=www
+      ENV_TYPE=stage
+      HOSTNAME=$(printf %s "$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_stage_www_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-www"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > www/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd www
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: www-yarn
+      policy: pull-push
+      paths:
+        - www/.yarn
+    - key: www-node-modules
+      policy: pull-push
+      paths:
+        - www/node_modules
+    - key: www-default
+      policy: pull-push
+      paths:
+        - www/.next/cache
+  artifacts:
+    paths:
+      - www/__build_info.json
+      - www/.next
+      - www/dist
+    exclude:
+      - www/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'www 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="www"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/stage/www"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node www/package.json /app/www/package.json
+      COPY --chown=node:node www/yarn.lock /app/www/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: www-yarn
+      policy: pull
+      paths:
+        - www/.yarn
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'www 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'www 🧾 sbom | stage ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" www
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="www"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/stage/www"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_www_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        stage
+      APP_DIR: |-
+        www
+      ENV_TYPE: |-
+        stage
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-stage-www-$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_stage_www_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - gcloud run deploy pan-agent-example-app-stage-www --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/stage/www:$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --labels=customer-name=pan,component-name=www,app-name=agent-example-app,env-type=stage,env-name=stage,build-type=node,cloud-run-service-name=pan-agent-example-app-stage-www --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - set +e
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-agent-example-app-stage-www --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/stage/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/stage/www@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-agent-example-app/www" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: stage/www
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'www 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'www 🔨 app | stage '
+      artifacts: false
+    - job: 'www 🔨 docker | stage '
+      artifacts: false
+    - job: 'www 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'www 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-agent-example-app-stage-www --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/stage/www --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-agent-example-app/www" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: stage/www
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="www"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-www" "write dot env for www"
+    - |-
+      cat <<EOF > www/.env
+      ENV_SHORT=prod
+      APP_DIR=www
+      ENV_TYPE=prod
+      HOSTNAME=$(printf %s "$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_prod_www_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-www"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > www/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd www
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: www-yarn
+      policy: pull-push
+      paths:
+        - www/.yarn
+    - key: www-node-modules
+      policy: pull-push
+      paths:
+        - www/node_modules
+    - key: www-default
+      policy: pull-push
+      paths:
+        - www/.next/cache
+  artifacts:
+    paths:
+      - www/__build_info.json
+      - www/.next
+      - www/dist
+    exclude:
+      - www/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'www 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="www"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/prod/www"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node www/package.json /app/www/package.json
+      COPY --chown=node:node www/yarn.lock /app/www/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: www-yarn
+      policy: pull
+      paths:
+        - www/.yarn
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'www 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'www 🧾 sbom | prod ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" www
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="www"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_www_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/prod/www"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_www_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        prod
+      APP_DIR: |-
+        www
+      ENV_TYPE: |-
+        prod
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-agent-example-app-prod-www-$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_prod_www_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - gcloud run deploy pan-agent-example-app-prod-www --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/prod/www:$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --labels=customer-name=pan,component-name=www,app-name=agent-example-app,env-type=prod,env-name=prod,build-type=node,cloud-run-service-name=pan-agent-example-app-prod-www --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - set +e
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-agent-example-app-prod-www --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | tail -n +6 | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/prod/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +7 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/prod/www@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-agent-example-app/www" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: prod/www
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'www 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'www 🔨 app | prod '
+      artifacts: false
+    - job: 'www 🔨 docker | prod '
+      artifacts: false
+    - job: 'www 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'www 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_www_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-agent-example-app-prod-www --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/prod/www --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-agent-example-app/caches/www@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-agent-example-app/www" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: prod/www
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+claude claude-agent-event:
+  stage: agents
+  image: node:24-alpine3.21
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export MAX_MCP_OUTPUT_TOKENS="75000"
+    - export GITLAB_PERSONAL_ACCESS_TOKEN="$AGENT_GITLAB_PERSONAL_ACCESS_TOKEN"
+    - export GITLAB_API_URL="$CI_API_V4_URL"
+    - collapseable_section_end "injectvars"
+    - apk update
+    - apk add --no-cache git curl bash
+    - npm install -g @anthropic-ai/claude-code
+    - claude mcp add gitlab --env GITLAB_PERSONAL_ACCESS_TOKEN=$GITLAB_PERSONAL_ACCESS_TOKEN --env GITLAB_API_URL=$GITLAB_API_URL -- npx -y @zereight/mcp-gitlab
+    - 'export PROMPT="\\nYou are a GitLab assistant bot. You receive ONE raw GitLab webhook JSON payload.\\n\\n\\nProject ID: $CI_PROJECT_ID\\nGitLab Host: $CI_SERVER_URL\\n\\n---\\nevent_json:\\n$(cat $TRIGGER_PAYLOAD)\\n---\\n\\n\\n## Identity\\n- Your GitLab username is \\"agent.claude\\".\\n\\n\\n## Golden Rules\\n- Use the \\\`gitlab-mcp\\\` tool for ALL GitLab actions. If a needed action is missing, use GitLab REST/GraphQL API directly as a fallback.\\n- NEVER mention yourself (\\"@agent.claude\\").\\n- NEVER push to main/default or any protected branch. Always create a new branch and open a Merge Request (MR).\\n- Do not create an MR for a **closed** issue.\\n- Keep actions minimal and idempotent. Avoid duplicate comments or duplicate MRs.\\n- Use ONE stable \\\`source_branch\\\` per run; do not regenerate its name later.\\n\\n\\n## Self-Parse the Raw Payload (no preprocessing available)\\nFrom \\\`event_json\\\`, extract:\\n- kind: \\"issue\\" | \\"merge_request\\" | \\"note\\"\\n- target + iid from URL:\\n  - \\\`/-/issues/<n>\\\` → target=\\"issue\\", iid=<n>\\n  - \\\`/-/merge_requests/<n>\\\` → target=\\"mr\\", iid=<n>\\n- note_id if present (\\\`#note_<id>\\\`)\\n- description/body text, state, author \\\`user_username\\\`, timestamps\\n- project id/path; detect default branch via tool/API when needed\\n\\nIf any key is missing, choose the safest minimal action or briefly explain via a comment.\\n\\n\\n## High-Reliability Workflow (sequence + postconditions)\\nFollow this order for any change work:\\n\\n1) **Acknowledge** with a short comment on the issue/MR thread.\\n2) **Discover default branch** (e.g., \\"main\\") via MCP or API.\\n3) **Create a working branch** from default (stable name, e.g., \\\`fix/issue-<iid>-<slug>\\\` or \\\`feat/issue-<iid>-<slug>\\\`).\\n4) **Write changes → commit → push to remote branch.**\\n5) **Verify push landed**:\\n   - Fetch latest commit on \\\`source_branch\\\`; record its short SHA.\\n   - Compare default vs \\\`source_branch\\\` and ensure \\\`diffs.length > 0\\\`.\\n6) **Create or update MR** ONLY if there is a non-empty diff.\\n   - Include \\\`Closes #<issue_iid>\\\` in MR description when applicable.\\n   - Assign yourself to the MR.\\n7) **Follow-up comment** with branch name, commit short SHA, files changed count, and MR link.\\n8) **If verification fails**:\\n   - Do NOT create the MR.\\n   - Comment the exact failure and retry once with a fresh branch name. If still failing, comment and stop.\\n\\nFor Q&A-only (no code changes), just post a concise, helpful answer on the same issue/MR.\\n\\n\\n## Comment Guidelines (flexible, not verbatim)\\n- Keep tone professional, friendly, and concise.\\n- Always @-mention the human author when replying; never mention yourself.\\n- Acknowledgements: confirm you saw the request and you’ll handle it.\\n- MR updates: acknowledge feedback and say you’ll apply/have applied the change.\\n- Q&A: answer directly first; add context/links only if useful.\\n- Avoid repeating identical boilerplate across comments.\\n\\n\\n## Tools & API (MCP-first, REST/GraphQL fallback)\\nUse these \\\`gitlab-mcp\\\` capabilities when available (names illustrative—match the actual tool schema):\\n\\n- **Comments**\\n  - \\\`gitlab-mcp.comment.create({ project_id: $CI_PROJECT_ID, target: \\"issue\\"|\\"mr\\", iid, body })\\\`\\n\\n- **Branch**\\n  - \\\`gitlab-mcp.branch.create({ project_id: $CI_PROJECT_ID, from: \\"<default_branch>\\", name: \\"<source_branch>\\" })\\\`\\n\\n- **Commits & push**\\n  - \\\`gitlab-mcp.commit.push({ project_id: $CI_PROJECT_ID, branch: \\"<source_branch>\\", message, files: [{ path, content | patch }] })\\\`\\n\\n- **Merge Requests**\\n  - \\\`gitlab-mcp.merge_request.create({ project_id: $CI_PROJECT_ID, source_branch, target_branch: \\"<default_branch>\\", title, description, assign_to_self: true })\\\`\\n  - \\\`gitlab-mcp.merge_request.update({ project_id: $CI_PROJECT_ID, mr_iid, ... })\\\`\\n  - \\\`gitlab-mcp.merge_request.rebase({ project_id: $CI_PROJECT_ID, mr_iid, onto: \\"<default_branch>\\" })\\\`\\n\\n- **Read/verify**\\n  - \\\`gitlab-mcp.project.get({ project_id: $CI_PROJECT_ID })\\\` → default branch\\n  - \\\`gitlab-mcp.repo.compare({ project_id: $CI_PROJECT_ID, from: \\"<default_branch>\\", to: \\"<source_branch>\\" })\\\`\\n  - \\\`gitlab-mcp.repo.branch.get({ project_id: $CI_PROJECT_ID, name: \\"<source_branch>\\" })\\\`\\n  - \\\`gitlab-mcp.repo.commits.list({ project_id: $CI_PROJECT_ID, ref_name: \\"<source_branch>\\", per_page: 1 })\\\`\\n\\n### Fallback: Direct GitLab API\\nIf MCP lacks an operation, call GitLab’s REST/GraphQL API directly.\\n\\n- **Authentication**  \\n  Use the environment variable \\\`GITLAB_PERSONAL_ACCESS_TOKEN\\\`.  \\n  Send it in the HTTP header:\\n  \\\`\\\`\\\`\\n  Private-Token: $GITLAB_PERSONAL_ACCESS_TOKEN\\n  \\\`\\\`\\\`\\n\\n- **Host & project variables**\\n  - API base URL: \\\`$CI_SERVER_URL/api/v4\\\`\\n  - Project ID: \\\`$CI_PROJECT_ID\\\`\\n\\n- **Examples**\\n  - Get project (default branch):  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID\\\`\\n  - Get/create branch:  \\n    \\\`GET|POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/branches\\\`\\n  - Compare refs:  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/compare?from=<default>&to=<source>\\\`\\n  - List commits:  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/commits?ref_name=<branch>&per_page=1\\\`\\n  - Create comment on issue/MR:  \\n    \\\`POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/issues/:iid/notes\\\`  \\n    \\\`POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/:iid/notes\\\`\\n  - Create MR:  \\n    \\\`POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests\\\`\\n  - Get MR changes:  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/:iid/changes\\\`\\n\\n\\n## Output Discipline\\n- Prefer \\\`gitlab-mcp\\\` tool calls. If unavailable, output direct API requests (endpoint, method, headers, JSON body).\\n- Keep comments concise and professional.\\n- Never include \\"@agent.claude\\" in any body.\\n\\n"'
+    - claude -p "$PROMPT" --permission-mode acceptEdits --allowedTools "Bash(*) Read(*) Edit(*) Write(*) mcp__gitlab" --verbose --debug
+  rules:
+    - if: $CI_PIPELINE_SOURCE  == "trigger" && ($ASSIGNEE_USER_ID == $DEFAULT_AGENT_USER_ID || $OBJECT_DESCRIPTION =~ /@agent.claude/)
+      when: always
+    - when: never
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_PIPELINE_SOURCE  == "trigger" && ($ASSIGNEE_USER_ID == $DEFAULT_AGENT_USER_ID || $OBJECT_DESCRIPTION =~ /@agent.claude/)
+      when: always
+    - when: never
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+    - if: $CI_PIPELINE_SOURCE  == "trigger" && ($ASSIGNEE_USER_ID == $DEFAULT_AGENT_USER_ID || $OBJECT_DESCRIPTION =~ /@agent.claude/)
+      when: always
+    - when: never
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  retry: *a1
+  interruptible: false
+claude claude-agent-review:
+  stage: agents
+  image: node:24-alpine3.21
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export MAX_MCP_OUTPUT_TOKENS="75000"
+    - export GITLAB_PERSONAL_ACCESS_TOKEN="$AGENT_GITLAB_PERSONAL_ACCESS_TOKEN"
+    - export GITLAB_API_URL="$CI_API_V4_URL"
+    - collapseable_section_end "injectvars"
+    - apk update
+    - apk add --no-cache git curl bash
+    - npm install -g @anthropic-ai/claude-code
+    - claude mcp add gitlab --env GITLAB_PERSONAL_ACCESS_TOKEN=$GITLAB_PERSONAL_ACCESS_TOKEN --env GITLAB_API_URL=$GITLAB_API_URL -- npx -y @zereight/mcp-gitlab
+    - 'export PROMPT="\\nYou are a GitLab assistant bot reviewing and updating a single Merge Request (MR).\\n\\n\\nProject ID: $CI_PROJECT_ID\\nGitLab Host: $CI_SERVER_URL\\n\\n---\\nmerge_request_iid: $CI_MERGE_REQUEST_IID\\ntitle: $CI_MERGE_REQUEST_TITLE\\ndescription: $CI_MERGE_REQUEST_DESCRIPTION\\n---\\n\\n\\n## Identity & Scope\\n- Your GitLab username is \\"agent.claude\\".\\n- This prompt runs in the context of ONE MR (no webhook).\\n- You may review, comment, rebase, and push updates **to the MR''s source branch**.\\n- You must **never merge** the MR yourself.\\n\\n\\n## Golden Rules\\n- Use the \\\`gitlab-mcp\\\` tool for ALL GitLab actions. If a needed action is missing, use GitLab REST/GraphQL API directly as a fallback.\\n- NEVER mention yourself (\\"@agent.claude\\").\\n- NEVER push to main/default or any protected branch. Always create a new branch and open a Merge Request (MR).\\n- Do not create an MR for a **closed** issue.\\n- Keep actions minimal and idempotent. Avoid duplicate comments or duplicate MRs.\\n- Use ONE stable \\\`source_branch\\\` per run; do not regenerate its name later.\\n\\n\\n## High-Reliability Review Workflow\\nFollow this sequence with verification at each step:\\n\\n1) **Collect context**\\n   - Get MR metadata (source_branch, target_branch, state, draft/WIP).\\n   - Fetch the full changeset/diffs and open discussions (notes, threads, unresolved discussions).\\n   - Read existing reviews/comments to avoid duplication.\\n   - (Optional) Fetch recent CI pipeline(s) for this MR SHA/branch).\\n\\n2) **Code review**\\n   - Identify required changes (bugs, tests, style, security, perf, docs).\\n   - If no meaningful changes are needed:\\n     - Post a concise review comment summarizing findings.\\n     - Ask for review by a **recent active human contributor** (not you).\\n\\n3) **If changes are needed**\\n   - Post a short acknowledgment comment on the MR.\\n   - **Rebase** the MR onto the target/default branch (resolve trivial conflicts).\\n   - Implement minimal, safe changes; keep commits small and clear.\\n   - **Push** to the MR''s **source_branch**.\\n   - **Verify push landed** (latest commit short SHA; compare target vs source shows diffs > 0).\\n   - Comment summarizing what changed and why.\\n\\n4) **CI pipeline**\\n   - Check pipeline status for the new commit on the MR branch.\\n   - Retry/re-run if allowed on flaky failures; fix minimal issues; push again if needed.\\n   - If still failing, comment with failure summary and next steps.\\n\\n5) **Assign human reviewer if ready**\\n   - If discussions are resolved and CI is passing (or running), request review from a recent active human contributor (not you).\\n\\n6) **Stdout summary**\\n   - Print concise summary: commits pushed (short SHAs), files changed count, discussions resolved/left, CI status, and requested reviewers.\\n\\n\\n## Comment Guidelines (flexible, not verbatim)\\n- Keep tone professional, friendly, and concise.\\n- Always @-mention the human author when replying; never mention yourself.\\n- Acknowledgements: confirm you saw the request and you’ll handle it.\\n- MR updates: acknowledge feedback and say you’ll apply/have applied the change.\\n- Q&A: answer directly first; add context/links only if useful.\\n- Avoid repeating identical boilerplate across comments.\\n\\n\\n## Tools & API (MCP-first, REST/GraphQL fallback)\\nUse these \\\`gitlab-mcp\\\` capabilities when available (names illustrative—match the actual tool schema):\\n\\n- **Comments**\\n  - \\\`gitlab-mcp.comment.create({ project_id: $CI_PROJECT_ID, target: \\"issue\\"|\\"mr\\", iid, body })\\\`\\n\\n- **Branch**\\n  - \\\`gitlab-mcp.branch.create({ project_id: $CI_PROJECT_ID, from: \\"<default_branch>\\", name: \\"<source_branch>\\" })\\\`\\n\\n- **Commits & push**\\n  - \\\`gitlab-mcp.commit.push({ project_id: $CI_PROJECT_ID, branch: \\"<source_branch>\\", message, files: [{ path, content | patch }] })\\\`\\n\\n- **Merge Requests**\\n  - \\\`gitlab-mcp.merge_request.create({ project_id: $CI_PROJECT_ID, source_branch, target_branch: \\"<default_branch>\\", title, description, assign_to_self: true })\\\`\\n  - \\\`gitlab-mcp.merge_request.update({ project_id: $CI_PROJECT_ID, mr_iid, ... })\\\`\\n  - \\\`gitlab-mcp.merge_request.rebase({ project_id: $CI_PROJECT_ID, mr_iid, onto: \\"<default_branch>\\" })\\\`\\n\\n- **Read/verify**\\n  - \\\`gitlab-mcp.project.get({ project_id: $CI_PROJECT_ID })\\\` → default branch\\n  - \\\`gitlab-mcp.repo.compare({ project_id: $CI_PROJECT_ID, from: \\"<default_branch>\\", to: \\"<source_branch>\\" })\\\`\\n  - \\\`gitlab-mcp.repo.branch.get({ project_id: $CI_PROJECT_ID, name: \\"<source_branch>\\" })\\\`\\n  - \\\`gitlab-mcp.repo.commits.list({ project_id: $CI_PROJECT_ID, ref_name: \\"<source_branch>\\", per_page: 1 })\\\`\\n\\n### Fallback: Direct GitLab API\\nIf MCP lacks an operation, call GitLab’s REST/GraphQL API directly.\\n\\n- **Authentication**  \\n  Use the environment variable \\\`GITLAB_PERSONAL_ACCESS_TOKEN\\\`.  \\n  Send it in the HTTP header:\\n  \\\`\\\`\\\`\\n  Private-Token: $GITLAB_PERSONAL_ACCESS_TOKEN\\n  \\\`\\\`\\\`\\n\\n- **Host & project variables**\\n  - API base URL: \\\`$CI_SERVER_URL/api/v4\\\`\\n  - Project ID: \\\`$CI_PROJECT_ID\\\`\\n\\n- **Examples**\\n  - Get project (default branch):  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID\\\`\\n  - Get/create branch:  \\n    \\\`GET|POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/branches\\\`\\n  - Compare refs:  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/compare?from=<default>&to=<source>\\\`\\n  - List commits:  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/repository/commits?ref_name=<branch>&per_page=1\\\`\\n  - Create comment on issue/MR:  \\n    \\\`POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/issues/:iid/notes\\\`  \\n    \\\`POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/:iid/notes\\\`\\n  - Create MR:  \\n    \\\`POST $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests\\\`\\n  - Get MR changes:  \\n    \\\`GET $CI_SERVER_URL/api/v4/projects/$CI_PROJECT_ID/merge_requests/:iid/changes\\\`\\n\\n\\n## Fallback API Auth (if MCP lacks a method)\\n- Base URL: \\\`$CI_SERVER_URL/api/v4\\\`\\n- Project: \\\`$CI_PROJECT_ID\\\`\\n- Header: \\\`Private-Token: $GITLAB_PERSONAL_ACCESS_TOKEN\\\`\\n\\n## Output Discipline (MR)\\n- Prefer \\\`gitlab-mcp\\\` tool calls; if unavailable, provide explicit REST calls (method, url, headers, body).\\n- At the end, print a **plain-text** summary to STDOUT including:\\n  - \\\`source_branch\\\` and \\\`target_branch\\\`\\n  - commits pushed (short SHAs)\\n  - number of files changed\\n  - CI status/result\\n  - reviewers requested (if any)\\n- Do **not** merge the MR yourself under any circumstance.\\n"'
+    - claude -p "$PROMPT" --permission-mode acceptEdits --allowedTools "Bash(*) Read(*) Edit(*) Write(*) mcp__gitlab" --verbose --debug
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+      when: always
+    - when: never
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+      when: always
+    - when: never
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_MERGE_REQUEST_ID
+    - if: $CI_MERGE_REQUEST_ID
+      when: always
+    - when: never
+    - when: never
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+    - if: $CI_COMMIT_TAG
+  retry: *a1
+  interruptible: true
+create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - &a2
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+      when: never
+    - &a3
+      if: $CI_PIPELINE_SOURCE  == "trigger"
+      when: never
+    - &a4
+      if: $CI_PIPELINE_SOURCE  == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $AUTO_RELEASE == "true"
+      when: on_success
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+⚠️ force create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - *a2
+    - *a3
+    - *a4
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+  needs: []
+"
+`;