npm - @catladder/pipeline - Versions diffs - 3.9.3 → 3.10.0 - Mend

@catladder/pipeline 3.9.3 → 3.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/constants.js +1 -1
package/dist/deploy/cloudRun/index.js +7 -5
package/dist/deploy/cloudRun/utils/database.d.ts +21 -2
package/dist/deploy/cloudRun/utils/database.js +27 -6
package/dist/deploy/types/googleCloudRun.d.ts +10 -0
package/dist/tsconfig.tsbuildinfo +1 -1
package/examples/__snapshots__/cloud-run-with-sql-multiple-dbs.test.ts.snap +4515 -0
package/examples/cloud-run-with-sql-multiple-dbs.test.ts +11 -0
package/examples/cloud-run-with-sql-multiple-dbs.ts +87 -0
package/package.json +1 -1
package/src/deploy/cloudRun/index.ts +14 -5
package/src/deploy/cloudRun/utils/database.ts +93 -8
package/src/deploy/types/googleCloudRun.ts +11 -0

package/examples/__snapshots__/cloud-run-with-sql-multiple-dbs.test.ts.snap ADDED Viewed

@@ -0,0 +1,4515 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+exports[`matches snapshot for cloud-run-with-sql-multiple-dbs local pipeline YAML 1`] = `
+"image: path/to/docker/jobs-default:the-version
+stages:
+  - setup
+  - setup dev
+  - setup review
+  - setup stage
+  - setup prod
+  - test
+  - test dev
+  - test review
+  - test stage
+  - test prod
+  - build
+  - build dev
+  - build review
+  - build stage
+  - build prod
+  - deploy
+  - deploy dev
+  - deploy review
+  - deploy stage
+  - deploy prod
+  - verify
+  - verify dev
+  - verify review
+  - verify stage
+  - verify prod
+  - rollback
+  - rollback dev
+  - rollback review
+  - rollback stage
+  - rollback prod
+  - stop
+  - stop dev
+  - stop review
+  - stop stage
+  - stop prod
+  - release
+variables:
+  FF_USE_FASTZIP: 'true'
+  ARTIFACT_COMPRESSION_LEVEL: fast
+  CACHE_COMPRESSION_LEVEL: fast
+  TRANSFER_METER_FREQUENCY: 5s
+  GIT_DEPTH: '1'
+before_script:
+  - |-
+    function escapeForDotEnv () {
+    input="\${1:-$(cat)}"
+     input="\${input//$'\\n'/\\\\n}"
+      if [[ "$input" == *\\\\n* ]]; then
+        if [[ "$input" == *\\"* && "$input" == *\\'* && "$input" == *\\\`* ]]; then
+          printf "\\"%s\\"\\n" "$input"
+        elif [[ "$input" == *\\"* && "$input" == *\\'* ]]; then
+          printf "\`%s\`\\n" "$input"
+        elif [[ "$input" == *\\"* ]]; then
+          printf "'%s'\\n" "$input"
+        else
+          printf "\\"%s\\"\\n" "$input"
+        fi
+      else
+        printf "%s\\n" "$input"
+      fi
+    }
+  - |-
+    function collapseable_section_start () {
+    local section_title="\${1}"
+      local section_description="\${2:-$section_title}"
+      echo -e "section_start:\`date +%s\`:\${section_title}[collapsed=true]\\r\\e[0K\${section_description}"
+    }
+  - |-
+    function collapseable_section_end () {
+    local section_title="\${1}"
+      echo -e "section_end:\`date +%s\`:\${section_title}\\r\\e[0K"
+    }
+db1 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="packages/db1"
+    - collapseable_section_end "injectvars"
+    - cd packages/db1
+    - yarn npm audit --environment production
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: &a1
+    max: 2
+    when:
+      - runner_system_failure
+      - stuck_or_timeout_failure
+  interruptible: true
+  allow_failure: true
+db1 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="packages/db1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db1
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn lint
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull-push
+      paths:
+        - packages/db1/.yarn
+    - key: packagesdb1-node-modules
+      policy: pull-push
+      paths:
+        - packages/db1/node_modules
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+db1 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="packages/db1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db1
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn test
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull-push
+      paths:
+        - packages/db1/.yarn
+    - key: packagesdb1-node-modules
+      policy: pull-push
+      paths:
+        - packages/db1/node_modules
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'db1 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-dev-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_dev_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_dev_db1_DB_PASSWORD@localhost/pan-test-app-dev-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-dev-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db1-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db1" "write dot env for db1"
+    - |-
+      cat <<EOF > packages/db1/.env
+      ENV_SHORT=dev
+      APP_DIR=packages/db1
+      ENV_TYPE=dev
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-dev-db1
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_dev_db1_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://my-user:$CL_dev_db1_DB_PASSWORD@localhost/pan-test-app-dev-db1?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL=jdbc:postgresql:///pan-test-app-dev-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db1_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db1-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_dev_db1_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db1"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db1/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db1
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull-push
+      paths:
+        - packages/db1/.yarn
+    - key: packagesdb1-node-modules
+      policy: pull-push
+      paths:
+        - packages/db1/node_modules
+  artifacts:
+    paths:
+      - packages/db1/__build_info.json
+      - packages/db1/.next
+      - packages/db1/dist
+    exclude:
+      - packages/db1/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+'db1 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db1/package.json /app/packages/db1/package.json
+      COPY --chown=node:node packages/db1/yarn.lock /app/packages/db1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull
+      paths:
+        - packages/db1/.yarn
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - 'db1 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'db1 🧾 sbom | dev ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-dev-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_dev_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_dev_db1_DB_PASSWORD@localhost/pan-test-app-dev-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-dev-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db1-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_db1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        dev
+      APP_DIR: |-
+        packages/db1
+      ENV_TYPE: |-
+        dev
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-dev-db1-$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-dev-db1
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_dev_db1_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://my-user:$CL_dev_db1_DB_PASSWORD@localhost/pan-test-app-dev-db1?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///pan-test-app-dev-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db1_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db1-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_dev_db1_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-dev-db1 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ dev.*db1' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="pan-test-app-dev-db1-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute pan-test-app-dev-db1-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-dev-db1 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db1" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: dev/db1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db1 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - job: db1 👮 lint
+      artifacts: false
+    - job: 'db1 🔨 app | dev '
+      artifacts: false
+    - job: 'db1 🔨 docker | dev '
+      artifacts: false
+    - job: db1 🧪 test
+      artifacts: false
+    - job: 'db1 🧾 sbom | dev '
+      artifacts: true
+    - job: db1 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'db1 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job pan-test-app-dev-db1-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete pan-test-app-dev-db1-migrate --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db1 --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db1" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: dev/db1
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_review_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_review_db1_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s \\"pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db1\\" | awk '{print tolower($0)}')-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db1" "write dot env for db1"
+    - |-
+      cat <<EOF > packages/db1/.env
+      ENV_SHORT=review
+      APP_DIR=packages/db1
+      ENV_TYPE=review
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | escapeForDotEnv)
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_review_db1_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=$(printf %s "postgresql://my-user:$CL_review_db1_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?host=/cloudsql/projectId:region:instancename" | escapeForDotEnv)
+      DATABASE_JDBC_URL=$(printf %s "jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db1_DB_PASSWORD" | escapeForDotEnv)
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}')-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_review_db1_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db1"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db1/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db1
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull-push
+      paths:
+        - packages/db1/.yarn
+    - key: packagesdb1-node-modules
+      policy: pull-push
+      paths:
+        - packages/db1/node_modules
+  artifacts:
+    paths:
+      - packages/db1/__build_info.json
+      - packages/db1/.next
+      - packages/db1/dist
+    exclude:
+      - packages/db1/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'db1 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db1/package.json /app/packages/db1/package.json
+      COPY --chown=node:node packages/db1/yarn.lock /app/packages/db1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull
+      paths:
+        - packages/db1/.yarn
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'db1 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'db1 🧾 sbom | review ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_review_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_review_db1_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s \\"pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db1\\" | awk '{print tolower($0)}')-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_db1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        review
+      APP_DIR: |-
+        packages/db1
+      ENV_TYPE: |-
+        review
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1-$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | sed '1!s/^/  /')
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_review_db1_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        $(printf %s "postgresql://my-user:$CL_review_db1_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?host=/cloudsql/projectId:region:instancename" | sed '1!s/^/  /')
+      DATABASE_JDBC_URL: |-
+        $(printf %s "jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db1_DB_PASSWORD" | sed '1!s/^/  /')
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}')-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_review_db1_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ review.*db1' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}')-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}')-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}') --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1 --quiet --delete-tags
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db1" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/db1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db1 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: db1 👮 lint
+      artifacts: false
+    - job: 'db1 🔨 app | review '
+      artifacts: false
+    - job: 'db1 🔨 docker | review '
+      artifacts: false
+    - job: db1 🧪 test
+      artifacts: false
+    - job: 'db1 🧾 sbom | review '
+      artifacts: true
+    - job: db1 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'db1 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}')-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | awk '{print tolower($0)}')-migrate --project=google-project-id --region=europe-west6
+    - echo "deleting database pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1..."
+    - echo "👆 this can take multiple attemps (3-5min), because google cloud run may still have a connection to the database after the cloud run service is shut down"
+    - "\\n    until gcloud sql databases delete pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db1 --instance=instancename --project projectId\\n    do\\n      echo \\"Trying again.\\"\\n      sleep 10\\n    done\\n  "
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db1 --quiet --delete-tags
+    - set -e
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db1" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/db1
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-stage-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_stage_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_stage_db1_DB_PASSWORD@localhost/pan-test-app-stage-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-stage-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db1-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db1" "write dot env for db1"
+    - |-
+      cat <<EOF > packages/db1/.env
+      ENV_SHORT=stage
+      APP_DIR=packages/db1
+      ENV_TYPE=stage
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-stage-db1
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_stage_db1_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://my-user:$CL_stage_db1_DB_PASSWORD@localhost/pan-test-app-stage-db1?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL=jdbc:postgresql:///pan-test-app-stage-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db1_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db1-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_stage_db1_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db1"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db1/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db1
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull-push
+      paths:
+        - packages/db1/.yarn
+    - key: packagesdb1-node-modules
+      policy: pull-push
+      paths:
+        - packages/db1/node_modules
+  artifacts:
+    paths:
+      - packages/db1/__build_info.json
+      - packages/db1/.next
+      - packages/db1/dist
+    exclude:
+      - packages/db1/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'db1 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db1/package.json /app/packages/db1/package.json
+      COPY --chown=node:node packages/db1/yarn.lock /app/packages/db1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull
+      paths:
+        - packages/db1/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'db1 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'db1 🧾 sbom | stage ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-stage-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_stage_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_stage_db1_DB_PASSWORD@localhost/pan-test-app-stage-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-stage-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db1-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_db1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        stage
+      APP_DIR: |-
+        packages/db1
+      ENV_TYPE: |-
+        stage
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-stage-db1-$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-stage-db1
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_stage_db1_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://my-user:$CL_stage_db1_DB_PASSWORD@localhost/pan-test-app-stage-db1?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///pan-test-app-stage-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db1_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db1-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_stage_db1_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-stage-db1 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ stage.*db1' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="pan-test-app-stage-db1-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute pan-test-app-stage-db1-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-stage-db1 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db1" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: stage/db1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db1 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'db1 🔨 app | stage '
+      artifacts: false
+    - job: 'db1 🔨 docker | stage '
+      artifacts: false
+    - job: 'db1 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'db1 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job pan-test-app-stage-db1-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete pan-test-app-stage-db1-migrate --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db1 --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db1" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: stage/db1
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-prod-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_prod_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_prod_db1_DB_PASSWORD@localhost/pan-test-app-prod-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-prod-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db1-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db1" "write dot env for db1"
+    - |-
+      cat <<EOF > packages/db1/.env
+      ENV_SHORT=prod
+      APP_DIR=packages/db1
+      ENV_TYPE=prod
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-prod-db1
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_prod_db1_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://my-user:$CL_prod_db1_DB_PASSWORD@localhost/pan-test-app-prod-db1?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL=jdbc:postgresql:///pan-test-app-prod-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db1_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db1-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_prod_db1_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db1"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db1/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db1
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull-push
+      paths:
+        - packages/db1/.yarn
+    - key: packagesdb1-node-modules
+      policy: pull-push
+      paths:
+        - packages/db1/node_modules
+  artifacts:
+    paths:
+      - packages/db1/__build_info.json
+      - packages/db1/.next
+      - packages/db1/dist
+    exclude:
+      - packages/db1/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'db1 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db1"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db1/package.json /app/packages/db1/package.json
+      COPY --chown=node:node packages/db1/yarn.lock /app/packages/db1/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb1-yarn
+      policy: pull
+      paths:
+        - packages/db1/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'db1 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'db1 🧾 sbom | prod ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db1
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="packages/db1"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-prod-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_prod_db1_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_prod_db1_DB_PASSWORD@localhost/pan-test-app-prod-db1?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-prod-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db1_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db1-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_db1_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_db1_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        prod
+      APP_DIR: |-
+        packages/db1
+      ENV_TYPE: |-
+        prod
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-prod-db1-$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-prod-db1
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_prod_db1_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://my-user:$CL_prod_db1_DB_PASSWORD@localhost/pan-test-app-prod-db1?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///pan-test-app-prod-db1?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db1_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db1-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_prod_db1_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-prod-db1 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ prod.*db1' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="pan-test-app-prod-db1-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db1,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute pan-test-app-prod-db1-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-prod-db1 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | tail -n +6 | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +7 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db1" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: prod/db1
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db1 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'db1 🔨 app | prod '
+      artifacts: false
+    - job: 'db1 🔨 docker | prod '
+      artifacts: false
+    - job: 'db1 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db1 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_db1_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job pan-test-app-prod-db1-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete pan-test-app-prod-db1-migrate --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db1 --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db1@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db1" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: prod/db1
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+db2 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="packages/db2"
+    - collapseable_section_end "injectvars"
+    - cd packages/db2
+    - yarn npm audit --environment production
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+db2 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="packages/db2"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db2
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn lint
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull-push
+      paths:
+        - packages/db2/.yarn
+    - key: packagesdb2-node-modules
+      policy: pull-push
+      paths:
+        - packages/db2/node_modules
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+db2 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="packages/db2"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db2
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn test
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull-push
+      paths:
+        - packages/db2/.yarn
+    - key: packagesdb2-node-modules
+      policy: pull-push
+      paths:
+        - packages/db2/node_modules
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'db2 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-dev-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_dev_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-dev-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db2-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db2" "write dot env for db2"
+    - |-
+      cat <<EOF > packages/db2/.env
+      ENV_SHORT=dev
+      APP_DIR=packages/db2
+      ENV_TYPE=dev
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-dev-db2
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_dev_db2_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL=jdbc:postgresql:///pan-test-app-dev-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db2_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db2-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_dev_db2_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db2"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db2/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db2
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull-push
+      paths:
+        - packages/db2/.yarn
+    - key: packagesdb2-node-modules
+      policy: pull-push
+      paths:
+        - packages/db2/node_modules
+  artifacts:
+    paths:
+      - packages/db2/__build_info.json
+      - packages/db2/.next
+      - packages/db2/dist
+    exclude:
+      - packages/db2/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+'db2 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db2/package.json /app/packages/db2/package.json
+      COPY --chown=node:node packages/db2/yarn.lock /app/packages/db2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull
+      paths:
+        - packages/db2/.yarn
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - 'db2 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'db2 🧾 sbom | dev ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-dev-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_dev_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-dev-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db2-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_db2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        dev
+      APP_DIR: |-
+        packages/db2
+      ENV_TYPE: |-
+        dev
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-dev-db2-$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-dev-db2
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_dev_db2_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///pan-test-app-dev-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_dev_db2_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-dev-db2-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_dev_db2_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-dev-db2 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ dev.*db2' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="pan-test-app-dev-db2-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute pan-test-app-dev-db2-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-dev-db2 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db2" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: dev/db2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db2 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - job: db2 👮 lint
+      artifacts: false
+    - job: 'db2 🔨 app | dev '
+      artifacts: false
+    - job: 'db2 🔨 docker | dev '
+      artifacts: false
+    - job: db2 🧪 test
+      artifacts: false
+    - job: 'db2 🧾 sbom | dev '
+      artifacts: true
+    - job: db2 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'db2 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job pan-test-app-dev-db2-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete pan-test-app-dev-db2-migrate --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/db2 --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db2" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: dev/db2
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_review_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s \\"pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db2\\" | awk '{print tolower($0)}')-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db2" "write dot env for db2"
+    - |-
+      cat <<EOF > packages/db2/.env
+      ENV_SHORT=review
+      APP_DIR=packages/db2
+      ENV_TYPE=review
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | escapeForDotEnv)
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_review_db2_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=$(printf %s "postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename" | escapeForDotEnv)
+      DATABASE_JDBC_URL=$(printf %s "jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db2_DB_PASSWORD" | escapeForDotEnv)
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}')-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_review_db2_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db2"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db2/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db2
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull-push
+      paths:
+        - packages/db2/.yarn
+    - key: packagesdb2-node-modules
+      policy: pull-push
+      paths:
+        - packages/db2/node_modules
+  artifacts:
+    paths:
+      - packages/db2/__build_info.json
+      - packages/db2/.next
+      - packages/db2/dist
+    exclude:
+      - packages/db2/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'db2 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db2/package.json /app/packages/db2/package.json
+      COPY --chown=node:node packages/db2/yarn.lock /app/packages/db2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull
+      paths:
+        - packages/db2/.yarn
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'db2 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'db2 🧾 sbom | review ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_review_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s \\"pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db2\\" | awk '{print tolower($0)}')-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_db2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        review
+      APP_DIR: |-
+        packages/db2
+      ENV_TYPE: |-
+        review
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2-$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | sed '1!s/^/  /')
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_review_db2_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        $(printf %s "postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename" | sed '1!s/^/  /')
+      DATABASE_JDBC_URL: |-
+        $(printf %s "jdbc:postgresql:///pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_review_db2_DB_PASSWORD" | sed '1!s/^/  /')
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}')-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_review_db2_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ review.*db2' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}')-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}')-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}') --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2 --quiet --delete-tags
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db2" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/db2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db2 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: db2 👮 lint
+      artifacts: false
+    - job: 'db2 🔨 app | review '
+      artifacts: false
+    - job: 'db2 🔨 docker | review '
+      artifacts: false
+    - job: db2 🧪 test
+      artifacts: false
+    - job: 'db2 🧾 sbom | review '
+      artifacts: true
+    - job: db2 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'db2 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}')-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2" | awk '{print tolower($0)}')-migrate --project=google-project-id --region=europe-west6
+    - echo "deleting database pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2..."
+    - echo "👆 this can take multiple attemps (3-5min), because google cloud run may still have a connection to the database after the cloud run service is shut down"
+    - "\\n    until gcloud sql databases delete pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db2 --instance=instancename --project projectId\\n    do\\n      echo \\"Trying again.\\"\\n      sleep 10\\n    done\\n  "
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/db2 --quiet --delete-tags
+    - set -e
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db2" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/db2
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-stage-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_stage_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-stage-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db2-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db2" "write dot env for db2"
+    - |-
+      cat <<EOF > packages/db2/.env
+      ENV_SHORT=stage
+      APP_DIR=packages/db2
+      ENV_TYPE=stage
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-stage-db2
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_stage_db2_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL=jdbc:postgresql:///pan-test-app-stage-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db2_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db2-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_stage_db2_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db2"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db2/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db2
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull-push
+      paths:
+        - packages/db2/.yarn
+    - key: packagesdb2-node-modules
+      policy: pull-push
+      paths:
+        - packages/db2/node_modules
+  artifacts:
+    paths:
+      - packages/db2/__build_info.json
+      - packages/db2/.next
+      - packages/db2/dist
+    exclude:
+      - packages/db2/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'db2 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db2/package.json /app/packages/db2/package.json
+      COPY --chown=node:node packages/db2/yarn.lock /app/packages/db2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull
+      paths:
+        - packages/db2/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'db2 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'db2 🧾 sbom | stage ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-stage-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_stage_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-stage-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db2-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_db2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        stage
+      APP_DIR: |-
+        packages/db2
+      ENV_TYPE: |-
+        stage
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-stage-db2-$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-stage-db2
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_stage_db2_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///pan-test-app-stage-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_stage_db2_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-stage-db2-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_stage_db2_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-stage-db2 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ stage.*db2' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="pan-test-app-stage-db2-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute pan-test-app-stage-db2-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-stage-db2 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db2" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: stage/db2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db2 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'db2 🔨 app | stage '
+      artifacts: false
+    - job: 'db2 🔨 docker | stage '
+      artifacts: false
+    - job: 'db2 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'db2 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job pan-test-app-stage-db2-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete pan-test-app-stage-db2-migrate --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/db2 --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db2" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: stage/db2
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-prod-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_prod_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-prod-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db2-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-db2" "write dot env for db2"
+    - |-
+      cat <<EOF > packages/db2/.env
+      ENV_SHORT=prod
+      APP_DIR=packages/db2
+      ENV_TYPE=prod
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-prod-db2
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_prod_db2_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL=jdbc:postgresql:///pan-test-app-prod-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db2_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate=https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db2-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_prod_db2_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "write-dotenv-db2"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > packages/db2/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd packages/db2
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull-push
+      paths:
+        - packages/db2/.yarn
+    - key: packagesdb2-node-modules
+      policy: pull-push
+      paths:
+        - packages/db2/node_modules
+  artifacts:
+    paths:
+      - packages/db2/__build_info.json
+      - packages/db2/.next
+      - packages/db2/dist
+    exclude:
+      - packages/db2/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'db2 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="packages/db2"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node packages/db2/package.json /app/packages/db2/package.json
+      COPY --chown=node:node packages/db2/yarn.lock /app/packages/db2/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: packagesdb2-yarn
+      policy: pull
+      paths:
+        - packages/db2/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'db2 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'db2 🧾 sbom | prod ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" packages/db2
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="packages/db2"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-prod-db2"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_prod_db2_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///pan-test-app-prod-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db2_DB_PASSWORD"
+    - export CLOUD_RUN_JOB_TRIGGER_URL_migrate="https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db2-migrate:run"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_db2_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"CLOUD_RUN_JOB_TRIGGER_URL_migrate\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_db2_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        prod
+      APP_DIR: |-
+        packages/db2
+      ENV_TYPE: |-
+        prod
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-prod-db2-$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-prod-db2
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_prod_db2_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///pan-test-app-prod-db2?cloudSqlInstance=projectId:region:instancename&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=my-user&password=$CL_prod_db2_DB_PASSWORD
+      CLOUD_RUN_JOB_TRIGGER_URL_migrate: |-
+        https://europe-west6-run.googleapis.com/apis/run.googleapis.com/v1/namespaces/google-project-id/jobs/pan-test-app-prod-db2-migrate:run
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_prod_db2_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","CLOUD_RUN_JOB_TRIGGER_URL_migrate","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-prod-db2 --instance=instancename --project projectId
+    - set -e
+    - |-
+      exist_job_names="$(
+        gcloud run jobs list --filter='metadata.name ~ prod.*db2' --format='value(name)' --limit=999 --project='google-project-id' --region='europe-west6'
+      )"
+      current_job_name="pan-test-app-prod-db2-migrate"
+      if grep "$current_job_name" <<<"$exist_job_names" >/dev/null; then
+        gcloud run jobs update "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      else
+        gcloud run jobs create "$current_job_name" --command="yarn,migrate" --labels="customer-name=pan,component-name=db2,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-job-name=$current_job_name" --image="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2:$DOCKER_IMAGE_TAG" --project=google-project-id --region=europe-west6 --memory=512Mi --parallelism=1 --task-timeout=10m --env-vars-file=____envvars.yaml --max-retries=0 --set-cloudsql-instances=projectId:region:instancename
+      fi
+    - gcloud run jobs execute pan-test-app-prod-db2-migrate --project=google-project-id --region=europe-west6
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-prod-db2 --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | tail -n +6 | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +7 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/db2" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: prod/db2
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'db2 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'db2 🔨 app | prod '
+      artifacts: false
+    - job: 'db2 🔨 docker | prod '
+      artifacts: false
+    - job: 'db2 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'db2 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_db2_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run jobs executions list --project=google-project-id --region=europe-west6 --job pan-test-app-prod-db2-migrate --format="value(name)" | xargs -I {} gcloud run jobs executions delete {}  --quiet --project=google-project-id --region=europe-west6
+    - gcloud run jobs delete pan-test-app-prod-db2-migrate --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/db2 --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2 --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/db2@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/db2" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: prod/db2
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+api 🛡 audit:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="api"
+    - collapseable_section_end "injectvars"
+    - cd api
+    - yarn npm audit --environment production
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+api 👮 lint:
+  stage: test
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="api"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd api
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn lint
+  cache:
+    - key: api-yarn
+      policy: pull-push
+      paths:
+        - api/.yarn
+    - key: api-node-modules
+      policy: pull-push
+      paths:
+        - api/node_modules
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+api 🧪 test:
+  stage: test
+  image: path/to/docker/jobs-testing-chrome:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_PATH="api"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd api
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn test
+  cache:
+    - key: api-yarn
+      policy: pull-push
+      paths:
+        - api/.yarn
+    - key: api-node-modules
+      policy: pull-push
+      paths:
+        - api/node_modules
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'api 🔨 app | dev ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="api"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-dev-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_dev_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-api" "write dot env for api"
+    - |-
+      cat <<EOF > api/.env
+      ENV_SHORT=dev
+      APP_DIR=api
+      ENV_TYPE=dev
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-dev-db1
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_dev_api_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL=jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_dev_api_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      DATABASE_URL_2=postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "write-dotenv-api"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > api/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd api
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build:worker
+  cache:
+    - key: api-yarn
+      policy: pull-push
+      paths:
+        - api/.yarn
+    - key: api-node-modules
+      policy: pull-push
+      paths:
+        - api/node_modules
+  artifacts:
+    paths:
+      - api/__build_info.json
+      - api/.next
+      - api/dist
+    exclude:
+      - api/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+'api 🔨 docker | dev ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="api"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/api"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node api/package.json /app/api/package.json
+      COPY --chown=node:node api/yarn.lock /app/api/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: api-yarn
+      policy: pull
+      paths:
+        - api/.yarn
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - 'api 🔨 app | dev '
+  retry: *a1
+  interruptible: true
+'api 🧾 sbom | dev ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" api
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🚀 Deploy | dev ':
+  stage: deploy dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="dev"
+    - export APP_DIR="api"
+    - export ENV_TYPE="dev"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-dev-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_dev_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_dev_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/api"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_api_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        dev
+      APP_DIR: |-
+        api
+      ENV_TYPE: |-
+        dev
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-dev-api-$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-dev-db1
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_dev_api_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_dev_api_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      DATABASE_URL_2: |-
+        postgresql://my-user:$CL_dev_db2_DB_PASSWORD@localhost/pan-test-app-dev-db2?host=/cloudsql/projectId:region:instancename
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-dev-db1 --instance=instancename --project projectId
+    - set -e
+    - gcloud run deploy pan-test-app-dev-api --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/api:$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --set-cloudsql-instances=projectId:region:instancename --labels=customer-name=pan,component-name=api,app-name=test-app,env-type=dev,env-name=dev,build-type=node,cloud-run-service-name=pan-test-app-dev-api --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-dev-api --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/api@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/api" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: dev/api
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'api 🛑 Stop ⚠️ | dev '
+    auto_stop_in: 4 weeks
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs:
+    - job: api 👮 lint
+      artifacts: false
+    - job: 'api 🔨 app | dev '
+      artifacts: false
+    - job: 'api 🔨 docker | dev '
+      artifacts: false
+    - job: api 🧪 test
+      artifacts: false
+    - job: 'api 🧾 sbom | dev '
+      artifacts: true
+    - job: api 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'api 🛑 Stop ⚠️ | dev ':
+  stage: stop dev
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_dev_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-dev-api --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/dev/api --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/api" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: dev/api
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE !~ /^chore\\(release\\).*/
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🔨 app | review ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="api"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_review_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-api" "write dot env for api"
+    - |-
+      cat <<EOF > api/.env
+      ENV_SHORT=review
+      APP_DIR=api
+      ENV_TYPE=review
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | escapeForDotEnv)
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_review_api_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL=jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_review_api_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      DATABASE_URL_2=$(printf %s "postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename" | escapeForDotEnv)
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "write-dotenv-api"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > api/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd api
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build:worker
+  cache:
+    - key: api-yarn
+      policy: pull-push
+      paths:
+        - api/.yarn
+    - key: api-node-modules
+      policy: pull-push
+      paths:
+        - api/node_modules
+  artifacts:
+    paths:
+      - api/__build_info.json
+      - api/.next
+      - api/dist
+    exclude:
+      - api/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+'api 🔨 docker | review ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="api"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node api/package.json /app/api/package.json
+      COPY --chown=node:node api/yarn.lock /app/api/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: api-yarn
+      policy: pull
+      paths:
+        - api/.yarn
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs:
+    - 'api 🔨 app | review '
+  retry: *a1
+  interruptible: true
+'api 🧾 sbom | review ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" api
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🚀 Deploy | review ':
+  stage: deploy review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="review"
+    - export APP_DIR="api"
+    - export ENV_TYPE="review"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_review_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_review_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_review_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_api_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        review
+      APP_DIR: |-
+        api
+      ENV_TYPE: |-
+        review
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api-$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1" | sed '1!s/^/  /')
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_review_api_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_review_api_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      DATABASE_URL_2: |-
+        $(printf %s "postgresql://my-user:$CL_review_db2_DB_PASSWORD@localhost/pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db2?host=/cloudsql/projectId:region:instancename" | sed '1!s/^/  /')
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1 --instance=instancename --project projectId
+    - set -e
+    - gcloud run deploy $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api" | awk '{print tolower($0)}') --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }):$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --set-cloudsql-instances=projectId:region:instancename --labels=customer-name=pan,component-name=api,app-name=test-app,env-type=review,env-name=review,build-type=node,cloud-run-service-name=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api" | awk '{print tolower($0)}') --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=$(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api" | awk '{print tolower($0)}') --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api --quiet --delete-tags
+    - set -e
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/api" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/api
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'api 🛑 Stop ⚠️ | review '
+    auto_stop_in: 1 week
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_MERGE_REQUEST_ID
+  needs:
+    - job: api 👮 lint
+      artifacts: false
+    - job: 'api 🔨 app | review '
+      artifacts: false
+    - job: 'api 🔨 docker | review '
+      artifacts: false
+    - job: api 🧪 test
+      artifacts: false
+    - job: 'api 🧾 sbom | review '
+      artifacts: true
+    - job: api 🛡 audit
+      artifacts: false
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'api 🛑 Stop ⚠️ | review ':
+  stage: stop review
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_review_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete $(printf %s "pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-api" | awk '{print tolower($0)}') --project=google-project-id --region=europe-west6
+    - echo "deleting database pan-test-app-review-$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; })-db1..."
+    - echo "👆 this can take multiple attemps (3-5min), because google cloud run may still have a connection to the database after the cloud run service is shut down"
+    - "\\n    until gcloud sql databases delete pan-test-app-review-$([ -n \\"$CI_MERGE_REQUEST_IID\\" ] && echo \\"mr$CI_MERGE_REQUEST_IID\\" || { [ -n \\"$CI_COMMIT_REF_SLUG\\" ] && echo \\"$CI_COMMIT_REF_SLUG\\" || echo \\"unknown\\"; })-db1 --instance=instancename --project projectId\\n    do\\n      echo \\"Trying again.\\"\\n      sleep 10\\n    done\\n  "
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api/$([ -n "$CI_MERGE_REQUEST_IID" ] && echo "mr$CI_MERGE_REQUEST_IID" || { [ -n "$CI_COMMIT_REF_SLUG" ] && echo "$CI_COMMIT_REF_SLUG" || echo "unknown"; }) --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - set +e
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/review/api --quiet --delete-tags
+    - set -e
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/api" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: review/$CI_COMMIT_REF_NAME/api
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_MERGE_REQUEST_ID
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🔨 app | stage ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="api"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-stage-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_stage_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-api" "write dot env for api"
+    - |-
+      cat <<EOF > api/.env
+      ENV_SHORT=stage
+      APP_DIR=api
+      ENV_TYPE=stage
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-stage-db1
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_stage_api_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL=jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_stage_api_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      DATABASE_URL_2=postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "write-dotenv-api"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > api/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd api
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build:worker
+  cache:
+    - key: api-yarn
+      policy: pull-push
+      paths:
+        - api/.yarn
+    - key: api-node-modules
+      policy: pull-push
+      paths:
+        - api/node_modules
+  artifacts:
+    paths:
+      - api/__build_info.json
+      - api/.next
+      - api/dist
+    exclude:
+      - api/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'api 🔨 docker | stage ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="api"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/api"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node api/package.json /app/api/package.json
+      COPY --chown=node:node api/yarn.lock /app/api/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: api-yarn
+      policy: pull
+      paths:
+        - api/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'api 🔨 app | stage '
+  retry: *a1
+  interruptible: true
+'api 🧾 sbom | stage ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" api
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🚀 Deploy | stage ':
+  stage: deploy stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="stage"
+    - export APP_DIR="api"
+    - export ENV_TYPE="stage"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-stage-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_stage_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_stage_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/api"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_api_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        stage
+      APP_DIR: |-
+        api
+      ENV_TYPE: |-
+        stage
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-stage-api-$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-stage-db1
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_stage_api_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_stage_api_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      DATABASE_URL_2: |-
+        postgresql://my-user:$CL_stage_db2_DB_PASSWORD@localhost/pan-test-app-stage-db2?host=/cloudsql/projectId:region:instancename
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-stage-db1 --instance=instancename --project projectId
+    - set -e
+    - gcloud run deploy pan-test-app-stage-api --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/api:$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --set-cloudsql-instances=projectId:region:instancename --labels=customer-name=pan,component-name=api,app-name=test-app,env-type=stage,env-name=stage,build-type=node,cloud-run-service-name=pan-test-app-stage-api --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-stage-api --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/api@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/api" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: stage/api
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'api 🛑 Stop ⚠️ | stage '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: on_success
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'api 🔨 app | stage '
+      artifacts: false
+    - job: 'api 🔨 docker | stage '
+      artifacts: false
+    - job: 'api 🧾 sbom | stage '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: false
+'api 🛑 Stop ⚠️ | stage ':
+  stage: stop stage
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_stage_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-stage-api --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/stage/api --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/api" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: stage/api
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🔨 app | prod ':
+  stage: build
+  image: path/to/docker/jobs-default:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 4Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="api"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-prod-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_prod_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "write-dotenv-api" "write dot env for api"
+    - |-
+      cat <<EOF > api/.env
+      ENV_SHORT=prod
+      APP_DIR=api
+      ENV_TYPE=prod
+      HOSTNAME=$(printf %s "$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL=$(printf %s "https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      HOSTNAME_INTERNAL=$(printf %s "$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      ROOT_URL_INTERNAL=$(printf %s "https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | escapeForDotEnv)
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME=projectId:region:instancename
+      DB_NAME=pan-test-app-prod-db1
+      DB_USER=my-user
+      DB_PASSWORD=$(printf %s "$CL_prod_api_DB_PASSWORD" | escapeForDotEnv)
+      DATABASE_URL=postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL=jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID=google-project-id
+      DEPLOY_CLOUD_RUN_REGION=europe-west6
+      GCLOUD_DEPLOY_credentialsKey=$(printf %s "$CL_prod_api_GCLOUD_DEPLOY_credentialsKey" | escapeForDotEnv)
+      GCLOUD_RUN_canonicalHostSuffix=$(printf %s "$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | escapeForDotEnv)
+      DATABASE_URL_2=postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename
+      _ALL_ENV_VAR_KEYS=["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "write-dotenv-api"
+    - echo '{"id":"$(git describe --tags 2>/dev/null || git rev-parse HEAD)","time":"$CI_JOB_STARTED_AT"}' > api/__build_info.json
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - cd api
+    - collapseable_section_start "nodeinstall" "Ensure node version"
+    - if [ -f ~/.nvm/nvm.sh ];  then source ~/.nvm/nvm.sh; fi
+    - if command -v nvm &> /dev/null && [ -f ./.nvmrc ]; then nvm install; fi
+    - collapseable_section_end "nodeinstall"
+    - collapseable_section_start "yarninstall" "Yarn install"
+    - yarn install --immutable
+    - collapseable_section_end "yarninstall"
+    - yarn build:worker
+  cache:
+    - key: api-yarn
+      policy: pull-push
+      paths:
+        - api/.yarn
+    - key: api-node-modules
+      policy: pull-push
+      paths:
+        - api/node_modules
+  artifacts:
+    paths:
+      - api/__build_info.json
+      - api/.next
+      - api/dist
+    exclude:
+      - api/.env
+    expire_in: 1 day
+    when: always
+    reports: {}
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+'api 🔨 docker | prod ':
+  stage: build
+  image: path/to/docker/docker-build:the-version
+  services:
+    - name: docker:24.0.6-dind
+      command:
+        - --tls=false
+        - --registry-mirror=https://mirror.gcr.io
+  variables:
+    DOCKER_HOST: tcp://docker:2375
+    DOCKER_TLS_CERTDIR: ''
+    DOCKER_DRIVER: overlay2
+    DOCKER_BUILDKIT: '1'
+    KUBERNETES_CPU_REQUEST: '0.45'
+    KUBERNETES_MEMORY_REQUEST: 1Gi
+    KUBERNETES_MEMORY_LIMIT: 2Gi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export APP_DIR="api"
+    - export DOCKER_BUILD_CONTEXT="."
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/api"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - |-
+      export DOCKER_COPY_AND_INSTALL_APP="COPY --chown=node:node $APP_DIR .
+      RUN yarn plugin import workspace-tools
+      RUN yarn workspaces focus --production && yarn rebuild"
+    - |-
+      export DOCKER_COPY_WORKSPACE_FILES="COPY --chown=node:node api/package.json /app/api/package.json
+      COPY --chown=node:node api/yarn.lock /app/api/yarn.lock
+      COPY --chown=node:node .yarnrc.yml /app/.yarnrc.yml
+      COPY --chown=node:node .yarn /app/.yarn"
+    - collapseable_section_end "injectvars"
+    - ensureNodeDockerfile
+    - collapseable_section_start "docker-login" "Docker Login"
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud auth configure-docker europe-west6-docker.pkg.dev
+    - collapseable_section_end "docker-login"
+    - collapseable_section_start "docker-build" "Docker build"
+    - docker build --network host --cache-from $DOCKER_CACHE_IMAGE --tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG -f $APP_DIR/Dockerfile $DOCKER_BUILD_CONTEXT --build-arg BUILDKIT_INLINE_CACHE=1
+    - collapseable_section_end "docker-build"
+    - collapseable_section_start "docker-push" "Docker push and tag"
+    - docker push $DOCKER_IMAGE:$DOCKER_IMAGE_TAG
+    - docker tag $DOCKER_IMAGE:$DOCKER_IMAGE_TAG $DOCKER_CACHE_IMAGE
+    - docker push $DOCKER_CACHE_IMAGE
+    - collapseable_section_end "docker-push"
+  cache:
+    - key: api-yarn
+      policy: pull
+      paths:
+        - api/.yarn
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs:
+    - 'api 🔨 app | prod '
+  retry: *a1
+  interruptible: true
+'api 🧾 sbom | prod ':
+  stage: build
+  image:
+    name: aquasec/trivy:0.58.2
+    entrypoint:
+      - ''
+  variables: {}
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - collapseable_section_end "injectvars"
+    - trivy fs --quiet --format cyclonedx --output "__sbom.json" api
+  artifacts:
+    paths:
+      - __sbom.json
+  rules:
+    - if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🚀 Deploy | prod ':
+  stage: deploy prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export ENV_SHORT="prod"
+    - export APP_DIR="api"
+    - export ENV_TYPE="prod"
+    - export BUILD_INFO_BUILD_ID="$(git describe --tags 2>/dev/null || git rev-parse HEAD)"
+    - export BUILD_INFO_BUILD_TIME="$CI_JOB_STARTED_AT"
+    - export BUILD_INFO_CURRENT_VERSION="$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")"
+    - export HOSTNAME="$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL="https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export HOSTNAME_INTERNAL="$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export ROOT_URL_INTERNAL="https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')"
+    - export CLOUD_SQL_INSTANCE_CONNECTION_NAME="projectId:region:instancename"
+    - export DB_NAME="pan-test-app-prod-db1"
+    - export DB_USER="my-user"
+    - export DB_PASSWORD="$CL_prod_api_DB_PASSWORD"
+    - export DATABASE_URL="postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME"
+    - export DATABASE_JDBC_URL="jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD"
+    - export DEPLOY_CLOUD_RUN_PROJECT_ID="google-project-id"
+    - export DEPLOY_CLOUD_RUN_REGION="europe-west6"
+    - export GCLOUD_DEPLOY_credentialsKey="$CL_prod_api_GCLOUD_DEPLOY_credentialsKey"
+    - export GCLOUD_RUN_canonicalHostSuffix="$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix"
+    - export DATABASE_URL_2="postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename"
+    - export _ALL_ENV_VAR_KEYS="[\\"ENV_SHORT\\",\\"APP_DIR\\",\\"ENV_TYPE\\",\\"BUILD_INFO_BUILD_ID\\",\\"BUILD_INFO_BUILD_TIME\\",\\"BUILD_INFO_CURRENT_VERSION\\",\\"HOSTNAME\\",\\"ROOT_URL\\",\\"HOSTNAME_INTERNAL\\",\\"ROOT_URL_INTERNAL\\",\\"CLOUD_SQL_INSTANCE_CONNECTION_NAME\\",\\"DB_NAME\\",\\"DB_USER\\",\\"DB_PASSWORD\\",\\"DATABASE_URL\\",\\"DATABASE_JDBC_URL\\",\\"DEPLOY_CLOUD_RUN_PROJECT_ID\\",\\"DEPLOY_CLOUD_RUN_REGION\\",\\"GCLOUD_DEPLOY_credentialsKey\\",\\"GCLOUD_RUN_canonicalHostSuffix\\",\\"DATABASE_URL_2\\"]"
+    - export DOCKER_REGISTRY="europe-west6-docker.pkg.dev"
+    - export DOCKER_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/api"
+    - export DOCKER_CACHE_IMAGE="europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api"
+    - export DOCKER_IMAGE_TAG="$CI_COMMIT_SHA"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - collapseable_section_start "prepare" "Prepare..."
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_api_GCLOUD_DEPLOY_credentialsKey")
+    - export GCLOUD_PROJECT_NUMBER=$(gcloud projects describe google-project-id --format="value(projectNumber)")
+    - 'echo "GCLOUD_PROJECT_NUMBER: $GCLOUD_PROJECT_NUMBER"'
+    - collapseable_section_end "prepare"
+    - collapseable_section_start "writeenvvars" "Write env vars to file"
+    - |
+      cat > ____envvars.yaml <<EOF
+      ENV_SHORT: |-
+        prod
+      APP_DIR: |-
+        api
+      ENV_TYPE: |-
+        prod
+      BUILD_INFO_BUILD_ID: |-
+        $(printf %s "$(git describe --tags 2>/dev/null || git rev-parse HEAD)" | sed '1!s/^/  /')
+      BUILD_INFO_BUILD_TIME: |-
+        $(printf %s "$CI_JOB_STARTED_AT" | sed '1!s/^/  /')
+      BUILD_INFO_CURRENT_VERSION: |-
+        $(printf %s "$(tag=$(git ls-remote origin "refs/tags/v*[0-9]" 2>/dev/null | cut -f 2- | sort -V | tail -1 | sed 's/refs\\/tags\\/v//'); [ -z "$tag" ] && echo "0.0.0" || echo "$tag")" | sed '1!s/^/  /')
+      HOSTNAME: |-
+        $(printf %s "$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      HOSTNAME_INTERNAL: |-
+        $(printf %s "$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      ROOT_URL_INTERNAL: |-
+        $(printf %s "https://$(printf %s "pan-test-app-prod-api-$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | awk '{print tolower($0)}')" | sed '1!s/^/  /')
+      CLOUD_SQL_INSTANCE_CONNECTION_NAME: |-
+        projectId:region:instancename
+      DB_NAME: |-
+        pan-test-app-prod-db1
+      DB_USER: |-
+        my-user
+      DB_PASSWORD: |-
+        $(printf %s "$CL_prod_api_DB_PASSWORD" | sed '1!s/^/  /')
+      DATABASE_URL: |-
+        postgresql://$DB_USER:$DB_PASSWORD@localhost/$DB_NAME?host=/cloudsql/$CLOUD_SQL_INSTANCE_CONNECTION_NAME
+      DATABASE_JDBC_URL: |-
+        jdbc:postgresql:///$DB_NAME?cloudSqlInstance=$CLOUD_SQL_INSTANCE_CONNECTION_NAME&socketFactory=com.google.cloud.sql.postgres.SocketFactory&user=$DB_USER&password=$DB_PASSWORD
+      DEPLOY_CLOUD_RUN_PROJECT_ID: |-
+        google-project-id
+      DEPLOY_CLOUD_RUN_REGION: |-
+        europe-west6
+      GCLOUD_RUN_canonicalHostSuffix: |-
+        $(printf %s "$CL_prod_api_GCLOUD_RUN_canonicalHostSuffix" | sed '1!s/^/  /')
+      DATABASE_URL_2: |-
+        postgresql://my-user:$CL_prod_db2_DB_PASSWORD@localhost/pan-test-app-prod-db2?host=/cloudsql/projectId:region:instancename
+      _ALL_ENV_VAR_KEYS: |-
+        ["ENV_SHORT","APP_DIR","ENV_TYPE","BUILD_INFO_BUILD_ID","BUILD_INFO_BUILD_TIME","BUILD_INFO_CURRENT_VERSION","HOSTNAME","ROOT_URL","HOSTNAME_INTERNAL","ROOT_URL_INTERNAL","CLOUD_SQL_INSTANCE_CONNECTION_NAME","DB_NAME","DB_USER","DB_PASSWORD","DATABASE_URL","DATABASE_JDBC_URL","DEPLOY_CLOUD_RUN_PROJECT_ID","DEPLOY_CLOUD_RUN_REGION","GCLOUD_DEPLOY_credentialsKey","GCLOUD_RUN_canonicalHostSuffix","DATABASE_URL_2"]
+      EOF
+    - collapseable_section_end "writeenvvars"
+    - collapseable_section_start "deploy" "Deploy to cloud run"
+    - set +e
+    - echo "ensuring Database..."
+    - gcloud sql databases create pan-test-app-prod-db1 --instance=instancename --project projectId
+    - set -e
+    - gcloud run deploy pan-test-app-prod-api --command="yarn,start" --image=europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/api:$DOCKER_IMAGE_TAG --project=google-project-id --region=europe-west6 --set-cloudsql-instances=projectId:region:instancename --labels=customer-name=pan,component-name=api,app-name=test-app,env-type=prod,env-name=prod,build-type=node,cloud-run-service-name=pan-test-app-prod-api --env-vars-file=____envvars.yaml --min-instances=0 --max-instances=100 --cpu-throttling --allow-unauthenticated --ingress=all --cpu-boost
+    - collapseable_section_end "deploy"
+    - collapseable_section_start "cleanup" "Cleanup"
+    - gcloud run revisions list --project=google-project-id --region=europe-west6 --service=pan-test-app-prod-api --limit=unlimited --sort-by=metadata.creationTimestamp --format="value(name)" --filter='(status.conditions.status=False OR status.conditions.status=Unknown)' | tail -n +6 | while read -r revisionname; do gcloud run revisions delete --project=google-project-id --region=europe-west6 --quiet $revisionname ; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +7 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/api@$version --quiet --delete-tags; done
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - collapseable_section_end "cleanup"
+    - echo 'Uploading SBOM to Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" upload "pan-test-app/api" "$ROOT_URL" "__sbom.json" vex.json || true
+    - echo "CL_GITLAB_ENVIRONMENT_URL=$ROOT_URL" >> gitlab_environment.env
+  environment:
+    name: prod/api
+    url: $CL_GITLAB_ENVIRONMENT_URL
+    on_stop: 'api 🛑 Stop ⚠️ | prod '
+  artifacts:
+    reports:
+      dotenv: gitlab_environment.env
+  rules:
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs:
+    - job: 'api 🔨 app | prod '
+      artifacts: false
+    - job: 'api 🔨 docker | prod '
+      artifacts: false
+    - job: 'api 🧾 sbom | prod '
+      artifacts: true
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+'api 🛑 Stop ⚠️ | prod ':
+  stage: stop prod
+  image: path/to/docker/gcloud:the-version
+  variables:
+    KUBERNETES_CPU_REQUEST: '0.22'
+    KUBERNETES_MEMORY_REQUEST: 200Mi
+    KUBERNETES_MEMORY_LIMIT: 400Mi
+    GIT_STRATEGY: none
+  script:
+    - collapseable_section_start "injectvars" "Injecting variables"
+    - export CLOUDSDK_CORE_DISABLE_PROMPTS="1"
+    - collapseable_section_end "injectvars"
+    - set +e
+    - gcloud auth activate-service-account --key-file=<(echo "$CL_prod_api_GCLOUD_DEPLOY_credentialsKey")
+    - gcloud run services delete pan-test-app-prod-api --project=google-project-id --region=europe-west6
+    - gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/prod/api --quiet --delete-tags
+    - gcloud artifacts docker images list europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api --sort-by=~CREATE_TIME --format="value(version)" | tail -n +2 | while read -r version; do gcloud artifacts docker images delete europe-west6-docker.pkg.dev/google-project-id/catladder-deploy/pan-test-app/caches/api@$version --quiet --delete-tags; done
+    - echo 'Disabling component in Dependency Track'
+    - /dtrackuploader https://dep.panter.swiss/ "$DT_KEY_PROD" disable "pan-test-app/api" "$CI_ENVIRONMENT_URL" || true
+    - set -e
+  environment:
+    name: prod/api
+    action: stop
+  rules:
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+\\.([0-9]+|x)\\.x$/
+      when: on_success
+    - when: manual
+      if: $CI_COMMIT_TAG
+  needs: []
+  retry: *a1
+  interruptible: true
+  allow_failure: true
+create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - &a2
+      if: $CI_COMMIT_MESSAGE =~ /^chore\\(release\\).*/
+      when: never
+    - &a3
+      if: $CI_PIPELINE_SOURCE  == "schedule"
+      when: never
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $AUTO_RELEASE == "true"
+      when: on_success
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+⚠️ force create release:
+  stage: release
+  image: path/to/docker/semantic-release:the-version
+  script:
+    - semanticRelease
+    - echo '👉 The project access token might be invald - run \`project-renew-token\` in catladder CLI to fix.'
+  rules:
+    - *a2
+    - *a3
+    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
+      when: manual
+    - if: $CI_COMMIT_BRANCH =~ /^[0-9]+.([0-9]+|x).x$/
+      when: manual
+  needs: []
+"
+`;