phpboyscout/cicd

A monorepo of reusable GitLab CI/CD components for the phpboyscout toolchain — released together under one tag stream, run inside the infra-tools image.

Consumers reference each component by URL and pin a tag:

include:
  - component: gitlab.com/phpboyscout/cicd/<name>@vX.Y.Z

Components

Gate components

  • tofu-lint — tofu fmt -check, tflint --recursive, terraform-docs --check drift.
  • tofu-security — trivy config, checkov, gitleaks detect.
  • tofu-validate — tofu init -backend=false && tofu validate walked across consumer-specified paths.
  • zensical-pages — pip-install Zensical from requirements-lock.txt, build the site, deploy to GitLab Pages on deploy_branch.

Plan / apply components

  • tofu-plan — OIDC-authenticated tofu plan against AWS; produces a reviewable plan artifact + GitLab MR plan widget.
  • tofu-apply — consumes a tofu-plan artifact, runs tofu apply; plan_source selects same-pipeline (job) or cross-pipeline (ref) plan retrieval; manual-gated by default.

Token-requiring inputs (state-backend auth, jobs-artifacts API) default to $CI_JOB_TOKEN; consumers override with their own credential.

Start here

  • Component authoring guide — conventions, intent, the token-input requirement, and workflow for anyone adding or changing a component.
  • Decision records — dated specs covering every design decision the components implement.