# Topics: 

- Git 

- GitFlow / Github Flow 

- Github Actions 

- GitLab/CICD 

---

### Sources: 

https://www.youtube.com/watch?v=RGOj5yH7evk

https://nvie.com/posts/a-successful-git-branching-model/

https://www.youtube.com/watch?v=R8_veQiYBjI

https://www.youtube.com/watch?v=qP8kir2GUgo&list=PLy7NrYWoggjzSIlwxeBbcgfAdYoxCIrM2&index=10




---

# Git 

Git is version control system. The management of changes to documents, computer programs, large websites, and other collections of information is version control. 

We track our code changes with Git. We sav our initial version of our code into git. When we update the code, we can save it into git again. Then we can look back at all the changes we made over time. 

### Terms: 

    - Directory -> folder

    - Terminal or command line -> Interface for Text Commands

    - CLI -> Command Line Interface 

    - cd -> change directory (it's like double click on a folder using icons)

    - Repository -> Project, or the folder/place where your project is kept 

    - GitHub -> Host your repositories online 

### Git Commands:

    - clone -> Bring a repository that is hosted somewhere like Githib into a folder on your local machine 

    - add -> Track your files and changes in Git

    - commit -> Save your files in Git

    - push -> Upload Git commits to a remote repo, like Github 

    - pull -> Download changes from remote repo to your local machine, the opposite of push 

 
Got to github, select new repository
repository is your project 

In github, we can create a repo and see the commits. 

Now in the local machine, in the terminal: 

```terminal
git --version 
cd Git 
```
we go to the Git folder we created in our local machine 

We created a repo on github and we wanna pull it in our local machine in the Git folder. 

On Github, we copy the SSH clone key and for example it is: `git@github.com:hamed-h98/demo-repo.git`

Then here in the terminal we write: 

```terminal 
git clone git@github.com:hamed-h98/demo-repo.git
```

Then automatically, a folder named `demo_repo` is created in the Git file in our local machine. The `demo_repo` is the name of github folder we created on Github. 

By writing this: 

```terminal
git remote -v
```

It shows that we are controlling github repository. 

`la -ls` lists all the folders in the directory including hidden folders. 

`git status` shows all of the files that are updated, created or deleted but haven't been saved yet. 

If we create a file e.g., html file in the demo_repo folder, and then write the `git status`, we'll see that this html file is untracked. 
So we need to use `git add` command and tell it which file must be tracked. The command, `git add .`, ` . ` is period, and it trackes all the files that are listed. 
We can also write the name of the file we wanna track like `git add index.html`

```terminal
(3.10.13) hamed_h@Mac-164 demo_repo % git add . 
(3.10.13) hamed_h@Mac-164 demo_repo % git status 
On branch main
Your branch is up to date with 'origin/main'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
        modified:   README.md
        new file:   index.html
```

Now we commit the files: 

```terminal 
git commit -m
```

The `-m` is for message and we need to have a message in order to commit the files. That message should be what or why we are making this commit. Also we write a second `-m` as a description of our file. 

`git commit -m "Added index.html" -m "Some description"` 


The commit does not save the files on Github. It's just saving locally. We need to use `git push` to make it live. 

In order to push the file into our github account, we need to prove to github that we are the owner of the account. So we must connect our local machine to our github account. 

We need to use SSH keys to do so. `ssh-keygen` commant generates it locally. Then we specify the type of encryption, and the stength of encryption and at the end we need to include our github email address: `-t rsa -b 4096 -C "email@gmail.com"`

After that we set a name for it, e.g., testkey, then for password we can set a password or just enter and then enter again. 


---

```terminal
(3.10.13) hamed_h@Mac-164 demo_repo % ssh-keygen -t rsa -b 4096 -C "......@gmail.com"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/hamed_h/.ssh/id_rsa): testkey
Enter passphrase for "testkey" (empty for no passphrase): hamedh98
Enter same passphrase again: 
Your identification has been saved in testkey
Your public key has been saved in testkey.pub
The key fingerprint is:
.
.
.
```

---

If we write `ls | grep testkey`, we'll see there are two keys: testkey and testkey.pub

The testkey.pub is the key for public key which means it's ok for other people to see this key. 

the testkey is our private key and we must keep it secure in our local machine. 

When we wanna use our accout and write a code to change it, we use the private key. Only the private key could've generated the public key. 

`cat testkey.pub` we can print the public key: 


we copy it and go to github, to general setting and then in the "SSH and GPG keys" section, we add this new key. 


---


`origin` this is for location of our git repository. 

`master` branch that we want to push to 

`main` this might be the branch as well. 

In order to find the branch, we type `git branch` 

Then we type this: `git push origin main` to push it in github. 

--- 


Now we make another separate folder to use git for locally changes only. We create a file named demo_repo2 and in the terminal we type `cd ../demo_repo2`

We make a README.md file in it. If we wanna make a git repository, we type `git init` and this is initializing git repository. Then we type `git status` and then `git add .` 

then `git commit -m "Created README.md" -m "description"`

If we want to push this live, we need to clone this git repository. first we need to crerate a connection to a repository. We create en empty repository on github. then we coppy the SSH `git@github.com:hamed-h98/demo_repo2.git` from github, and type this in the terminal: `git remote add origin git@github.com:hamed-h98/demo_repo2.git`
 
Then to check that we type: `git remote -v`, then we type `git push origin main`

We can set something to only write `git push` to set a default. We type `git push -u origin main`


---

### SSH Key Setup for GitHub (macOS)

### Step 1: Delete Old Keys (Optional Clean Start)

```terminal
rm ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
````

### Step 2: Generate a New RSA SSH Key (No Passphrase)

```terminal
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
```

* Press **Enter** to accept the default location
* Press **Enter** twice for no passphrase


### Step 3: Start the SSH Agent

```terminal
eval "$(ssh-agent -s)"
```

### Step 4: Add SSH Key to Agent

```terminal
ssh-add ~/.ssh/id_rsa
```

### Step 5: Add SSH Public Key to GitHub

1. Display your public key:

   ```terminal
   cat ~/.ssh/id_rsa.pub
   ```

2. Copy the entire output (starts with `ssh-rsa ...`)

3. Go to: [https://github.com/settings/keys](https://github.com/settings/keys)

4. Click **New SSH Key**, give it a title (e.g., "MacBook RSA"), and paste the key

### Step 6: Test SSH Connection

```terminal
ssh -T git@github.com
```

Expected output:

```
Hi your-username! You've successfully authenticated...
```

### Optional: Create SSH Config for Auto-Loading Key

Edit or create this file:

```terminal
nano ~/.ssh/config
```

Paste:

```
Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes
  AddKeysToAgent yes
  UseKeychain yes
```

Save and exit with:

* `Control + O`, `Enter`, then `Control + X`

---

You can now push/pull via SSH:

```terminal
git push origin main
git pull origin main
```
---



---

### Adding code in Github interface (github workflow): 

    - write code

    - commit changes (automatically github will add changes), we don't need to push the code cause it's already in the remote repository 

    - Make pull request (PR): if we didn't own the repository, or we if don't have access rights, or if we needed other people to review our code before we merged it with the rest of the code, we do the pull request. v 

### Now if we write the code locally (Local Git workflow):

    - write code 

    - stage changes (git add)

    - commit changes (git commit)

    - push changes (git push)

    - make a pull request (PR)


---


<img src="images/image29.png" alt="Alt text" width="400">


# git Branching 

<img src="images/image30.png" alt="Alt text" width="500">



We have a master branch and the code in this branch is exactly the same. 

If we make updates in the feature branch, those updates can be senn only in the feature branch. We commit to save the changes in the feature branch and then we switch back to master branch. Each branch does not know what changes are made in other braches. 

This is useful when we are trying to ake some changes in our code that may break it or they are not finished it and we save those in feature branch. It's like we are working in a sand box and write all the codes we need, get it correct, and then merge it back to the main branch of code base. 

<img src="images/image31.png" alt="Alt text" width="500">


For example after long code writing, we find a bug in a particular part, then to fix that, we make a feature branch and work on it. we call this branch a Hit Fix Branch. 



To see what branch we are we type `git branch`. To create a new branch, we type `git checkout -b feature` or e.g., `git checkout -b feature-11` or e.g.,  `git checkout -b feature/description`. 
The `feature` is just a name and we can change it in the code. 

Then we can type `git branch` to see how many branches we have and what branch we are currently in. Then, to swithc branch we type `git checkout main`. 










### So here is what we do: 


```terminal
ls
cd Git 
cd demo_repo
git branch
git checkout -b feature-readme-instructions
git branch 
git checkout main
git checkout feature-readme-instructions
```

Do some changes in the README.md file 

```terminal 
git status 
git add README.md
git commit -m "updated readme"
git diff feature-readme-instructions     (shows what changes has been made)
git checkout feature-readme-instructions
git status 
git push --set-upstream origin feature-readme-instructions
```

Now we use pull request and this means: it's basically a request to have your code pulled into another branch. 

We have a feature branch and we want to have our code pulled into the main branch. So we make a PR from feature branch to main branch. 

when we make a PR, anyone can read our code, comment on it, and ask us to make changes or updates. 

We can update the code and push it into github as long as we are in a same branch we are making a PR with. 

Once the PR is merged, we are generally delete our feature or source branch and switch back to the main branch. If we wanted to make new changes, we create a new branch and start the process over. 


We go to github, see the branches, commits on new branch, we can make some comments on each line of the code and see what's new in this branch and then there is a buttom Merge pull request and we confirm the merge. 

The changes are now only on github and are now shown in the local machine in the README file 

To get the changes on local main branch. we type `git pull origin main` 

You may see a bug and this is not working, then consider this: 

```terminal 
# 1. Check for any rebase in progress
git status

# If you see you're in the middle of a rebase:
git rebase --abort

# 2. Save your local changes (optional but safe)
git stash

# 3. Re-sync your local branch with GitHub
git pull origin main --rebase

# 4. Reapply your saved changes
git stash pop

# 5. Resolve any conflicts if prompted
# (edit the conflicted files, then:)
git add <filename>
git rebase --continue

# 6. Push to GitHub
git push origin main
```





---

Now we need to delete the branch: 

```terminal 
git pull origin main --rebase
git branch -d feature-readme-instructions
# if it's not working do: 
git branch -D feature-readme-instructions
```

In real life scenario, we have merge conflicts in git. We are building creating our own branch, other people are creating their own branches and `main` is getting updated from multiple places. So it's possible for multiple people to change the same files and sometime git doesn't know which code you wanna keep or which code you wanna get rid of. So we manually need to set that. 

we create `git checkout -b quick-test` 
we go to index.html and make some changes 
`git status`
`git diff` shows all the changes since the last commit 
`git commit -am`
`-am` means add and message at the same time but it only works for modified files not for newly created files. so you need to see the `git status` and if it's `modified` then use this. 

`git commit -am "added world"`

now we go to the `main` branch and update the line too. 

`git checkout main`
edit the index.html and write <p>there</p>

The two branches are separate and it works. But if we merge two branches: 

`git branch`
`git checkout quick-test`

we get an error for this. It says it's gonna be overwritten if we change branch. 

`git commit -am "added there"`

`git checkout quick-test`

`git diff main`

`git merge main`

Now it'll error and say there is a conflict. 

the easiest way to fix merge conflict is directly from our code. In VSCode, in the image below, we can either `accept current change`, `accept incomming change`, `accept both changes`


<img src="images/image32.png" alt="Alt text" width="500">



we can manually change the code as well. Delete the `Head` and `main` lines in the code (green and blue lines) and save both of the changes: 

```html
<div>Hello</div>
<p>world</p>
<p>there</p>
```




Now we do: 

`git status`
`git commit -am "updated with master" `




# Undoing in Git 

If we accidently commit something in git that we didn't want to do it. We can undo our stages or our commits. 

We go to README and add another line: `have fun`
`git status`
`git add README.md`
`git status`

Now it says the changed is staged. Now what if we didn't mean to stage this file. We use `git reset` command or `git reset README.md`

`git status`

It shows the file is no longer staged. Now if we want to undo a commit: 

`git add README.md`
`git commit -m "added install step"`

It says there is nothing to commit and all changes are commited. 

`git reset HEAD~1`

`HEAD` is poiting to the last commit. 

`~1` is telling git to go one commit further and `HEAD~1` means go back to the commit further and undo what we just commit. 

`git status`

it unstaged and uncommited the last stages. 

`git diff`

`git log` we can see the log of all of the commits. 

```temrinal
(3.10.13) hamed_h@Mac-139 demo_repo % git log
commit 118b2ab5f29c53a69684ffba597ebfdea7cd27bb (HEAD -> quick-test)
Merge: a70cd72 51effbc
Author: Hamed Hosseinnejad <hamed_h@Mac-5.cgocable.net>
Date:   Sun May 18 14:27:26 2025 -0400

    updated with master

commit 51effbcfa9a0ab35986d4e9e7a8ce9f10aafe3a0 (main)
Author: Hamed Hosseinnejad <hamed_h@Mac-2.cgocable.net>
Date:   Sun May 18 14:18:08 2025 -0400

    added there

commit a70cd721a5a6d1df286dd5a6c35c6febf59a7f59
Author: Hamed Hosseinnejad <hamed_h@Mac-2.cgocable.net>
Date:   Sun May 18 14:13:03 2025 -0400

    added world

commit 086a0665bf4c29555437422c373fbb7c02d89c49
Author: Hamed Hosseinnejad <hamed_h@Mac-141.cgocable.net>
Date:   Sun May 18 11:24:56 2025 -0400

    Resolved merge conflict in README.md

commit aca2ca255912bfa5fd1ac3d1100fe0024205cf65 (origin/main, origin/HEAD)
Merge: 3e3431b 21eb6e6
Author: hamed-h98 <107637146+hamed-h98@users.noreply.github.com>
Date:   Sun May 18 11:55:01 2025 -0400

    Merge pull request #1 from hamed-h98/feature-readme-instructions
    
    Feature readme instructions
```
---

If we want to go back to a commit, we can copy one of the hashes above 

`git reset a70cd721a5a6d1df286dd5a6c35c6febf59a7f59`

```terminal 
(3.10.13) hamed_h@Mac-139 demo_repo % git reset a70cd721a5a6d1df286dd5a6c35c6febf59a7f59
Unstaged changes after reset:
M       README.md
M       index.html
```

But still the changes are in the index.html and README.md but they are not saved in git or staged with git any longer. If we want to get rid of the changes: 

For example we copy the hash of `updated README`: 

`git reset --hard b61e3d887ff9af5478bb9c240d9bee903cdfdf77`

`--hard` not only unstage the commit, but completely remove it. 





---

# `Forking`

In github, there is a bottom `Fork` and it's for making a complete copy of the repository. 

If we search a random repo on github, we don't have access to change anything in repo. If we want to make a PR against this repo and request for changs to be added or if want to branch up of the code in this repo and do whatever we want with it, then we `fork` it to our user account. 

Then it'll be under our github and we can do any updates or changes to the code. 

Now if we wanted to get our changesback into the original repo, we must create a pull request in github using its buttom. We can merge it in our branch. 

Generally if we merge a branch, we would delete that cause we are not using it anymore. 



--- 
---
---

# Final Summary and Process: 

- Create a repo on github, add a name for it, copy the SSH 

- Create a file in you local machine that contains your code and your README.md

- in the terminal: 

```terminal
ls
cd your_file
git init 
git remote add origin git@github.com:hamed-h98/Your_Repo_Name.git
git remote set-url origin git@github.com:hamed-h98/Your_Repo_Name.git
git add .
git commit -m "Initial commit with README and main_code.cpp/py"
git branch -M main
git push -u origin main
```
---
Now if we wanted to change your code and update the github: 

In your local machine, update your code, save it. then in the terminal type: 

```terminal
ls
cd your_file 
git status 
git add . 
git commit -m "updated code"
git push 
```


---
---
---


# Git Flow 


<img src="images/image5.png" alt="Alt text" width="700">




<img src="images/image4.png" alt="Alt text" width="700">


### **master Branch:** This branch always contains the production-ready code. Only well-tested, stable code should be merged into the master branch.

### **develop Branch:** The develop branch serves as the integration branch for features. It contains the latest code that will eventually be released. New features and fixes are merged here after being thoroughly tested.

### **Feature Branches (feature/*):** Feature branches are created from the develop branch for working on new features or changes. Once the feature is complete, the branch is merged back into develop.

### **Release Branches (release/*):** When the develop branch is ready for a new release, a release branch is created. This branch is used for final testing and bug fixing before merging into master and develop.

### **Hotfix Branches (hotfix/*):** Hotfix branches are created from master to address urgent bugs in the production code. Once the fix is complete, the branch is merged into both master and develop to ensure that the fix is included in future releases.

---

# Github Flow 

The git flow is quite slow and has a lot of process so the **Github Flow** is then created and is simpler and it's better for CI/CD


<img src="images/image6.png" alt="Alt text" width="700">





# Github Actions 

Github actions is a platform to automate developer workflows 

CI/CD pipelines is just one of the many workflows that we can automate with github actions 

When a library in github has a bug, someone can create an issue on github that something is not working. 

The issue must be specified if it's minor, major, urgent, is it reproducable. We can assign it to a contributer or to ourselves and so on. 

One of the contributers can fixes the issue and create a pull request, so that we can merge it into the next release of the library. 

So we review the pull request, we fix the bug, and merge it to the master branch.

After that the pull request is merged into the master branch, we want to build a pipeline to test our code, build and deployment. 


CI/CD pipeline:

> Merge code -> Test -> Build -> Deployment 


We also may release notes, or update the version number. 


All these things are workflows of what we have to do as a maintainer of such repository. 

The bigger the project gets, and the more contributers you get, and the more features and issues they fix, and the more pull requests they create, and the more people use the project, the more organizational effort it is going to be. 

So instead of doing all these, we want to automate as much as possible for those management tasks so that we can focus on new projects and coding. For this purpose, github actions was created. 


With github actions, everytime something happens IN our repo or TO our repo, we can configure automatic actions to get executed in response. 

These things that happen in our repo or to our repo are Github Events. 

So github events are: 

- PR created 
- issue created 
- contributer joined 
- PR merged into master by us 
- other apps or tools that we might have integrated in our github, can produce such events that we can reposnd to with automatic actions 

So we listen to these events, and we trigger workflow (sort, lable, assign to contributer, reproduce). All these things can be automated with github actions. Each of these tasks that we automatrically triggers, is a separate Action. 

### How GitHub Actions Automate These Workflows

#### Listen to Event

GitHub **listens for specific events** such as:

* `PR created`
* `PR merged`
* `Issue created`
* `Contributor joined`
* Events from **other apps**

These are all **GitHub Events**.

#### Trigger Workflow

When an event occurs, **GitHub Actions** can automatically trigger a workflow to:

| Task        | Triggered Action |
| ----------- | ---------------- |
| `Sort`      | 🔁 Action        |
| `Label`     | 🔁 Action        |
| `Assign it` | 🔁 Action        |
| `Reproduce` | 🔁 Action        |

> This allows GitHub to automate CI/CD, issue management, and more based on repository activity.

writing a comment, putting a lable on an issue, assigning it to someone, are Actions, and the chain of actions, or combinations of actions, make up workflow. 

The most common workflow for our repository is CI/CD pipeline. 

> Commit code, Test -> Build -> Push -> Deploy 

Deploy means deploying the application on a deployment server 


![image.png](attachment:image.png)




---

#### This github action for CI/CD, uses a same tool instead of third-party integration. So we use a same tool for CI/CD pipeline. 


#### We won't be needing extra devops person who is dedicating for setting up and maintaining CI/CD pipeline in our project. 


<img src="images/imagecopy.png" alt="Alt text" width="700">



#### Instead of installing all these applications like Java, Maven, Docker, installing pluggins and configuring them, we say I need an environment which has node, docker both available, with a version we want, we can simply connect to the target environment and deploy the application there. 

#### We now do this as an example: 


<img src="/Users/hamed_h/Downloads/RA_Python/Git//images/image_copy.png" alt="Alt text" width="600">


We create a test repository, call it my-project, then after creating it, we have an Actions bottum on top. It lets us automate our workflow. 

There are lots of templates in the Actions section and we can choose whatever matches to our target. 

![image.png](attachment:image.png)




# GitLab

Source:  
https://www.youtube.com/watch?v=qP8kir2GUgo&list=PLy7NrYWoggjzSIlwxeBbcgfAdYoxCIrM2&index=10

### GitLab is a web-based DevOps platform that provides tools for source code management (SCM), CI/CD, issue tracking, and more — all in one place. It’s similar to GitHub, but with more built-in DevOps features and often used in enterprise and private environments.

> ### GitLab = Git + GitHub + Jenkins + Jira + Docker registry, all in one platform.


### Building basic CI/CD pipeline 


<img src="images/image7.png" alt="Alt text" width="700">


<img src="images/image8.png" alt="Alt text" width="600">


### CI/CD: Continuously Integration / Continuously Deployment/Delivery 

### Automatically and continously:

### code changes -> testing -> Building -> Releasing code changes to the deployment environment 


<img src="images/image9.png" alt="Alt text" width="600">






<img src="images/image10.png" alt="Alt text" width="600">


<img src="images/image11.png" alt="Alt text" width="600">

#### If your team is already working with gitlab, CI/CD is a natural extension 

#### One of the most used CI/CD tools in the industry is Jenkins

#### GitLab CI/CD is just one of other CI/CD tools 

#### With gitlab, pipeline configuration is part of our application code. 

But Jenkins is just a CI/CD tool. Self-hosting on it is an option. 

But gitlab is self-hosted or SaaS (managed) 


<img src="images/image12.png" alt="Alt text" width="600">



<img src="images/image13.png" alt="Alt text" width="600">


#### We have gitlab runners which are separate machines connect to gitlab server machine and execute the pipelines. 


<img src="images/image14.png" alt="Alt text" width="600">

#### www.gitlab.com is a managed instance that offers multiple managed runners already out of the box. 

#### So these runners are available to all users on www.gitlab.com 

<img src="images/image15.png" alt="Alt text" width="600">



#### We may need to connect to our own gitlab runner, or setup our own gitlab instance, so we can create partially or competely self-managed gitlab setup as well (e.g., www.gitlab.mycompany.com)

<img src="/Users/hamed_h/Downloads/RA_Python/Git/images/image16.png" alt="Alt text" width="600">


---

### Here we do a demo project: 

We build a CI/CD pipeline for a python app. 

<img src="/Users/hamed_h/Downloads/RA_Python/Git/images/image17.png" alt="Alt text" width="600">


#### The python code is from this repo: 

https://github.com/benc-uk/python-demoapp

We put it on gitlab: 

https://gitlab.com/nanuchi/gitlab-cicd-crash-course


We don't need to understand the code behind, we just want to take the application and deploy it using CI/CD pipeline. 

We first clone the repo locally to see how it runs locally and how to execute the test. We want to run the test on the pipeline. 


So first we copy the clone url (http) from the gitlab repo which is: 

```terminal 
ls
cd Git
git clone https://gitlab.com/nanuchi/gitlab-cicd-crash-course.git
ls
cd gitlab-cicd-crash-course
```








Executing test is core part of CI/CD pipeline. It verifies that the new code changes didn't break anything. 

If tests fail, he pipeline fails and new changes won't be deployed. 

In the `src` folder, in `app`, in `tests` we have two test files. 

When you build a pipeline for an app, you only need to know how to execute the tests. 

We have a json configuration file in the test folder to execute those tests. 

To execute the test, we have `makefile` that includes couple of comments and one of them is test. 

#### Makefile:
    - A special file containing shell commands that you create and name. 

By writing `make test` in the terminal we can execute the tests. 

<img src="images/image18.png" alt="Alt text" width="900">





> Note that since this local machine is Apple Silicon, I modified the `conftest.py` in the tests file like this: 

```python 
import platform
import sys

# Mock cpuinfo on Apple Silicon (Mac M1/M2) to avoid compatibility crash
if platform.system() == "Darwin" and platform.machine() == "arm64":
    from unittest.mock import MagicMock
    sys.modules["cpuinfo"] = MagicMock()

from . import create_app
import pytest

app = create_app()

@pytest.fixture
def client():
    with app.test_client() as client:
        yield client
```

---



<img src="images/image19.png" alt="Alt text" width="600">


The python dependencies (packages) for the library we downloaded from a repo is in the folder `requirements.txt`: 

```txt
appdirs==1.4.4
attrs==25.3.0
black==20.8b1
click==8.2.1
flake8==3.9.0
Flask==2.1.0
gunicorn==20.1.0
iniconfig==2.1.0
itsdangerous==2.2.0
Jinja2==3.1.6
MarkupSafe==3.0.2
mccabe==0.6.1
mypy_extensions==1.1.0
packaging==25.0
pathspec==0.12.1
pluggy==1.0.0.dev0
psutil==5.8.0
py==1.11.0
py-cpuinfo==7.0.0
pycodestyle==2.7.0
pyflakes==2.3.1
pytest==6.2.2
regex==2024.11.6
toml==0.10.2
typed-ast==1.5.5
typing_extensions==4.13.2
Werkzeug==2.0.3
```

#### We can run the requirements by typing: `pip install -r requirements.txt`


--- 

So the dependencies must be downloaded using `pip install`, then tests are executed using `pytest`

All these happen when we type `make test` in the terminal. 



<img src="images/image20.png" alt="Alt text" width="700">


In python the package manager or build tool is `pip`, for Java, it's `maven` or `gradle` for instance. 


We have a command `make run` and this starts the application on a port. We can set a port. for example we can type `export PORT=5004`, then `make run` 








Note that since this is apple silicon, I changed the run.py file in the src folder like this: 

```python
import os
import platform
import sys

# Fix for Apple Silicon: prevent py-cpuinfo crash
if platform.system() == "Darwin" and platform.machine() == "arm64":
    from unittest.mock import MagicMock
    sys.modules["cpuinfo"] = MagicMock()

from app import create_app

app = create_app()

if __name__ == "__main__":
    port = int(os.environ.get("PORT", 5000))
    app.jinja_env.auto_reload = True
    app.config["TEMPLATES_AUTO_RELOAD"] = True
    app.run(host="0.0.0.0", port=port)

```
---


Now if we type `make run`, we'll get this: 


```terminal 
(.venv) (.venv) (base) hamed_h@Hameds-MacBook-Air gitlab-cicd-crash-course % make run
. src/.venv/bin/activate \
        && python src/run.py
 * Serving Flask app 'app' (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on all addresses.
   WARNING: This is a development server. Do not use it in a production deployment.
 * Running on http://172.17.3.19:5004/ (Press CTRL+C to quit)
```

#### And then if we go to the http link that is provided, we'll see: 

<img src="images/image21.png" alt="Alt text" width="600">

---

<img src="images/image22.png" alt="Alt text" width="500">

---


So this is the application we want to release using CI/CD pipeline on a deployment server. 

Now we build a simple CI/CD pipeline on this demp app. We wanna build a gitlab CI/Cd pipeline. 

We have `configuration as code` and `pipeline as code`

Thw whole pipeline will be written in code and hosted in the application git repository itself in yaml file. 

So whole CI/CD configuration is written in YAML file. The code must be called `.gitlab-ci.yml`

So in the project repo on gitlab, we add a yaml file directly. 


<img src="images/image23.png" alt="Alt text" width="600">





<img src="images/image24.png" alt="Alt text" width="600">


<img src="images/image25.png" alt="Alt text" width="600">


<img src="images/image26.png" alt="Alt text" width="400">


<img src="images/image27.png" alt="Alt text" width="300">


In the `.gitlab-ci.yml` we type: 

```YAML
run_tests: 
    script: 
        - make test 
```

Now the question is where on which environment is the job executed. Is it on Windows, Linux or macOS machine. 

Pipeline jobs are executed on gitlab runners. Gitlab runners can be installed on different environments. It could be an operating system. This is called a shell executer. 

- Executer determines the environment each job runs in. 

- shell is the simplest executer. 

- Commands are executed on operating system. 

- On the shell of the server, where Gitlab is installed. 

For example, for Jenkins, we have a server on linux machine and we execute shell commands on them as part of job directly on the operating system. 

But another common execution environment on gitlab is Docker container. 

So instead of executing the job directly on the operating system, (e.g., a linux machine), we execute the jobs inside containers. So the gitlab runner is installed in some linux machine, and on that machine, gitlab runner creates docker containers to run the jobs. 

The managed runners from gitlab that we get available out of the box, use docker container as execution environment. 

So gitlab's managed runners use Docker Container 

Containers, run based on a certain Docker image. We can't run a container without an image. 

Depending on which image we use, we have different tools available inside the container. 

For example if we use mysql mage to start a container, then we'll have mysql plus other tools available inside the container. 

If we have node.js image, then we're gonna have node.js, npm available inside the container. 

If we use basic alpine image, then we'll have basic linux commands available inside the container. 




By default, gitlab managed runners use Ruby image to start the container that will run the jobs. 

For our case, this is not gonna work cause for our test execution (python tests), we need a container (or image) that has python to make pip available. So we need to use python image to execute job. 

We can specify the Docker image that the job should run in. 

We go to [hub.docker.com](https://hub.docker.com/) and search python, then we must select a tag that is aligned the requirements of app e.g., 3.9-slim-bullseye⁠

With this image, we make python and pip available on the machine where the job is executed. 

So we update the yml: 

```YAML
run tests: 
    image: python:3.9-slim-bullseye⁠
    script: 
        - make test 

```

However, we still don't have the make command. We need that inside the piython container to be able to execute the `make test` command. 

We can install the make command inside the python container, before the script gets executed. We use `before_script`: 

```YAML
run tests: 
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 

```

Always update package information (apt-get update), before actually installing a tool, so you don't install an outdated tool. 

We also have `after_script` which is the commands that run after each job, including failed jobs. 

Then we commit the changes in gitlab and it'll detect that we have added a pipeline configuration and it'll automatically execute the pipeline in the background. 

Now on gitlab, on CI/CD section, we can manage CI/CD parts of the project: 

<img src="images/image33.png" alt="Alt text" width="400">


<img src="images/image34.png" alt="Alt text" width="600">


<img src="images/image35.png" alt="Alt text" width="700">


<img src="images/image36.png" alt="Alt text" width="700">


#### Checkout twingate website 

https://www.twingate.com/



## Build and push Docker image 

Gitlab -> CI/CD -> Editor -> .gitlab-ci.yml

```YAML
run tests: 
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 

```

Now we must create a Docker image and push it to DockerHub private repository. So we need to create an account on DockerHub and one private repository is free. Then we copy the address of image registery from our private repository. Now we must push the image to the private repository. We need to login to that repository first since this is provate repository, we don't want others to have its credentials. 

So we need repository credentials for this repository to be available on gitlab. So that the gitlab runner can log in to the registery before it pushes the image. The credentials are username and password of our dockerhub account. We should not hardcode those credentials. 

<img src="images/image37.png" alt="Alt text" width="600">

So instead, we create a secret type of variables that are available in our pipeline. 

> gitlab -> settings -> we can separate access of users if we are an administrator. 

<img src="images/image37.png" alt="Alt text" width="600">




> GitLab -> settings -> CI/CD -> Variables 

Project variables: 

- sorted outside of the git repository (not in the .gitlab-ci.yml)
- Ideal for tokens and passwords, which shoud not be included in the erepository for security reasons. 

This will be available inside the pipeline code. So we can reference those variables. 

<img src="images/image39.png" alt="Alt text" width="600">


<img src="images/image40.png" alt="Alt text" width="600">


The value is the Docker username. 

Masked variables: variables containing secrets should always be masked. 

With this, you avoid the risk of exposing the value of the variable, e.g., when outputing it in a job log like "echo $VARIABLE"




Then we create registery pass, again masked variable. 


<img src="images/image41.png" alt="Alt text" width="600">



and we paste password in the value 

Now we can reference our variables inside our pipeline configuration. 

Then on Gitlab, we go back to the editor, and for the YAML file we type: 

From Dockerfile in our application, we want to make a docker image. We have a Dockerfile in our app file. 

<img src="images/image42.png" alt="Alt text" width="600">

<img src="images/image43.png" alt="Alt text" width="600">



```YAML
run tests: 
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 
build_image:
    variables: 
        IMAGE_NAME: nanjanashia/demo-app
        IMAGE_TAG: python-app-1.0
    before_script:
        - docker login -u $REGISTERY_USER -p $REGISTERY_PASS
    script: 
        - docker build -t $IMAGE_NAME:$IMAGE_TAG .
        - docker push $IMAGE_NAME:$IMAGE_TAG
```

If we are logging in some other registery like AWS ecl, then we must specify registery in this: 

`docker login -u $REGISTERY_USER -p $REGISTERY_PASS registery`

But for the dockerhub, it's default and we don't need to specify registery. 

we can also put the variables in the beginning of the YAML code. 

We need docker available inside a docker container. This is called Docker in Docker. So for that we search Docker image in the Docker website and we take one of the latest tags. 


```YAML
variables: 
        IMAGE_NAME: nanjanashia/demo-app
        IMAGE_TAG: python-app-1.0
run tests: 
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 
build_image:    
    image: docker: 28.2.1-cli
    before_script:
        - docker login -u $REGISTERY_USER -p $REGISTERY_PASS
    script: 
        - docker build -t $IMAGE_NAME:$IMAGE_TAG .
        - docker push $IMAGE_NAME:$IMAGE_TAG
```

But we need to define serivces for the Docker image. Services is additional container that'll start at the same time as the job container, and the job container can use that service during the build time. 


<img src="images/image44.png" alt="Alt text" width="600">


If a test execution requires a service like a database service like mysql, then we can start a mysql service or container during job execution in addition to the python container and the service atribute will make sure that these continers are liked together so they run in the same network and they can talk to eachother directly. 


<img src="images/image45.png" alt="Alt text" width="600">

.


Here we have Docker container with Docker client inside, and we want to start another Docker container with Docker Daemon inside. So that the client can connect to that daemon and execute the commands. 

<img src="images/image46.png" alt="Alt text" width="400">

The image for Docker Daemon is has the tag of `dind` next to the tag number. The `dind` means docker in docker. 
We must use the same version of tag for Docker Daemon. For example for Docker tag we have `28.2.1-cli` and for Docker Daemon we have `28.2.1.dind`. These two will be linked to eachother and they will be able to communicate with eachother. 

To make sure these two can communicate to eachother, we must use docker certificates. So these two must have the same certificate so can authenticate with each other and talk to each other. So these two containers must share the certificate directly. We can do that by defining variable called `DOCKER_TLS_CERTDIR: "/certs"`. This will tell docker to create certficate in this location and this certificate will be shared between service container and job container. 

So this: 
```YAML
build_image:    
    image: docker: 28.2.1-cli
    serivces: 
        - docker: 28.2.1-dind
    variables: 
        DOCKER_TLS_CERTDIR: "/certs"
```
gives us the complete docker client and server in the same job execution environment. 

So the update code is: 

```YAML
variables: 
        IMAGE_NAME: nanjanashia/demo-app
        IMAGE_TAG: python-app-1.0
run tests: 
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 
build_image:    
    image: docker: 28.2.1-cli
    serivces: 
        - docker: 28.2.1-dind
    before_script:
        - docker login -u $REGISTERY_USER -p $REGISTERY_PASS
    script: 
        - docker build -t $IMAGE_NAME:$IMAGE_TAG .
        - docker push $IMAGE_NAME:$IMAGE_TAG
```

---

### Execute Pipeline:



We commit the changes in gitlab and select view pipeline on gitlab. 

<img src="images/image47.png" alt="Alt text" width="400">




Then we can see the image in our Docker repository in Dockerhub: 

<img src="images/image48.png" alt="Alt text" width="500">


#### But the problem here is both jobs get executed the same time. If we add deploy job, it'll also run in parallel to these two above jobs (i.e., build image, run test)


<img src="images/image50.png" alt="Alt text" width="500">




But we want to run the jobs in order: 

<img src="images/image51.png" alt="Alt text" width="600">







We force this order in which the jobs will execute in the pipeline using stages. Stages are used to organize the pipeline by grouping related jobs that can run in parallel together. 

<img src="images/image52.png" alt="Alt text" width="600">




For example if you have different tests in your application, they can all run in parallel by being in the same stage. 

<img src="images/image53.png" alt="Alt text" width="600">



For example in the editor, we want to do the `run_tests` at one stage and then `build_image` in the next stage. So build_image will wait for the run_tests to be executed, and only if the run_tests was successful, it'll execute the build_image job. 

So the code will be updated as:


```YAML
variables: 
        IMAGE_NAME: nanjanashia/demo-app
        IMAGE_TAG: python-app-1.0

stages: 
    - test 
    - build 
    
run tests: 
    stage: test
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 
build_image:    
    stage: build
    image: docker: 28.2.1-cli
    serivces: 
        - docker: 28.2.1-dind
    before_script:
        - docker login -u $REGISTERY_USER -p $REGISTERY_PASS
    script: 
        - docker build -t $IMAGE_NAME:$IMAGE_TAG .
        - docker push $IMAGE_NAME:$IMAGE_TAG
```

---


<img src="images/image54.png" alt="Alt text" width="600">





<img src="images/image55.png" alt="Alt text" width="600">


### Deploy to Server

We want to push the built docker image to ubuntu server and run the docker application there. So for this we need a deployment server. 

#### Create Ubuntu Server on DigitalOcean Platform:


<img src="images/image56.png" alt="Alt text" width="600">



So in the DigitalOcean website, we create an account 

<img src="images/image57.png" alt="Alt text" width="600">





So in settings -> security, we can access the SSH key. 

<img src="images/image58.png" alt="Alt text" width="600">




So we need to create a new SSH key locally. 

I terminal: 

```bash
ssh-keygen
# Then it'll show the default ssh key location. 
users/hamedh98/.ssh/digital_ocean_key
[enter]
[enter]
ls users/hamedh98/.ssh | grep digital 
# this'll show two digital keys 
```

We upload the public key in the platform and we're gonna be able to connect to any server created on the platform and using the private key. 


```bash
cat users/hamedh98/.ssh/digital_ocean_key.pub
```
then we copy the output to new SSH key in digitalocean website and we call it deployment-server-key

Then on DigitalOcean website we go to `Droplets` and create a deployment server. 

> Droplet -> create new droplet -> ubuntu -> basic plan -> regular with SSD 

<img src="images/image59.png" alt="Alt text" width="600">




<img src="images/image60.png" alt="Alt text" width="600">


We now need to install Docker on the server. 
For this, we copy the public IP address of our droplet (i.e., ipv4) and then in our local machine in terminal: 

```bash
ssh -i ~/.ssh/digital_ocean_key root@161.35.223.117 #example of ip address 
```

With this command, we'll connect to the server. 

Then we are connected to the server and we install docker: 

```bash
docker
apt update 
apt install docker.io
docker ps
exit 
```



### Deploy App

<img src="images/image61.png" alt="Alt text" width="600">


> Gitlab -> CI/CD -> pipeline 

Gitlab must deploy a Docker image to the droplet server. It must be connected to the server to deploy the docker image. 

Gitlab Runner needs SSH for the deployment server. 

Gitlab Runner will start a container fo the deploy job and inside the container we execute the SSH command to connect to the remote server. 

Just like we created secret variables for docker hub private repository, we create a secret variable for the private key in the CI/CD setting. 

> Gitlab -> Setting -> CI/CD -> Variables -> Add variable -> call it SSH_KEY, for the value we first type this in the terminal: 

```bash
cat ~/.ssh/digital_ocean_key
```

Print the output and paste it in the Value. 

Type must be file

In the value section, we must add a new line in order that the currect private key format is created by Gitlab. 



<img src="images/image63.png" alt="Alt text" width="600">





> Gitlab -> Editor:

Here, `-o` means option, and we want to make it automatic, not manual. 
```
- ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117
```


```
[host_port] : [container_port]
-p = build port 5000 of the container to port 5000 of the host machine 
```

<img src="images/image64.png" alt="Alt text" width="600">


`ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117 "docker run -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG"`

This command will be executed on the droplet server and it will pull the image that we specify in the Docker Registery from the private registery to the deployment server. 
 
To do that, we need to authenticate registery to be able to pull the image. So we need to Docker login to pull the image. 

<img src="images/image65.png" alt="Alt text" width="600">


So we add `docker login -u $REGISTERY_USER -p $REGISTERY_PASS` to the 
`ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117 "docker run -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG"`
and we add `&&` to it since the user/pass are going to execute inside the SSH so we can handle multiple SSH commands together. 
resulting in: 

```bash
ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117 "
    docker login -u $REGISTERY_USER -p $REGISTERY_PASS &&
    docker run -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG
"
```

For this one: `docker run -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG`, at the first time, it succeeds and it'll start the docker container on the server. But on the second execution or any following execution, it'll try to create and start a new container on the same host port (i.e., 5000), and this is going to fail because port is already in use. 

So before each Docker run command, we need to stop and remore any existing/running containers on port 5000, so that new one can be created. 

`docker ps = list containers` 
`--all or -a = Show all containers (running containers) `
`--quiet or -q = only display container IDs`
`|` piping command 
So it'll be: 
`docker ps -aq |`
then we add 
`xargs`, which takes the previous argument (i.e., `docker ps -aq`) for `docker stop command. So it'll be: 
`docker ps -aq | xargs docker stop`
we also need to use `docker rm` where `rm` is remove command 
`docker ps -aq | xargs docker stop | xargs docker rm`
So this'll stop any containers using their IDs and remove them. 

So the update script is: 

```bash
ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117 "
    docker login -u $REGISTERY_USER -p $REGISTERY_PASS &&
    docker ps -aq | xargs docker stop | xargs docker rm &&
    docker run -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG
"
```



<img src="images/image66.png" alt="Alt text" width="800">

This means only owner can read or write and others can't and this is a restricted access. By default, Gitlab gives everyone read/write permissions when it creates a temporery file from the file type of variable. So we need to restrict access permissions to the SSH key file before the scripts will run. 


`chmod` means change mode, and `chmode 400` means change to mode temporery file to access 400 where: 

<img src="images/image67.png" alt="Alt text" width="400">


So `400` means read without write and `00` means no access for anything else. So it'll be: 


```bash
deploy: 
    stage: deploy
    before_script:
        - chmod 400 $SSH_KEY
    script: 
```

We also need to run the docker background in the detach mode. Because otherwise it'll block our terminal or job's terminal and it'll be endless wait So: 

`--detach or -d = Run container in background`

So we add `-d` to `docker run -d -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG`

With `-d`, it'll send the command in the background and will complete the job. 

```bash
deploy: 
    stage: deploy 
    before_script:
        - chmod 400 $SSH_KEY
    script: 
        - ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117 "
            docker login -u $REGISTERY_USER -p $REGISTERY_PASS &&
            docker ps -aq | xargs docker stop | xargs docker rm &&
            docker run -d -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG
        "
```

---

So the updated script will be: 


```YAML
variables: 
        IMAGE_NAME: nanjanashia/demo-app
        IMAGE_TAG: python-app-1.0

stages: 
    - test 
    - build 
    - deploy
    
run tests: 
    stage: test
    image: python:3.9-slim-bullseye⁠
    before_script:
        - apt-get update && atp-get install make
    script: 
        - make test 
build_image:    
    stage: build
    image: docker: 28.2.1-cli
    serivces: 
        - docker: 28.2.1-dind
    before_script:
        - docker login -u $REGISTERY_USER -p $REGISTERY_PASS
    script: 
        - docker build -t $IMAGE_NAME:$IMAGE_TAG .
        - docker push $IMAGE_NAME:$IMAGE_TAG

deploy: 
    stage: deploy 
    before_script:
        - chmod 400 $SSH_KEY
    script: 
        - ssh -o StrictHostKeyChecking=no -i $SSH_KEY root@161.35.223.117 "
            docker login -u $REGISTERY_USER -p $REGISTERY_PASS &&
            docker ps -aq | xargs docker stop | xargs docker rm &&
            docker run -d -p 5000:5000 $IMAGE_NAME:$IMAGE_TAG
        "
```


<img src="images/image68.png" alt="Alt text" width="600">


#### Validate that the application is running: 

```bash
ls -la ~/.ssh/digital_ocean_key root@161.35.223.117
docker ps # checking if the docker container is running 
```
---

<img src="images/image69.png" alt="Alt text" width="800">



We want to access this web application from a browser, so: 

> DigitalOcean -> Droplets -> ipv4 (public IP address) (copy) 

on the browser type: 

`161.35.223.117:5000`

then we can see the applicaition. 

<img src="images/image70.png" alt="Alt text" width="700">


## Delete the droplet so you don't get charged for the server resources. 




