# CI/CD Pipeline

## Architecture
```mermaid
graph LR
    DEV[Developer] -->|git push| GL[GitLab.com]
    GL -->|webhook| RUNNER["EC2 Runner<br/>prod-nhc-gitlab-runner"]
    RUNNER -->|docker build| ECR[ECR Registry]
    RUNNER -->|SSM RunCommand| EC2["Target EC2"]
    EC2 -->|docker pull| ECR
```
## GitLab Runner

| Property | Value |
|---|---|
| Instance | prod-nhc-gitlab-runner |
| Type | t3.small (2 vCPU / 2 GB + 4 GB swap) |
| Disk | 50 GB (Docker layer cache) |
| Executor | Docker |
| Network | Private subnet, outbound via NAT |
| Inbound Rules | None (runner polls GitLab outbound) |
The runner is registered to GitLab.com and executes CI/CD pipelines for all Nova Home Care repositories.
## Deployment Flow

- Developer pushes to a feature branch
- GitLab CI runs tests, SAST scans, and docs validation
- On merge to `main`, the deploy job:
    - Builds a Docker image
    - Pushes it to ECR (`794248400165.dkr.ecr.us-east-2.amazonaws.com`)
    - Runs SSM `RunShellScript` to pull and restart the container on the target EC2
- The GitLab Pages job deploys this documentation site
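The script below is an added example of what the SSM `RunShellScript` step on the target EC2 could run; it is not the project's own deploy script. It assumes the registry from this page and the repository names from the ECR table, uses the instance role for ECR login, and refuses any image reference that is not digest-pinned and from that registry. The container name and port are hypothetical parameters.

```shell
#!/bin/sh
# Added example: deploy step executed on the target EC2 through SSM RunShellScript.
# Assumptions: the registry account/region from this page; the instance role
# has ecr:GetAuthorizationToken + pull rights; CONTAINER_NAME/PORT are hypothetical.
set -eu

ECR_REGISTRY="794248400165.dkr.ecr.us-east-2.amazonaws.com"
AWS_REGION="us-east-2"

# Accept only <our registry>/<known repo>@sha256:<64 hex chars>.
# Mutable tags (e.g. :latest) and foreign registries are rejected, so a
# tampered IMAGE parameter handed to the SSM command cannot pull arbitrary code.
validate_image_ref() {
  ref="$1"
  case "$ref" in
    "${ECR_REGISTRY}"/*@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${ref##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in *[!0-9a-f]*) return 1 ;; esac
  repo="${ref#"${ECR_REGISTRY}"/}"
  repo="${repo%%@*}"
  case "$repo" in
    novahomecareapi|novahomecareportal|wp-cms|foursites) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the validated image and replace the running container.
deploy() {
  image="$1"; name="$2"; port="$3"
  validate_image_ref "$image" || { echo "refusing to deploy: $image" >&2; return 1; }
  # Short-lived ECR token from the instance role; no registry password stored on the host.
  aws ecr get-login-password --region "$AWS_REGION" \
    | docker login --username AWS --password-stdin "$ECR_REGISTRY"
  docker pull "$image"
  docker rm -f "$name" 2>/dev/null || true
  docker run -d --name "$name" --restart unless-stopped \
    -p "127.0.0.1:${port}:${port}" "$image"
  # Record the digest actually running so the pipeline log captures it.
  docker inspect --format '{{index .RepoDigests 0}}' "$name"
}

# Usage: deploy.sh <image@sha256:...> <container-name> <port>
if [ "$#" -ge 3 ]; then
  deploy "$1" "$2" "$3"
fi
```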
## ECR Repositories

| Repository | Application |
|---|---|
| novahomecareapi | Django API |
| novahomecareportal | Nova Portal (Next.js) |
| wp-cms | WordPress CMS |
| foursites | Foursites (4× Astro sites) |
## Security Scanning
The infra repo pipeline includes:
| Job | Tool | Purpose |
|---|---|---|
| secret-detection | GitLab | Detect committed secrets |
| kics-iac-sast | KICS | Scan OpenTofu for misconfigurations |
| semgrep-sast | Semgrep | General static analysis |
| docs-build | MkDocs | Validate documentation builds |