Plesty Documentation

CI-Only Gates (12–14)

The three gates that run exclusively in GitLab CI — docs deploy, secret scan, and build and release.

These gates run only in GitLab CI. They are never triggered by plesty check locally. They require project-level secrets (CI_BOT_TOKEN, PYPI_TOKEN) that are not available in a local development environment.

Gate 12 — Docs Deploy

Builds the Sphinx documentation and pushes the output to the docs-build branch. GitLab Pages serves this branch automatically.

Requirements:

  • CI_BOT_TOKEN must be set as a masked + protected CI/CD variable
  • The token must have Maintainer role with read_repository + write_repository scopes
  • The docs-build branch must exist (created automatically on first push)

Setup:

  1. Go to Settings → Access Tokens in your GitLab project
  2. Create a token named CI_BOT_TOKEN, role Maintainer, scopes read_repository + write_repository
  3. Go to Settings → CI/CD → Variables
  4. Add CI_BOT_TOKEN as Masked + Protected

Without a Maintainer-role token, git ls-remote returns 403 even with read_repository scope — the deploy step cannot determine whether to create the docs-build branch.

Gate 13 — Secret Detection

Runs GitLab SAST (Static Application Security Testing) secret detection to scan for accidentally committed credentials, API keys, and tokens.

This gate runs automatically on every pipeline. Its only effect is to fail the pipeline when a secret pattern is detected. No setup is required: it is included in the plesty-standard-ci component.

Tip: If you accidentally commit a secret, rotate it immediately and then rewrite git history to remove the committed value. The pipeline will not pass until the secret is gone from the diff.

Gate 14 — Build & Release

Builds the Python wheel and uploads it to PyPI. This gate is conditional — it only runs when a tag matching v* is pushed.

Requirements:

  • PYPI_TOKEN must be set as a masked + protected CI/CD variable
  • The tag must match the pattern v* (e.g., v0.2.1)
  • plesty check --standard quantum must pass before tagging

Trigger:

git tag v0.2.1
git push origin v0.2.1

The pipeline runs all gates in sequence. Gate 14 only executes if all earlier gates pass. After Gate 14 succeeds, the package appears on PyPI under plesty-<module-name>==<version>.
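The Gate 12 and Gate 14 requirements above can be checked at the start of a job. The following is an added example, not part of plesty or its CI component. ci_gate_preflight is a hypothetical helper; CI_COMMIT_TAG, CI_COMMIT_REF_NAME and CI_COMMIT_REF_PROTECTED are GitLab predefined variables. It relies on the GitLab behaviour that a Protected variable is only injected into pipelines on protected branches or protected tags, so a v* tag that is not protected leaves PYPI_TOKEN empty.

```shell
# Added example (hypothetical helper, not plesty's own code).
# Usage: ci_gate_preflight 12   or   ci_gate_preflight 14
# Return codes: 0 ok, 2 unknown gate, 10 skip (Gate 14 without a v* tag),
#               20 ref not protected, 21 secret empty or unset.
ci_gate_preflight() {
  gate="$1"
  case "$gate" in
    12) name=CI_BOT_TOKEN; secret="${CI_BOT_TOKEN:-}" ;;
    14) name=PYPI_TOKEN;   secret="${PYPI_TOKEN:-}"
        # Gate 14 is conditional: anything but a v* tag is a skip, not an error.
        case "${CI_COMMIT_TAG:-}" in
          v*) ;;
          *) echo "gate 14: skip, not a v* tag pipeline"; return 10 ;;
        esac ;;
    *)  echo "unknown gate: $gate"; return 2 ;;
  esac

  # Protected variables are withheld on unprotected refs. Report that cause
  # explicitly instead of letting the push or upload fail on authentication.
  if [ "${CI_COMMIT_REF_PROTECTED:-false}" != "true" ]; then
    echo "gate $gate: fail, ${CI_COMMIT_REF_NAME:-this ref} is not protected, so $name is not injected"
    return 20
  fi

  # Test for presence only. The value is never echoed, masked or not.
  if [ -z "$secret" ]; then
    echo "gate $gate: fail, $name is empty or unset"
    return 21
  fi

  echo "gate $gate: ok"
}
```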

The full CI pipeline

stages:
  - check
  - security
  - deploy
  - release

include:
  - component: $CI_SERVER_FQDN/plesty/plesty-ci/plesty-standard-ci@exp
    inputs:
      standard: quantum
      extra_branch: exp
      access_token: $CI_BOT_TOKEN

| CI stage | Gates run |
|---|---|
| check | Gates 1–11 + d1 (the full plesty check suite) |
| security | Gate 13 (secret detection) |
| deploy | Gate 12 (docs build + push to docs-build) |
| release | Gate 14 (build wheel + upload to PyPI, v* tag only) |