Add GitLab mirror parity: CI + image registry + install overrides (#237)

Brings the GitLab side to full parity with GitHub so users who prefer
gitlab.com get the same source, the same images, and the same install
paths. Today, GitLab users can clone the source but the Helm chart and
docker-compose paths only worked against GHCR.

What's new:

  .gitlab-ci.yml
    Multi-arch (amd64 + arm64) Docker builds on every push to main,
    pushed to the project's GitLab Container Registry as:
      registry.gitlab.com/bigbodycobain/shadowbroker/backend:latest
      registry.gitlab.com/bigbodycobain/shadowbroker/frontend:latest
    Plus a :$CI_COMMIT_SHORT_SHA tag for traceability. Uses
    $CI_JOB_TOKEN — no credentials need to be configured.

    Also adds a 'mirror-to-github' job that pushes main back to GitHub
    via fast-forward-only `git push`. Skipped silently if the
    GITHUB_MIRROR_TOKEN CI/CD variable isn't set. Setup instructions
    are in the file header.

  docker-compose.gitlab.yml
    Override file that swaps the backend/frontend image: lines to the
    GitLab registry. Used as:
      docker compose -f docker-compose.yml -f docker-compose.gitlab.yml up -d
    Verified with `docker compose config` — merges cleanly and emits
    registry.gitlab.com/... image references.

  helm/chart/values-gitlab.yaml
    Helm values override that points the chart at the GitLab registry.
    Used alongside the default values.yaml:
      helm install ... -f helm/chart/values.yaml -f helm/chart/values-gitlab.yaml

  README.md
    Documents both install paths (GitHub default, GitLab override) for
    both docker compose and Helm. Notes that both registries publish
    identical images (same source, same CI matrix).

No credentials needed for the GitLab→GitLab side. The optional reverse
mirror requires a GitHub PAT (public_repo scope) added as the GitLab
CI/CD variable GITHUB_MIRROR_TOKEN — instructions in the .gitlab-ci.yml
header.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

.gitlab-ci.yml

@@ -0,0 +1,121 @@
+# GitLab CI/CD for Shadowbroker
+#
+# Mirror of .github/workflows/docker-publish.yml — keeps the GitLab install
+# path (image registry + source) at parity with GitHub so users who prefer
+# GitLab get the same experience.
+#
+# What this does on every push to main:
+#   1. Builds multi-arch (amd64 + arm64) Docker images for the backend and
+#      frontend, pushes them to the project's GitLab Container Registry:
+#        registry.gitlab.com/bigbodycobain/shadowbroker/backend:latest
+#        registry.gitlab.com/bigbodycobain/shadowbroker/frontend:latest
+#      Both also get a :$CI_COMMIT_SHORT_SHA tag for traceability.
+#   2. Reverse-mirrors main back to GitHub (only if commits land directly
+#      on GitLab) so the two sources stay in sync.
+#
+# Auth notes:
+#   - The image build/push uses $CI_JOB_TOKEN, which GitLab provides
+#     automatically. No credentials need to be configured.
+#   - The reverse mirror requires a GitHub personal access token stored
+#     as the GitLab CI/CD variable GITHUB_MIRROR_TOKEN (Protected + Masked).
+#     Scope: public_repo (or repo for private). If the variable isn't
+#     set the mirror job is skipped — image builds still run.
+
+stages:
+  - build
+  - mirror
+
+variables:
+  # Use the dind service for buildx multi-arch builds.
+  DOCKER_HOST: tcp://docker:2376
+  DOCKER_TLS_CERTDIR: "/certs"
+  DOCKER_DRIVER: overlay2
+  # QEMU is what lets a single x86 runner build arm64 images. dind doesn't
+  # install it by default; we install via tonistiigi/binfmt below.
+  BUILDX_VERSION: "v0.14.1"
+  # Repository-relative paths.
+  BACKEND_IMAGE: $CI_REGISTRY_IMAGE/backend
+  FRONTEND_IMAGE: $CI_REGISTRY_IMAGE/frontend
+
+# Shared template: bootstraps buildx + QEMU on the dind service so a single
+# runner can produce both amd64 and arm64 manifests in one push.
+.buildx-setup: &buildx-setup
+  image: docker:24
+  services:
+    - name: docker:24-dind
+      command: ["--tls=true"]
+  before_script:
+    - docker info
+    - docker login -u "$CI_REGISTRY_USER" -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
+    - docker run --privileged --rm tonistiigi/binfmt --install all
+    - docker buildx create --use --name multiarch --driver docker-container
+
+# ── Backend image ────────────────────────────────────────────────────────
+build-backend:
+  <<: *buildx-setup
+  stage: build
+  script:
+    - >
+      docker buildx build
+      --platform linux/amd64,linux/arm64
+      --file backend/Dockerfile
+      --tag $BACKEND_IMAGE:latest
+      --tag $BACKEND_IMAGE:$CI_COMMIT_SHORT_SHA
+      --push
+      .
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main" && $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_COMMIT_BRANCH == "main" && $CI_PIPELINE_SOURCE == "schedule"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      changes:
+        - backend/**/*
+        - .gitlab-ci.yml
+
+# ── Frontend image ───────────────────────────────────────────────────────
+build-frontend:
+  <<: *buildx-setup
+  stage: build
+  script:
+    - cd frontend
+    - >
+      docker buildx build
+      --platform linux/amd64,linux/arm64
+      --tag $FRONTEND_IMAGE:latest
+      --tag $FRONTEND_IMAGE:$CI_COMMIT_SHORT_SHA
+      --push
+      .
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main" && $CI_PIPELINE_SOURCE == "push"
+    - if: $CI_COMMIT_BRANCH == "main" && $CI_PIPELINE_SOURCE == "schedule"
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      changes:
+        - frontend/**/*
+        - .gitlab-ci.yml
+
+# ── Reverse mirror to GitHub ─────────────────────────────────────────────
+# Pushes refs/heads/main to github.com/BigBodyCobain/Shadowbroker.
+# Fast-forward-only — if GitLab main and GitHub main have diverged, this
+# fails loudly rather than silently overwriting either side.
+#
+# Only runs if GITHUB_MIRROR_TOKEN is set as a CI/CD variable. See the
+# header comment of this file for setup instructions.
+mirror-to-github:
+  stage: mirror
+  image: alpine:3.20
+  needs: []
+  before_script:
+    - apk add --no-cache git openssh-client ca-certificates
+  script:
+    - git config --global user.email "ci-mirror@gitlab.com"
+    - git config --global user.name "GitLab CI Mirror"
+    - >
+      git clone --depth=50 --branch main
+      "https://oauth2:${CI_JOB_TOKEN}@gitlab.com/${CI_PROJECT_PATH}.git"
+      repo
+    - cd repo
+    - >
+      git push
+      "https://x-access-token:${GITHUB_MIRROR_TOKEN}@github.com/BigBodyCobain/Shadowbroker.git"
+      "${CI_COMMIT_SHA}:refs/heads/main"
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main" && $GITHUB_MIRROR_TOKEN

README.md

@@ -61,6 +61,8 @@ ShadowBroker includes an optional Shodan connector for operator-supplied API acc
 
 ## ⚡ Quick Start (Docker)
 
+### From GitHub (default — uses GHCR images)
+
 ```bash
 git clone https://github.com/bigbodycobain/Shadowbroker.git
 cd Shadowbroker
@@ -68,6 +70,17 @@ docker compose pull
 docker compose up -d
 ```
 
+### From GitLab (uses GitLab Container Registry)
+
+```bash
+git clone https://gitlab.com/bigbodycobain/Shadowbroker.git
+cd Shadowbroker
+docker compose -f docker-compose.yml -f docker-compose.gitlab.yml pull
+docker compose -f docker-compose.yml -f docker-compose.gitlab.yml up -d
+```
+
+Both paths produce identical containers — same source, same CI, same images byte-for-byte. Pick whichever ecosystem you already use.
+
 Open `http://localhost:3000` to view the dashboard! *(Requires [Docker Desktop](https://www.docker.com/products/docker-desktop/) or Docker Engine)*
 
 > **Backend port already in use?** The browser only needs port `3000`, but the backend API is also published on host port `8000` for local diagnostics. If another app already uses `8000`, create or edit `.env` next to `docker-compose.yml` and set `BACKEND_PORT=8001`, then run `docker compose up -d`.
@@ -136,8 +149,13 @@ helm repo update
 
 **2. Install the Chart:**
 ```bash
-# Install from the local helm/chart directory
+# Default — pulls images from GHCR
 helm install shadowbroker ./helm/chart --create-namespace --namespace shadowbroker
+
+# GitLab registry variant
+helm install shadowbroker ./helm/chart --create-namespace --namespace shadowbroker \
+  -f helm/chart/values.yaml \
+  -f helm/chart/values-gitlab.yaml
 ```
 
 **3. Key Features:**

docker-compose.gitlab.yml

@@ -0,0 +1,18 @@
+# Compose override that points the backend and frontend at the GitLab
+# Container Registry instead of GHCR. Use this if you prefer pulling
+# images from gitlab.com.
+#
+# Usage:
+#   docker compose -f docker-compose.yml -f docker-compose.gitlab.yml pull
+#   docker compose -f docker-compose.yml -f docker-compose.gitlab.yml up -d
+#
+# Both registries publish the same images on every push to main:
+#   - .github/workflows/docker-publish.yml  → ghcr.io  (default)
+#   - .gitlab-ci.yml                        → registry.gitlab.com  (this file)
+
+services:
+  backend:
+    image: registry.gitlab.com/bigbodycobain/shadowbroker/backend:latest
+
+  frontend:
+    image: registry.gitlab.com/bigbodycobain/shadowbroker/frontend:latest

helm/chart/values-gitlab.yaml

@@ -0,0 +1,30 @@
+# Helm values override that points the chart at the GitLab Container
+# Registry instead of GHCR. Use this if you prefer pulling images from
+# gitlab.com.
+#
+# Usage:
+#   helm install shadowbroker ./helm/chart \
+#     --create-namespace --namespace shadowbroker \
+#     -f helm/chart/values.yaml \
+#     -f helm/chart/values-gitlab.yaml
+#
+# Both registries publish the same images on every push to main:
+#   - .github/workflows/docker-publish.yml  → ghcr.io                  (default)
+#   - .gitlab-ci.yml                        → registry.gitlab.com      (this file)
+
+shadowbroker:
+  controllers:
+
+    backend:
+      containers:
+        main:
+          image:
+            repository: registry.gitlab.com/bigbodycobain/shadowbroker/backend
+            tag: latest
+
+    frontend:
+      containers:
+        main:
+          image:
+            repository: registry.gitlab.com/bigbodycobain/shadowbroker/frontend
+            tag: latest