.gitlab-ci.yml

image: docker:stable

services:
  - name: docker:19.03.15-dind
    command: [ "--mtu=1500" ]

workflow:
  rules:
    - if: "$CI_MERGE_REQUEST_ID || $CI_COMMIT_TAG =~ /\\-rc.*/"
      variables:
        DEPLOY_VARIABLE: alpha
        NOTIFY_CHANNEL: ${KCHAT_WHOOK_URL}/986f3435-6c53-4648-a86c-33c64fc14daf
    - if: "$CI_COMMIT_TAG"
      variables:
        DEPLOY_VARIABLE: production
        NOTIFY_CHANNEL: ${KCHAT_WHOOK_URL}/986f3435-6c53-4648-a86c-33c64fc14daf
    - if: $CI_PIPELINE_SOURCE == "schedule"
    - when: never

include:
  - project: 'docker-public/renovate'
    ref: master
    file: '/renovate.yaml'

stages:
  - test
  - build_front
  - cypress
  - build_docker_image
  - docker_test
  - deploy_docker_image

variables:
  DOCKER_HOST: tcp://localhost:2375
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""
  npm_config_cache: "$CI_PROJECT_DIR/.npm"
  CYPRESS_CACHE_FOLDER: "$CI_PROJECT_DIR/cache/Cypress"
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  CS_MAJOR_VERSION: 2
  CI_APPLICATION_REPOSITORY: ${CI_REGISTRY_IMAGE}
  CI_APPLICATION_TAG: latest

.base:
  rules:
    - if: '$CI_MERGE_REQUEST_ID || $CI_COMMIT_TAG'
      when: on_success
    - when: never

.base-dind:
  extends: .base
  tags:
    - docker-executor
    - kubernetes
    - shared

.base-shell:
  extends: .base
  tags:
    - docker-executor
    - kubernetes
    - shared

.rules_docker: &rules_docker
  rules:
    - if: '$CI_COMMIT_TAG'
      changes:
        - docker/*
      when: on_success
    - when: never

# build
build_front:
  extends: .base-dind
  image: node:18.20.4
  stage: build_front
  rules:
    - if: $DEPLOY_VARIABLE == "production"
      when: on_success
      allow_failure: false
    - if: $DEPLOY_VARIABLE == "alpha"
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    - when: on_success
  environment:
    name: $DEPLOY_VARIABLE
  before_script:
    - export ENVIRONMENT=${DEPLOY_VARIABLE}
    - npm i --cache .npm --prefer-offline --no-audit
  script:
    - |
      export VITE_WEB_COMPONENT_API_ENDPOINT=$WEB_COMPONENT_API_ENDPOINT_PREPROD
      export VITE_WEB_COMPONENT_ENDPOINT=$WEB_COMPONENT_ENDPOINT_PREPROD

      if [ -z "$CI_MERGE_REQUEST_ID" ]
      then
        case "$CI_COMMIT_TAG" in
          *rc*)
            echo "BUILDING PREPROD!"
            ;;
          *)
            export VITE_WEB_COMPONENT_API_ENDPOINT=$WEB_COMPONENT_API_ENDPOINT_PROD
            export VITE_WEB_COMPONENT_ENDPOINT=$WEB_COMPONENT_ENDPOINT_PROD
            echo "BUILDING PROD!"
            ;;
        esac
      else
        echo "BUILDING MERGE REQUEST!"
      fi
    - npm run build
  artifacts:
    paths:
      - dist/
    expire_in: 1 days
    when: always
  cache:
    key: "${CI_COMMIT_REF_SLUG}"
    paths:
      - .npm
      - cache/Cypress
      - node_modules/

# Cypress
cypress_chrome:
  stage: cypress
  extends: .base-dind
  image: cypress/browsers:node-20.13.0-chrome-124.0.6367.155-1-ff-125.0.3-edge-124.0.2478.80-1
  rules:
    - if: '$CI_MERGE_REQUEST_ID || $CI_COMMIT_TAG =~ /-rc/'
      when: on_success
    - when: never
  before_script:
    - printenv
    - npm i --cache .npm --prefer-offline
  script:
    - npm run test-chrome
  artifacts:
    when: always
    paths:
      - cypress/videos/*.mp4
      - cypress/screenshots/*/*.png
    expire_in: 10 days

# DOCKER
build_docker_image:
  stage: build_docker_image
  extends: .base-shell
  rules:
    - if: '$CI_COMMIT_TAG'
      when: on_success
    - when: never
  artifacts:
    paths:
      - dist/
    expire_in: 1 days
    when: always
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
  script:
    - docker build --pull --build-arg CI_COMMIT_TAG=${CI_COMMIT_TAG} -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG} -f docker/Dockerfile .
    - docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}
    - docker tag ${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG} ${CI_REGISTRY_IMAGE}:latest
    - docker push ${CI_REGISTRY_IMAGE}:latest

container_scanning:
  stage: docker_test
  extends: .base-dind
  image: $SECURE_ANALYZERS_PREFIX/klar:$CS_MAJOR_VERSION
  !!merge <<: *rules_docker
  variables:
    CLAIR_DB_IMAGE_TAG: "latest"
    CLAIR_DB_IMAGE: "$SECURE_ANALYZERS_PREFIX/clair-vulnerabilities-db:$CLAIR_DB_IMAGE_TAG"
    GIT_STRATEGY: none
  allow_failure: true
  services:
    - name: $CLAIR_DB_IMAGE
      alias: clair-vulnerabilities-db
  script:
    - docker pull ${CI_REGISTRY_IMAGE}:latest
    - /analyzer run
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json
  dependencies: [ ]