.gitlab-ci.yml

include:
   - template: Terraform/Base.gitlab-ci.yml
#  This doesn't seem to work.
#   - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
   # This will suppress any download for dependencies and plugins or upload messages which would clutter the console log.
   # `showDateTime` will show the passed time in milliseconds. You need to specify `--batch-mode` to make this work.
   MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Dorg.slf4j.simpleLogger.showDateTime=true -Djava.awt.headless=true  -Dsurefire.rerunFailingTestsCount=2 -Denv.buildServer=true"
   # As of Maven 3.3.0 instead of this you may define these options in `.mvn/maven.config` so the same config is used
   # when running from the command line.
   # `installAtEnd` and `deployAtEnd` are only effective with recent version of the corresponding plugins.
   MAVEN_CLI_OPTS: "--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true -Denv.buildServer=true -U --settings .mvn/settings.xml"
   # Used during gitflow interaction.
   MAJOR_RELEASE_DIGIT: 0
   MINOR_RELEASE_DIGIT: 1
   PATCH_RELEASE_DIGIT: 2

   # https://docs.gitlab.com/ee/ci/large_repositories/#shallow-cloning
   GIT_DEPTH: 10

   TF_STATE_NAME_DEV: dev
   TF_STATE_NAME_PROD: prod
   MAVEN_SETTINGS_PATH: ".m2/settings.xml"

.git_template: &git_setup |
   git remote set-url --push origin "https://oauth2:${GITLAB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git"
   git config user.name "vyne-cd"
   git config user.email vyne-cd@vyne.co


stages:
   - build
   - test
   - publish
   - deploy
   - verify
   - release

#default:
#   tags:
#      - docker

.build-jvm:
   stage: build
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/maven:3.9.6-eclipse-temurin-21
#   tags:
#      - docker-heavy
   cache:
      paths:
         - .m2/repository
   script:
      # Do the "docker login" manually as there's no Docker CLI installed on maven images
      - |
         mkdir /root/.docker/
         cat > /root/.docker/config.json << EOF
         {
             "auths": {
                 "https://index.docker.io/v1/": {
                     "username": "vynecd",
                     "password": "${DOCKER_HUB_PASSWORD}",
                     "auth": "$(echo -n 'vynecd:${DOCKER_HUB_PASSWORD}' | base64)"
                 }
             }
         }
         EOF
      - 'if [ -z "${GITLAB_TOKEN}" ]; then echo "var is blank"; else echo "var is set"; fi'
      - 'if [ -z "${CI_SERVER_HOST}" ]; then echo "var is blank"; else echo "var is set"; fi'
      - 'if [ -z "${CI_PROJECT_PATH}" ]; then echo "var is blank"; else echo "var is set"; fi'
      - 'mvn $MAVEN_CLI_OPTS -version'
      - 'mvn $MAVEN_CLI_OPTS -DbuildNumber=$CI_PIPELINE_ID $MAVEN_EXTRA_ARGS $MAVEN_GOALS'

      #   Read the POM, grab the version, and set to an env variable
      #   https://stackoverflow.com/a/52241594
      # Run the actual command twice.  The first time ensures that any downloads are
      # already completed, so that when we try to grep the output string, we get a tidy predictable output
      - mvn --non-recursive help:evaluate -Dexpression=project.version
      - mvn --non-recursive help:evaluate -Dexpression=project.version | grep -v '\[.*' > build-version.txt
      # Get the 3rd party license report for usage later
      - mvn license:aggregate-add-third-party
   artifacts:
      paths:
         - build-version.txt
         - target/generated-sources/license/THIRD-PARTY.txt
         # Be careful!  The each of these jar files can get big.
         # If the total size of all jar files being stored in artifacts
         # exceeds 1GB then builds can fail.
         #         - "cask/target/cask.jar"
#         - "schema-server/target/schema-server.jar"
#         - "vyne-analytics-server/target/vyne-analytics-server.jar"
         - "query-node-native/target/query-node-native.jar"
#         - "vyne-query-service/target/vyne.zip"
         - "station/target/orbital.zip"
#         - "test-cli/target/*.zip"
         - "voyager/target/voyager.jar"
      expire_in: 1 hours
      reports:
         junit:
            # Note:This won't actually work, b/c of https://gitlab.com/gitlab-org/gitlab-runner/issues/2620
            # However, leaving this here to pick up later
            - "*/target/surefire-reports/TEST-*.xml"

.build-ui:
   stage: build
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/node:18.18
   before_script:
      - npm config set cache .npm/cache --global
      - npm --global cache verify
      - npm get cache
      - export NODE_OPTIONS="--max-old-space-size=8192"
   cache:
      paths:
         - .npm/cache
#   tags:
#      - docker-heavy

build-vyne-ui:
   extends: .build-ui
   script:
      - cd orbital-ui
      - npm ci
      - npm run-script build-prod
      # Capture 3rd party licenses for checks later
      - npx license-checker --out ../licenses.csv --csv
   artifacts:
      paths:
         - station/target/classes/static
         - licenses.csv
      expire_in: 1 hours

build-voyager-ui:
   extends: .build-ui
   script:
      - cd orbital-ui
      - npm ci
      - npm run-script build-prod-voyager
   artifacts:
      paths:
         - "voyager/target/classes/static"
      expire_in: 1 hours


build-jvm-branch:
   stage: build
   except:
      - tags
      - develop
      - master
   extends: .build-jvm
   variables:
      MAVEN_GOALS: 'clean install'
      MAVEN_EXTRA_ARGS: ''

build-jvm-develop:
   stage: build
   only:
      - develop
      - release/*
   except:
      - tags
   extends: .build-jvm
   variables:
      MAVEN_GOALS: 'clean deploy'
      # We skip tests on develop and master, as the tests have already run on the branch
      MAVEN_EXTRA_ARGS: '-P snapshot-release -DskipTests'


build-jvm-master:
   stage: build
   only:
      - master
      - tags
   extends: .build-jvm
   variables:
      MAVEN_GOALS: 'clean deploy'
      # We skip tests on develop and master, as the tests have already run on the branch
      MAVEN_EXTRA_ARGS: '-P release -DskipTests'

release-major:
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/maven:3.9.6-eclipse-temurin-21
   variables:
      GIT_STRATEGY: clone
   dependencies: [ ]
   stage: release
   script:
      - *git_setup
      - 'mvn gitflow:release -B -DversionDigitToIncrement=$MAJOR_RELEASE_DIGIT -DskipTestProject=true'
   only:
      - develop
   when: manual

release-minor:
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/maven:3.9.6-eclipse-temurin-21
   variables:
      GIT_STRATEGY: clone
   dependencies: [ ]
   stage: release
   script:
      - *git_setup
      - 'mvn gitflow:release -B -DversionDigitToIncrement=$MINOR_RELEASE_DIGIT -DskipTestProject=true'
   only:
      - develop
   when: manual

release-patch:
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/maven:3.9.6-eclipse-temurin-21
   variables:
      GIT_STRATEGY: clone
   dependencies: [ ]
   stage: release
   script:
      - *git_setup
      - 'mvn gitflow:release -B -DversionDigitToIncrement=$PATCH_RELEASE_DIGIT -DskipTestProject=true'
   only:
      - develop
   when: manual

regression-test:
   stage: verify
   resource_group: docker_release
   variables:
      VYNE_DOCKER_TAG: latest
   script:
      - mvn clean install -DskipTests -Dskip.npm
      - cd regression-tests
      - mvn -Dtest=TaxonomyRegressionTest -Drun.mode=docker -Dvyne.tag=${VYNE_DOCKER_TAG} test
   when: manual
   artifacts:
      when: always
      reports:
         junit:
            - target/surefire-reports/TEST-*.xml


# This creates the multi-platform Docker images
.publish-docker:
   stage: deploy
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/jdrouet/docker-with-buildx:20.10.17-0.8.2
   variables:
      DOCKER_BUILDKIT: 1
      BUILDKIT_PROGRESS: plain
      PROGRESS_NO_TRUNC: 1
   services:
      - docker:dind
   script:
      - docker login -u vynecd -p $DOCKER_HUB_PASSWORD
      - PROJECT_VERSION=$(cat build-version.txt)
      - docker buildx create --use
      - docker run --privileged --rm tonistiigi/binfmt --install all # Install the required emulators in order to build ARM images
      - |
         if [[ -n "$CI_COMMIT_TAG" ]]; then
            tag="$CI_COMMIT_TAG"
            versionTag="$CI_COMMIT_TAG"
         elif [[ "$CI_COMMIT_BRANCH" == "master" ]]; then
           tag="latest"
           versionTag="$PROJECT_VERSION"
         elif [[ "$CI_COMMIT_BRANCH" == "develop" ]]; then
            tag="next"
            versionTag="$PROJECT_VERSION-BETA-$CI_COMMIT_SHORT_SHA"
         elif [[ "$CI_COMMIT_BRANCH" =~ ^release\/ ]]; then
            stripped_branch=${CI_COMMIT_BRANCH#release/}
            tag="$stripped_branch-next"
            versionTag="$PROJECT_VERSION-BETA-$CI_COMMIT_SHORT_SHA"
         else
            tag="$CI_COMMIT_BRANCH-next"
            versionTag="$PROJECT_VERSION-BETA-$CI_COMMIT_SHORT_SHA"
         fi
         echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
         echo "Running on branch '$CI_COMMIT_BRANCH': version = $versionTag"
         echo "Running with base image tag: ${base_image_tag}"
      - cd $projectDir
      - >
         docker buildx build
         --platform linux/arm64/v8,linux/amd64
         --push
         --build-arg BASE_IMAGE_TAG=${base_image_tag}
         -t "${registry}${registry_orbital}/${microservice_orbital}:${tag}${tag_suffix}"
         -t "${registry}${registry_orbital}/${microservice_orbital}:${versionTag}${tag_suffix}"
         .

.tag-docker-image-as-latest:
   stage: deploy
   image: docker:latest
   services:
      - docker:dind
   rules:
      - if: $CI_COMMIT_TAG
        when: manual
   script:
      - docker login -u vynecd -p $DOCKER_HUB_PASSWORD
      - docker pull ${registry}${registry_orbital}/${microservice_orbital}:$CI_COMMIT_TAG
      - docker tag ${registry}${registry_orbital}/${microservice_orbital} latest
      - docker push ${registry}${registry_orbital}/${microservice_orbital}:latest
      - docker pull ${registry}${registry_orbital}/${microservice_orbital}:$CI_COMMIT_TAG-jammy
      - docker tag ${registry}${registry_orbital}/${microservice_orbital} latest-jammy
      - docker push ${registry}${registry_orbital}/${microservice_orbital}:latest-jammy

.publish-to-docker-hub:
   extends: .publish-docker
   rules:
      -  if: $CI_PIPELINE_SOURCE == "merge_request_event"
         when: never
      -  if: ($CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_BRANCH == "master")
         when: always
      -  if: $CI_COMMIT_TAG
         when: always
#         Always publish if we're on a release branch
      -  if: $CI_COMMIT_BRANCH =~ /^release\//
      -  if: ($CI_COMMIT_BRANCH != "develop" && $CI_COMMIT_BRANCH != "master")
         when: manual
         allow_failure: true
   variables:
      registry_orbital: orbitalhq

.publish-to-gitlab-container-registry:
   extends: .publish-docker
   rules:
      -  if: $CI_PIPELINE_SOURCE == "merge_request_event"
         when: never
      -  if: ($CI_COMMIT_BRANCH == "develop" || $CI_COMMIT_BRANCH == "master")
      #         Always publish if we're on a release branch
      -  if: $CI_COMMIT_BRANCH =~ /^release\//
      -  if: ($CI_COMMIT_BRANCH != "develop" && $CI_COMMIT_BRANCH != "master")
         when: manual
         allow_failure: true
   variables:
      registry_orbital: $CI_REGISTRY_IMAGE
   before_script:
      - echo "$CI_REGISTRY_PASSWORD" | docker login --username $CI_REGISTRY_USER --password-stdin $CI_REGISTRY

publish-orbital-to-docker-hub:
   extends: .publish-to-docker-hub
   variables:
      projectDir: station
      microservice_orbital: orbital
      base_image_tag: alpine

tag-orbital-as-latest:
   extends: .tag-docker-image-as-latest
   variables:
      microservice_orbital: orbital
      registry_orbital: orbitalhq

publish-orbital-to-docker-hub-mac-m2:
   extends: .publish-to-docker-hub
   variables:
      projectDir: station
      microservice_orbital: orbital
      tag_suffix: -jammy # jammy is the name of ubuntu we use
      base_image_tag: jammy # jammy is the name of ubuntu we use

publish-query-node-to-docker-hub:
   extends: .publish-to-docker-hub
   variables:
      projectDir: query-node-native
      microservice_orbital: query-node

tag-query-node-as-latest:
   extends: .tag-docker-image-as-latest
   variables:
      microservice_orbital: query-node
      registry_orbital: orbitalhq

publish-voyager-to-gitlab-container-registry:
   extends: .publish-to-gitlab-container-registry
   variables:
      projectDir: voyager
      microservice_orbital: voyager

.publish-docker-gitlab:
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/jdrouet/docker-with-buildx:20.10.8-0.6.3
   stage: publish
   except:
      - tags
   variables:
      DOCKER_BUILDKIT: 1
      BUILDKIT_PROGRESS: plain
      PROGRESS_NO_TRUNC: 1
   before_script:
      - docker info
      - docker buildx create --use
      - docker login -u vynecd -p $DOCKER_HUB_PASSWORD
      - echo "$CI_REGISTRY_PASSWORD" | docker login --username $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
      - |
         if [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
           tag="latest"
         else
           tag="$CI_COMMIT_REF_SLUG"
         fi
         echo "Running on branch '$CI_COMMIT_BRANCH': tag = $tag"
   script:
      - cd $projectDir
      - pwd
      - >
         docker buildx build
         --platform linux/arm64/v8,linux/amd64
         --push
         -t "${CI_REGISTRY}/vyne/vyne/${microservice}:${tag}"
         -t "${CI_REGISTRY}/vyne/vyne/${microservice}:${CI_COMMIT_SHORT_SHA}" .

.terraform-deploy:
  extends: .terraform:deploy
  stage: deploy
  before_script:
     - echo ${TF_ROOT}
     - cd ${TF_ROOT}
     - gitlab-terraform plan
     - gitlab-terraform plan-json

terraform-deploy-dev-voyager:
   extends: .terraform-deploy
   stage: deploy
   environment:
      name: $TF_STATE_NAME_DEV
   variables:
      TF_ROOT: ${CI_PROJECT_DIR}/voyager/terraform/environments/orbital_$TF_STATE_NAME_DEV
      TF_STATE_NAME: voyager_$TF_STATE_NAME_DEV
      TF_VAR_environment: $TF_STATE_NAME_DEV
      TF_VAR_taxi_playground_docker_image_id: $CI_COMMIT_SHORT_SHA
   when: manual

terraform-deploy-prod-voyager:
   extends: .terraform-deploy
   stage: deploy
   environment:
      name: $TF_STATE_NAME_PROD
   variables:
      TF_ROOT: ${CI_PROJECT_DIR}/voyager/terraform/environments/orbital_$TF_STATE_NAME_PROD
      TF_STATE_NAME: voyager_$TF_STATE_NAME_PROD
      TF_VAR_environment: $TF_STATE_NAME_PROD
      TF_VAR_taxi_playground_docker_image_id: $CI_COMMIT_SHORT_SHA
   when: manual

.container_scanning:
   image:
      name: docker.io/aquasec/trivy:latest
      entrypoint: [""]
   stage: verify
   only:
      - develop
   variables:
      # No need to clone the repo, we exclusively work on artifacts.  See
      # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
      GIT_STRATEGY: none
#      Required if reading from Gitlab registry:
      TRIVY_USERNAME: "$CI_DEPENDENCY_PROXY_USER"
      TRIVY_PASSWORD: "$CI_DEPENDENCY_PROXY_PASSWORD"
#      TRIVY_AUTH_URL: "$CI_REGISTRY"
      FULL_IMAGE_NAME: $imageName
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
   script:
#      - docker login -u $CI_DEPENDENCY_PROXY_USER -p $CI_DEPENDENCY_PROXY_PASSWORD $CI_DEPENDENCY_PROXY_SERVER
      - trivy --version
      # cache cleanup is needed when scanning images with the same tags, it does not remove the database
      - time trivy clean --scan-cache
      # update vulnerabilities db
      - time trivy image --download-db-only --no-progress --cache-dir .trivycache/
      # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
      - time trivy image --scanners vuln --exit-code 0 --cache-dir .trivycache/ --no-progress --output "$CI_PROJECT_DIR/vulnerabilities.txt" "$FULL_IMAGE_NAME"
      # Prints full report
      - time trivy image --scanners vuln --exit-code 0 --cache-dir .trivycache/ --no-progress "$FULL_IMAGE_NAME"
      # Fail on critical vulnerabilities
      - time trivy image --scanners vuln --exit-code 1 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress "$FULL_IMAGE_NAME"
   cache:
      paths:
         - .trivycache/
   # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
   artifacts:
      when:                          always
      reports:
         container_scanning:          vulnerabilities.txt

scan-orbital:
   extends: .container_scanning
   variables:
      imageName: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/orbitalhq/orbital:next

trigger-connect-build:
   stage: deploy
   only:
      - develop
   trigger:
      project: vyne/hazelcast-orbital
      branch: develop

validate-license-compliance:
   stage: verify
   image: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/node:18.18
   script:
      - node processLicenses.js