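---
# GitLab CI pipeline: test -> build (container images) -> security (Trivy SBOM
# and SAST scans) -> deploy (webhook notification).
#
# Templates are hidden jobs (leading dot) and concrete jobs use `extends:`.
# The previous YAML merge keys (`<<: *anchor`) are a *shallow* merge: a job
# that declared its own `variables:` replaced the template's whole variables
# hash, dropping TRIVY_* / DOCKER_BUILDKIT settings. `extends:` merges hashes.

stages:
  - test
  - build
  - security
  - deploy

variables:
  BASE_IMAGE_NAME: $CI_REGISTRY_IMAGE
  DOCKER_DRIVER: overlay2
  # Empty value disables TLS on the docker:dind service, so the job talks to
  # the daemon over plaintext tcp inside the job's service network. Enabling
  # TLS ("/certs") also needs the runner to share the certs volume.
  DOCKER_TLS_CERTDIR: ""

# Default cache for jobs without their own `cache:` (a job-level `cache:`
# replaces this whole mapping; it is not merged).
cache:
  key: "${CI_COMMIT_REF_SLUG}"
  paths:
    - .cache/pip
    - .cache/trivy
  policy: pull-push

image: docker:28.0
services:
  - docker:28.0-dind

# Settings shared by every Trivy job.
.trivy-template:
  stage: security
  # TODO(review): pin to an explicit version or @sha256 digest instead of :latest
  image: aquasec/trivy:latest
  # No docker daemon is needed to scan; skip the global dind service.
  services: []
  variables:
    TRIVY_CACHE_DIR: .cache/trivy
    TRIVY_NO_PROGRESS: "true"
    TRIVY_TIMEOUT: "10m0s"
  cache:
    # The vulnerability DB is branch-independent; share one cache entry.
    key: trivy-db
    paths:
      - .cache/trivy
    policy: pull-push
  before_script:
    - mkdir -p "$TRIVY_CACHE_DIR"
  # Findings never block the pipeline (allow_failure), but a scanner crash or
  # DB download error should still surface as a failed job rather than a green
  # job with no report -- hence no `|| true` on the scan commands. `trivy`
  # exits 0 on findings unless `--exit-code` is given.
  allow_failure: true
  rules:
    # Opt-out must come first: `rules` is first-match, so an opt-out placed
    # after the branch/tag/MR rules never takes effect.
    - if: $SAST_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

# Scan the repository checkout (source, lockfiles, IaC).
.trivy-fs-template:
  extends: .trivy-template
  script:
    - trivy fs --format cyclonedx --output fs-sbom.json .
    - trivy fs --format sarif --output gl-sast-fs-report.json .
  artifacts:
    when: always
    expire_in: 1 week
    paths:
      - fs-sbom.json
      - gl-sast-fs-report.json
    reports:
      sast: gl-sast-fs-report.json
      cyclonedx: fs-sbom.json

# Scan a pushed image. Jobs extending this set IMAGE_NAME and IMAGE_TYPE.
.trivy-image-template:
  extends: .trivy-template
  variables:
    # Registry auth via Trivy's own env vars: the aquasec/trivy image ships
    # no docker CLI, so a `docker login` in before_script cannot succeed there.
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy image --format cyclonedx --output "image-sbom-${IMAGE_TYPE}.json" "$IMAGE_NAME:$CI_COMMIT_SHA"
    - trivy image --format sarif --output "gl-sast-image-${IMAGE_TYPE}-report.json" "$IMAGE_NAME:$CI_COMMIT_SHA"
  artifacts:
    when: always
    expire_in: 1 week
    # NOTE(review): ${IMAGE_TYPE} is expanded in artifacts:paths; confirm the
    # same expansion applies to artifacts:reports on this GitLab version.
    paths:
      - image-sbom-${IMAGE_TYPE}.json
      - gl-sast-image-${IMAGE_TYPE}-report.json
    reports:
      sast: gl-sast-image-${IMAGE_TYPE}-report.json
      cyclonedx: image-sbom-${IMAGE_TYPE}.json

# Notify a deploy endpoint. Jobs extending this set WEBHOOK_URL.
.webhook-template:
  stage: deploy
  # TODO(review): pin to an explicit version or @sha256 digest instead of :latest
  image: curlimages/curl:latest
  services: []
  script:
    # --fail turns a non-2xx webhook response into a job failure instead of a
    # silent green deploy; -sS stays quiet on success but still prints errors.
    - |
      curl -fsS -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $WEBHOOK_SECRET_TOKEN" \
        -H "Webhook-Identifier: $WEBHOOK_BYPASS_TOKEN" \
        "$WEBHOOK_URL"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success

# Build one target of the Containerfile with BuildKit and push it. Jobs
# extending this set IMAGE_NAME, CONTAINERFILE and BUILDTARGET.
.build-template:
  stage: build
  image: docker:28.0
  services:
    - docker:28.0-dind
  variables:
    DOCKER_BUILDKIT: "1"
    BUILDKIT_INLINE_CACHE: "1"
  before_script:
    # --password-stdin keeps the token out of the argument list (and out of
    # `ps` / shell traces); the docker CLI deprecates `-p` for that reason.
    - printf '%s' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
  script:
    # NOTE(review): every run, including the manual merge-request build,
    # pushes and overwrites `:latest`; restrict that tag to the default branch
    # if `:latest` is what deployments pull.
    - |
      docker buildx create --use
      docker buildx build . \
        -t "$IMAGE_NAME:latest" \
        -t "$IMAGE_NAME:$CI_COMMIT_REF_SLUG" \
        -t "$IMAGE_NAME:$CI_COMMIT_SHA" \
        -f "$CONTAINERFILE" --target "$BUILDTARGET" --push \
        --cache-from "type=registry,ref=$IMAGE_NAME-cache" \
        --cache-to "type=registry,ref=$IMAGE_NAME-cache,mode=max,oci-mediatypes=true,image-manifest=true,compression=zstd" \
        --build-arg BUILDKIT_INLINE_CACHE=1
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: always
    - if: $CI_COMMIT_TAG
      when: always
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: manual
      allow_failure: true

sast-filesystem:
  extends: .trivy-fs-template

sast-image-runtime:
  extends: .trivy-image-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend
    IMAGE_TYPE: runtime
  dependencies:
    - build-runtime

sast-image-tests:
  extends: .trivy-image-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
    IMAGE_TYPE: tests
  dependencies:
    - build-tests

sast-image-migrations:
  extends: .trivy-image-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
    IMAGE_TYPE: migrations
  dependencies:
    - build-migrations

build-runtime:
  extends: .build-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend
    CONTAINERFILE: Containerfile
    BUILDTARGET: runtime

build-tests:
  extends: .build-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-tests
    CONTAINERFILE: Containerfile
    BUILDTARGET: tests

build-migrations:
  extends: .build-template
  variables:
    IMAGE_NAME: $BASE_IMAGE_NAME/backend-migrations
    CONTAINERFILE: Containerfile
    BUILDTARGET: migrations

webhook-backend-deploy:
  extends: .webhook-template
  variables:
    WEBHOOK_URL: $WEBHOOK_URL_BACKEND
  dependencies:
    - build-runtime

webhook-migrations-deploy:
  extends: .webhook-template
  variables:
    WEBHOOK_URL: $WEBHOOK_URL_MIGRATIONS
  dependencies:
    - build-migrations

# Only run pipelines for merge requests, the default branch and tags.
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG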