---

stages:
  - deps
  - build
  - fickit
  - sast
  - qa
  - image
  - container_scanning

cache:
  paths:
    - .go/pkg/mod/
    - qa/ui/node_modules/
    - frontend/ui/node_modules/

include:
  - '.gitlab-ci/build.yml'
  - '.gitlab-ci/image.yml'
  - template: SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

.scanners-matrix:
  parallel:
    matrix:
      - IMAGE_NAME: [checker, admin, evdist, frontend-ui, nginx, dashboard, repochecker, qa, receiver, generator, remote-challenge-sync-airbus]

container_scanning:
  stage: container_scanning
  extends:
    - .scanners-matrix
  variables:
    DOCKER_SERVICE: localhost
    DOCKERFILE_PATH: Dockerfile-${IMAGE_NAME}
    CI_APPLICATION_REPOSITORY: ${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}/${IMAGE_NAME}
    CI_APPLICATION_TAG: latest
    GIT_STRATEGY: fetch
  before_script:
    - 'echo "Scanning: ${IMAGE_NAME}"'
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'

sast:
  stage: sast
  interruptible: true
  needs: []
  before_script:
    - rm -rf .go/

secret_detection:
  stage: sast
  interruptible: true
  needs: []

dependency_scanning:
  stage: qa
  interruptible: true
  needs: []

get-deps:
  stage: deps
  image: golang:alpine3.18
  before_script:
    - export GOPATH="$CI_PROJECT_DIR/.go"
    - mkdir -p .go
  script:
    - apk --no-cache add git
    - go get -v -d ./...

vet:
  stage: sast
  needs: ["build-qa-ui"]
  dependencies:
    - build-qa-ui
  image: golang:alpine3.18
  before_script:
    - export GOPATH="$CI_PROJECT_DIR/.go"
    - mkdir -p .go
  script:
    - apk --no-cache add build-base
    - go vet -v -buildvcs=false -tags gitgo ./...
    - go vet -v -buildvcs=false ./...

fickit:
  stage: fickit
  interruptible: true
  needs: ["build-admin","build-checker","build-dashboard","build-evdist","build-generator","build-qa","build-receiver","build-repochecker"]
  image: nemunaire/linuxkit
  tags: ['docker']
  before_script:
    - mkdir -p ~/.docker
    - echo "{\"auths\":{\"${CI_REGISTRY}\":{\"username\":\"${CI_REGISTRY_USER}\",\"password\":\"${CI_REGISTRY_PASSWORD}\"}}}" > ~/.docker/config.json
  script:
    - dockerd & sleep 5

    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/boot/
    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/kexec/
    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/mariadb-client/
    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/mdadm/
    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/rsync/
    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/syslinux/
    - linuxkit pkg push -force -org "${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}" fickit-pkg/unbound/

    - sed -i "s@nemunaire/fic-@${CI_REGISTRY_IMAGE}/master/@;s@nemunaire/@${CI_REGISTRY_IMAGE}/${CI_COMMIT_REF_SLUG}/@" fickit-backend.yml fickit-boot.yml fickit-frontend.yml fickit-prepare.yml fickit-update.yml

    - linuxkit build -format kernel+squashfs fickit-backend.yml
    - linuxkit build -format kernel+squashfs fickit-frontend.yml
    - linuxkit build -format kernel+initrd fickit-boot.yml
    - linuxkit build -format kernel+initrd fickit-prepare.yml
    - linuxkit build -format kernel+initrd fickit-update.yml
  artifacts:
    expire_in: 8 hours
    paths:
      - fickit-backend-squashfs.img
      - fickit-frontend-squashfs.img
      - fickit-boot-kernel
      - fickit-boot-initrd.img
      - fickit-prepare-initrd.img
      - fickit-update-initrd.img