# Shared templates and the test pipelines, pulled in from the repository's
# .gitlab/ directory. The `.before-*` and `.x-get-credentials` templates the
# jobs below extend are not defined in this file and presumably come from here.
include:
  - local: .gitlab/common.yaml
  - local: .gitlab/tests.yaml
  - local: .gitlab/tests_build.yaml
# Settings every job inherits unless it overrides them.
default:
  # OIDC token presented to Vault by the `secrets:` entries in SIGN_DOCKER;
  # `aud` has to match the audience bound on the Vault JWT role.
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://gl.wallarm.com
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/common:v0.5.0
  tags:
    - node-c05r1-stable-amd
# Stage order; jobs run stage by stage unless `needs:` lets them start earlier.
# No job in this file uses `test` — presumably the included tests files do.
stages:
  - build
  - test
  - scan
  - publish
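# Pipeline-wide variables; each job sees them as environment variables.
variables:
  # Vault connection used by the Vault-backed `secrets:` entries in SIGN_DOCKER.
  VAULT_SERVER_URL: https://vault-common.i.gcp.wallarm.space
  VAULT_AUTH_ROLE: gitlab-ci_node-team_wallarm-node
  VAULT_AUTH_PATH: jwt-gitlab
  GIT_SUBMODULE_STRATEGY: recursive
  # Image name appended to CI_REGISTRY_IMAGE (build) and docker.io/wallarm (sign).
  IMAGE_NAME: node
  UPSTREAM_CI_COMMIT_REF_NAME: main
  # Quoted so a version such as 6.10 is never read as the float 6.1.
  AIO_VERSION:
    value: "6.11.2"
    description: "AIO upstream version"
  # Selects which jobs run; the workflow rules force `production` for release
  # tags. The description now lists every option actually offered.
  X_CI_BUILD_KIND:
    description: "Build kind: develop, production, release-candidate or tools:register-tests"
    value: develop
    options:
      - develop
      - production
      - release-candidate
      - tools:register-tests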
# Pipeline-level gate: decides whether a pipeline is created at all and, for
# the allowed trigger kinds, which IMAGE_TAG / X_CI_BUILD_KIND it runs with.
workflow:
  rules:
    # Any tag that starts with MAJOR.MINOR.PATCH is a production build tagged
    # with the git tag itself.
    - if: '$CI_COMMIT_TAG =~ /^([0-9]+\.[0-9]+\.[0-9]+).*$/'
      variables:
        X_CI_BUILD_KIND: production
        IMAGE_TAG: $CI_COMMIT_TAG
    # Triggered by another project's pipeline: the image carries the AIO version.
    - if: '$CI_PIPELINE_SOURCE == "pipeline"'
      variables:
        IMAGE_TAG: $AIO_VERSION
      when: always
    # Merge requests and manual runs from the web UI.
    - if: '$CI_MERGE_REQUEST_ID'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "web"'
      when: always
    # Everything else (e.g. plain branch pushes) gets no pipeline.
    - when: never
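### BUILD IMAGE (upstream-triggered pipelines; feature branches use BUILD_AIO_DOCKER below)
# The AIO installers are taken from the upstream pipeline's artifacts instead
# of being downloaded, unpacked into per-architecture build roots, and then
# packaged by `make docker-image-build`.
BUILD_AIO_DOCKER_UPSTREAM:
  stage: build
  tags:
    - node-c4r8-stable-dind-amd
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/docker:v0.6.3
  extends:
    - .before-docker-build
  rules:
    - if: '$X_CI_BUILD_KIND =~ /^(develop|production|release-candidate)$/ && $CI_PIPELINE_SOURCE == "pipeline"'
  variables:
    # Quoted: CI variable values are strings, so this is the literal text
    # "true" rather than a YAML boolean the loader has to coerce.
    SKIP_AIO_DOWNLOAD: "true"
    NODE_DOCKER_IMAGE: ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}
  script:
    - echo $UPSTREAM_CI_PIPELINE_REF_NAME
    - echo $UPSTREAM_CI_COMMIT_REF_NAME
    - echo $AIO_VERSION
    - ls -la apps/aio/artifacts/final/
    # --noexec skips the installer's embedded setup script, but the wrapper
    # script itself still runs under sh, so these artifacts are trusted code
    # from the upstream project.
    - mkdir -p build/linux/amd64/opt/wallarm
    - sh apps/aio/artifacts/final/wallarm-${AIO_VERSION}.x86_64-musl.sh --keep --noexec --target build/linux/amd64/opt/wallarm
    - mkdir -p build/linux/arm64/opt/wallarm
    - sh apps/aio/artifacts/final/wallarm-${AIO_VERSION}.aarch64-musl.sh --keep --noexec --target build/linux/arm64/opt/wallarm
    - make docker-image-build
  # Installer artifacts from the meganode pipeline at the ref that triggered
  # this run (UPSTREAM_CI_PIPELINE_REF_NAME is presumably set by that trigger).
  needs:
    - project: wallarm-node/meganode
      ref: $UPSTREAM_CI_PIPELINE_REF_NAME
      job: 'BUILD_MEGANODE: [x86_64, node-c6r12-stable-dind-amd, musl]'
      artifacts: true
    - project: wallarm-node/meganode
      ref: $UPSTREAM_CI_PIPELINE_REF_NAME
      job: 'BUILD_MEGANODE: [aarch64, node-c6r12-stable-dind-arm, musl]'
      artifacts: true
  # Variables exported by the build are handed to later jobs via dotenv.
  artifacts:
    reports:
      dotenv: variables.env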
# Branch / merge-request / web-triggered build. Same make target as the
# upstream job, but the image is tagged with the short commit SHA and
# SKIP_AIO_DOWNLOAD is not set, so presumably the extended template or the
# Makefile fetches the AIO installers itself.
BUILD_AIO_DOCKER:
  stage: build
  tags:
    - node-c4r8-stable-dind-amd
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/docker:v0.6.3
  extends:
    - .before-docker-build
  variables:
    IMAGE_TAG: ${CI_COMMIT_SHORT_SHA}
    NODE_DOCKER_IMAGE: ${CI_REGISTRY_IMAGE}/${IMAGE_NAME}:${IMAGE_TAG}
  rules:
    # Only pipelines that were not started by an upstream project.
    - if: '$X_CI_BUILD_KIND =~ /^(develop|production|release-candidate)$/ && $CI_PIPELINE_SOURCE != "pipeline"'
  script:
    - make docker-image-build
  # Variables exported by the build are handed to later jobs via dotenv.
  artifacts:
    reports:
      dotenv: variables.env
# Vulnerability scan with report
# Scans whichever build job ran (both `needs` are optional). Every rule sets
# allow_failure: true, so critical/high findings never block the publish
# stage: PUSH_DOCKER runs whether or not this job fails.
DOCKER_SCOUT_SCAN_ARTIFACT:
  stage: scan
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/docker:v0.6.3
  needs:
    - job: BUILD_AIO_DOCKER_UPSTREAM
      optional: true
    - job: BUILD_AIO_DOCKER
      optional: true
  variables:
    # --exit-code makes scout return non-zero on findings; the allow_failure
    # rules below currently turn that into a warning instead of a failure.
    DOCKER_SCOUT_ARGS: '--exit-code --only-severity critical,high --ignore-suppressed'
  rules:
    - if: '$X_CI_BUILD_KIND =~ /^(develop)$/'
      allow_failure: true
    - if: '$X_CI_BUILD_KIND =~ /^(production|release-candidate)$/'
      allow_failure: true # temporary
  extends:
    - .before-scout-scan
  script:
    - docker-scout config organization wallarm
    - make docker-scout-scan
# Pushes the built image for production and release-candidate builds
# (presumably to docker.io/wallarm, where SIGN_DOCKER pulls it from).
# There is no `needs:` on the scan job and the scan allows failure, so stage
# order alone sequences this after DOCKER_SCOUT_SCAN_ARTIFACT.
PUSH_DOCKER:
  stage: publish
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/docker:v0.6.3
  rules:
    - if: '$X_CI_BUILD_KIND =~ /^(production|release-candidate)$/'
  # Reuses the scout-scan preamble; presumably the registry login lives there.
  extends:
    - .before-scout-scan
  script:
    - echo "Pushing docker"
    - make docker-push
# Signs and attests the published production image. Everything is keyed by
# the pulled image's digest rather than the mutable tag, so the SBOM,
# provenance and signature bind to the exact bytes that were inspected.
SIGN_DOCKER:
  stage: publish
  tags: [node-c2r4-stable-dind-amd]
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/docker:v0.6.3
  needs:
    - job: PUSH_DOCKER
    - job: BUILD_AIO_DOCKER_UPSTREAM
      optional: true
    - job: BUILD_AIO_DOCKER
      optional: true
  rules:
    - if: $X_CI_BUILD_KIND == "production"
  extends:
    - .before-sign-docker
  # Signing material from Vault, injected as environment variables (file: false):
  # cosign reads the key through env:// and picks the passphrase up from
  # COSIGN_PASSWORD. The script runs with errexit but without `set -x`, so the
  # values are not echoed into the job log.
  secrets:
    COSIGN_PASSWORD: {vault: "pipelines/cosign/password@node-team", file: false}
    COSIGN_PRIVATE: {vault: "pipelines/cosign/private_key@node-team", file: false}
  # NOTE(review): RepoDigests[0] is assumed to be the docker.io/wallarm digest;
  # if the daemon already holds the same image under another repository name,
  # index 0 may belong to that one — confirm, or select the entry for $IMAGE.
  # NOTE(review): IMAGE_URI is exported but unused here; presumably
  # build-scripts/generate_provenance.py reads it and IMAGE_SHA/BUILD_FINISHED
  # from the environment — verify.
  # NOTE(review): python3 is installed ad hoc and unpinned inside the signing
  # job; baking it into the runner image would keep the provenance step
  # reproducible and independent of the package mirror.
  script:
    - |
      set -euo pipefail
      export IMAGE="docker.io/wallarm/${IMAGE_NAME}:${IMAGE_TAG}"
      docker pull -q ${IMAGE}
      export IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE)
      export IMAGE_URI=$(echo $IMAGE_DIGEST | sed -e 's/\@sha256:/:sha256-/')
      export SBOM_SPDX="${CI_PROJECT_DIR}/sbom_${IMAGE_TAG}_spdx.json"
      export PROVENANCE_PREDICATE="${CI_PROJECT_DIR}/provenance_${IMAGE_TAG}.json"
      syft -o spdx-json ${IMAGE} > ${SBOM_SPDX}
      export IMAGE_SHA="${IMAGE_DIGEST##*:}"
      export BUILD_FINISHED="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
      apk add --no-cache python3 >/dev/null 2>&1 || apk add --no-cache python3
      python3 build-scripts/generate_provenance.py
      cosign attest --yes --key env://COSIGN_PRIVATE --type spdxjson --predicate ${SBOM_SPDX} ${IMAGE_DIGEST}
      cosign attest --yes --key env://COSIGN_PRIVATE --type slsaprovenance1 --predicate ${PROVENANCE_PREDICATE} ${IMAGE_DIGEST}
      cosign sign --recursive --yes --key env://COSIGN_PRIVATE ${IMAGE_DIGEST}
  # Keeps the SBOM and provenance predicates for 30 days.
  # NOTE(review): artifact paths are normally given relative to the project
  # directory; confirm the $CI_PROJECT_DIR-prefixed form is accepted by the
  # runner, otherwise `*.json` is the equivalent relative spelling.
  artifacts:
    expire_in: 30 days
    paths:
      - $CI_PROJECT_DIR/*.json
# After the production image is signed, appends the new version to the
# wallarm-nginx-docker entry of latest.json in the packages_versions repo and
# lands it through a merge request that the bot opens, approves and merges.
UPDATE_VERSION:
  stage: publish
  image: europe-docker.pkg.dev/wallarm-infra/wallarm-cloud-europe/wallarm-node/node-gitlab-runner/gitlab:v0.5.0
  needs:
    - job: SIGN_DOCKER
  rules:
    - if: $X_CI_BUILD_KIND == "production"
  # Presumably provides GITLAB_TOKEN_NAME / GITLAB_TOKEN / GITLAB_HOST /
  # GITLAB_REPO; they are used below but not defined in this file.
  extends:
    - .x-get-credentials
  # NOTE(review): the token is embedded in the clone/push URL, so it is written
  # into the clone's .git/config and would surface in any git error output that
  # prints the remote; a credential helper or an extra HTTP header keeps it out
  # of both. It is also passed on the glab command line.
  # NOTE(review): unlike SIGN_DOCKER this script does not `set -euo pipefail`;
  # if the jq rewrite of latest.json fails part-way, the later add/commit/push/
  # merge steps would still run — confirm the runner's shell aborts on error.
  # NOTE(review): `cd packages_versions` appears twice (after the clone and
  # again after git config); the second one assumes a nested directory of the
  # same name — confirm.
  # The MR is approved and merged by the same bot identity that opened it, so
  # no human review gates this change; check that matches the target repo's
  # approval rules.
  script:
    - |
      COMPONENT_VERSION=$AIO_VERSION
      PR_BRANCH="update/aio-docker/${COMPONENT_VERSION}"
      GITLAB_REPO_URL="https://${GITLAB_TOKEN_NAME}:${GITLAB_TOKEN}@${GITLAB_HOST}/${GITLAB_REPO}"
      git clone ${GITLAB_REPO_URL}
      cd packages_versions
      git checkout -b ${PR_BRANCH}
      git config --local user.name 'project_808_bot'
      git config --local user.email 'project808_bot@noreply.${GITLAB_HOST}'
      cd packages_versions
      COMPONENT_NAME=wallarm-nginx-docker
      jq '.body."'"$COMPONENT_NAME"'" += ["'"$COMPONENT_VERSION"'"]' latest.json > latest.new.json
      VERSIONS=$(jq '.body."'"$COMPONENT_NAME"'" | sort_by( split("[^0-9]+") | map(tonumber? // 0) )' latest.new.json)
      jq --argjson versions "$VERSIONS" '.body["'"$COMPONENT_NAME"'"] = $versions' latest.new.json > latest.json
      git add latest.json
      COMMIT_MESSAGE="Bump ${COMPONENT_NAME} version to ${COMPONENT_VERSION}"
      git commit -m "${COMMIT_MESSAGE}"
      git push ${GITLAB_REPO_URL} ${PR_BRANCH}
      glab auth login --hostname ${GITLAB_HOST} --token ${GITLAB_TOKEN}
      echo "Creating merge request ..."
      glab mr create \
        --fill \
        --yes \
        --label meganode \
        --source-branch ${PR_BRANCH} \
        --repo https://${GITLAB_HOST}/${GITLAB_REPO}
      echo "Approving merge request ..."
      glab mr approve \
        ${PR_BRANCH} \
        --repo https://${GITLAB_HOST}/${GITLAB_REPO}
      # Sometimes merging is failed without delay
      echo "Sleep ..."
      sleep 20
      echo "Merging ..."
      glab mr merge \
        ${PR_BRANCH} \
        --yes \
        --remove-source-branch \
        --when-pipeline-succeeds=false \
        --repo https://${GITLAB_HOST}/${GITLAB_REPO}