.gitlab-ci.yml

include:
  - template: Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
  - template: Jobs/Container-Scanning.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml

cache:
  key: one-key-to-rule-them-all

variables:
  DOCKER_BUILDX_PLATFORM: "linux/amd64,linux/arm64"

build:docker:
  image: docker:dind
  interruptible: true
  stage: build
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - Dockerfile
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  tags: [ docker ]
  before_script:
    - docker buildx inspect
    - docker buildx create --use
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH/$CI_COMMIT_REF_NAME:$CI_COMMIT_SHA
    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE --push .
    - docker buildx imagetools inspect $IMAGE
    - echo "CS_IMAGE=$IMAGE" > container_scanning.env
  artifacts:
    reports:
      dotenv: container_scanning.env

build:apt:
  image: debian:bookworm-slim
  interruptible: true
  stage: build
  rules:
    - if: $CI_COMMIT_TAG
      variables:
        VERSION: $CI_COMMIT_REF_NAME
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - .DEBIAN/**/*
        - .gitlab-ci.yml
      variables:
        VERSION: "0.0.1"
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      variables:
        VERSION: "0.0.1"
  before_script:
    - echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > version.env
    # install build dependencies
    - apt-get update -qq && apt-get install -qq -y build-essential
    # create build directory for .deb sources
    - mkdir build
    # copy install instructions
    - cp -r .DEBIAN build/DEBIAN
    - chmod -R 0775 build/DEBIAN
    # copy app into "/usr/share/fastapi-dls" as "/usr/share/fastapi-dls/app" & copy README.md and version.env
    - mkdir -p build/usr/share/fastapi-dls
    - cp -r app build/usr/share/fastapi-dls
    - cp README.md version.env build/usr/share/fastapi-dls
    # create conf file
    - mkdir -p build/etc/fastapi-dls
    - cp .DEBIAN/env.default build/etc/fastapi-dls/env
    # create service file
    - mkdir -p build/etc/systemd/system
    - cp .DEBIAN/fastapi-dls.service build/etc/systemd/system/fastapi-dls.service
    # cd into "build/"
    - cd build/
  script:
    # set version based on value in "$CI_COMMIT_REF_NAME"
    - sed -i -E 's/(Version\:\s)0.0/\1'"$VERSION"'/g' DEBIAN/control
    # build
    - dpkg -b . build.deb
    - dpkg -I build.deb
  artifacts:
    expire_in: 1 week
    paths:
      - build/build.deb

build:pacman:
  image: archlinux:base-devel
  interruptible: true
  stage: build
  rules:
    - if: $CI_COMMIT_TAG
      variables:
        VERSION: $CI_COMMIT_REF_NAME
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - .PKGBUILD/**/*
        - .gitlab-ci.yml
      variables:
        VERSION: "0.0.1"
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
      variables:
        VERSION: "0.0.1"
  before_script:
    #- echo -e "VERSION=$VERSION\nCOMMIT=$CI_COMMIT_SHA" > version.env
    # install build dependencies
    - pacman -Syu --noconfirm git
    # create a build-user because "makepkg" don't like root user
    - useradd --no-create-home --shell=/bin/false build && usermod -L build
    - 'echo "build ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'
    - 'echo "root ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers'
    - chown -R build:build .
    # move .PKGBUILD contents to root directory
    - mv .PKGBUILD/* .
  script:
    - pwd
    # download dependencies
    - source PKGBUILD && pacman -Syu --noconfirm --needed --asdeps "${makedepends[@]}" "${depends[@]}"
    # build
    - sudo --preserve-env -u build makepkg -s
  artifacts:
    expire_in: 1 week
    paths:
      - "*.pkg.tar.zst"

test:
  image: python:3.11-slim-bullseye
  stage: test
  rules:
    - if: $CI_COMMIT_BRANCH
    - if: $CI_COMMIT_TAG
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  variables:
    DATABASE: sqlite:///../app/db.sqlite
  before_script:
    - pip install -r requirements.txt
    - pip install pytest httpx
    - mkdir -p app/cert
    - openssl genrsa -out app/cert/instance.private.pem 2048
    - openssl rsa -in app/cert/instance.private.pem -outform PEM -pubout -out app/cert/instance.public.pem
    - cd test
  script:
    - python -m pytest main.py --junitxml=report.xml
  artifacts:
    reports:
      dotenv: version.env
      junit: ['**/report.xml']

.test:linux:
  stage: test
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - .DEBIAN/**/*
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  needs:
    - job: build:apt
      artifacts: true
  variables:
    DEBIAN_FRONTEND: noninteractive
  before_script:
    - apt-get update -qq && apt-get install -qq -y jq curl
  script:
    # test installation
    - apt-get install -q -y ./build/build.deb --fix-missing
    - openssl req -x509 -newkey rsa:2048 -nodes -out /etc/fastapi-dls/webserver.crt -keyout /etc/fastapi-dls/webserver.key -days 7 -subj "/C=DE/O=GitLab-CI/OU=Test/CN=localhost"
    # copy example config from GitLab-CI-Variables
    #- cat ${EXAMPLE_CONFIG} > /etc/fastapi-dls/env
    # start service in background
    - cd /usr/share/fastapi-dls/app
    - uvicorn main:app
      --host 127.0.0.1 --port 443
      --app-dir /usr/share/fastapi-dls/app
      --ssl-keyfile /etc/fastapi-dls/webserver.key
      --ssl-certfile /etc/fastapi-dls/webserver.crt
      --proxy-headers &
    - FASTAPI_DLS_PID=$!
    - echo "Started service with pid $FASTAPI_DLS_PID"
    - cat /etc/fastapi-dls/env
    # testing service
    - if [ "`curl --insecure -s https://127.0.0.1/-/health | jq .status`" != "up" ]; then echo "Success"; else "Error"; fi
    # cleanup
    - kill $FASTAPI_DLS_PID
    - apt-get purge -qq -y fastapi-dls
    - apt-get autoremove -qq -y && apt-get clean -qq

test:debian:
  extends: .test:linux
  image: debian:bookworm-slim

test:ubuntu:
  extends: .test:linux
  image: ubuntu:23.04

test:archlinux:
  image: archlinux:base
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      changes:
        - app/**/*
        - .PKGBUILD/**/*
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  needs:
    - job: build:pacman
      artifacts: true
  script:
    - pacman -Sy
    - pacman -U --noconfirm *.pkg.tar.zst

code_quality:
  rules:
    - if: $CODE_QUALITY_DISABLED
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

secret_detection:
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  before_script:
    - git config --global --add safe.directory $CI_PROJECT_DIR

semgrep-sast:
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

test_coverage:
  extends: test
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
  script:
    - pip install pytest pytest-cov
    - coverage run -m pytest main.py
    - coverage report
    - coverage xml
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: '**/coverage.xml'

container_scanning:
  dependencies: [ build:docker ]
  rules:
    - if: $CONTAINER_SCANNING_DISABLED
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

gemnasium-python-dependency_scanning:
  rules:
    - if: $DEPENDENCY_SCANNING_DISABLED
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

.deploy:
  rules:
    - if: $CI_COMMIT_TAG

deploy:docker:
  extends: .deploy
  image: docker:dind
  stage: deploy
  tags: [ docker ]
  before_script:
    - echo "Building docker image for commit $CI_COMMIT_SHA with version $CI_COMMIT_REF_NAME"
    - docker buildx inspect
    - docker buildx create --use
  script:
    - echo "========== GitLab-Registry =========="
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - IMAGE=$CI_REGISTRY/$CI_PROJECT_PATH
    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .
    - echo "========== Docker-Hub =========="
    - docker login -u $PUBLIC_REGISTRY_USER -p $PUBLIC_REGISTRY_TOKEN
    - IMAGE=$PUBLIC_REGISTRY_USER/$CI_PROJECT_NAME
    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:$CI_COMMIT_REF_NAME --push .
    - docker buildx build --progress=plain --platform $DOCKER_BUILDX_PLATFORM --build-arg VERSION=$CI_COMMIT_REF_NAME --build-arg COMMIT=$CI_COMMIT_SHA --tag $IMAGE:latest --push .

deploy:apt:
  # doc: https://git.collinwebdesigns.de/help/user/packages/debian_repository/index.md#install-a-package
  extends: .deploy
  image: debian:bookworm-slim
  stage: deploy
  needs:
    - job: build:apt
      artifacts: true
  before_script:
    - apt-get update -qq && apt-get install -qq -y curl lsb-release
    # create distribution initial
    - CODENAME=`lsb_release -cs`
    # create repo if not exists
    - 'if [ "`curl -s -o /dev/null -w "%{http_code}" --header "JOB-TOKEN: $CI_JOB_TOKEN" -s ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/debian_distributions/${CODENAME}/key.asc`" != "200" ]; then curl --request POST --header "JOB-TOKEN: $CI_JOB_TOKEN" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/debian_distributions?codename=${CODENAME}"; fi'
  script:
    # Naming format: <name>_<version>-<release>_<arch>.deb
    # Version is the version number of the app being packaged
    # Release number is the version number of the *packaging* itself.
    # The release number might increment if the package maintainer
    # updated the packaging, while the version number of the application
    # being packaged did not change.
    - BUILD_NAME=build/build.deb  # inherited by build-stage
    - PACKAGE_NAME=`dpkg -I ${BUILD_NAME} | grep "Package:" | awk '{ print $2 }'`
    - PACKAGE_VERSION=`dpkg -I ${BUILD_NAME} | grep "Version:" | awk '{ print $2 }'`
    - PACKAGE_ARCH=amd64
    #- EXPORT_NAME="${PACKAGE_NAME}_${PACKAGE_VERSION}-0_${PACKAGE_ARCH}.deb"
    - EXPORT_NAME="${PACKAGE_NAME}_${PACKAGE_VERSION}_${PACKAGE_ARCH}.deb"
    - mv ${BUILD_NAME} ${EXPORT_NAME}
    - 'echo "PACKAGE_NAME:    ${PACKAGE_NAME}"'
    - 'echo "PACKAGE_VERSION: ${PACKAGE_VERSION}"'
    - 'echo "PACKAGE_ARCH:    ${PACKAGE_ARCH}"'
    - 'echo "EXPORT_NAME:     ${EXPORT_NAME}"'
    # https://docs.gitlab.com/14.3/ee/user/packages/debian_repository/index.html
    - URL="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/debian/${EXPORT_NAME}"
    - 'echo "URL:             ${URL}"'
    #- 'curl --request PUT --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${EXPORT_NAME} ${URL}'
    # using generic-package-registry until debian-registry is GA
    # https://docs.gitlab.com/ee/user/packages/generic_packages/index.html#publish-a-generic-package-by-using-cicd
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${EXPORT_NAME} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PACKAGE_NAME}/${PACKAGE_VERSION}/${EXPORT_NAME}"'

deploy:pacman:
  extends: .deploy
  image: archlinux:base-devel
  stage: deploy
  needs:
    - job: build:pacman
      artifacts: true
  script:
    - source .PKGBUILD/PKGBUILD
    # fastapi-dls-1.0-1-any.pkg.tar.zst
    - BUILD_NAME=${pkgname}-${CI_COMMIT_REF_NAME}-${pkgrel}-any.pkg.tar.zst
    - PACKAGE_NAME=${pkgname}
    - PACKAGE_VERSION=${CI_COMMIT_REF_NAME}
    - PACKAGE_ARCH=any
    - EXPORT_NAME=${BUILD_NAME}
    - 'echo "PACKAGE_NAME:    ${PACKAGE_NAME}"'
    - 'echo "PACKAGE_VERSION: ${PACKAGE_VERSION}"'
    - 'echo "PACKAGE_ARCH:    ${PACKAGE_ARCH}"'
    - 'echo "EXPORT_NAME:     ${EXPORT_NAME}"'
    - 'curl --header "JOB-TOKEN: $CI_JOB_TOKEN" --upload-file ${EXPORT_NAME} "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${PACKAGE_NAME}/${PACKAGE_VERSION}/${EXPORT_NAME}"'

release:
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  stage: .post
  needs: [ test ]
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo "Running release-job for $CI_COMMIT_TAG"
  release:
    name: $CI_PROJECT_TITLE $CI_COMMIT_TAG
    description: Release of $CI_PROJECT_TITLE version $CI_COMMIT_TAG
    tag_name: $CI_COMMIT_TAG
    ref: $CI_COMMIT_SHA
    assets:
      links:
        - name: 'Package Registry'
          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/-/packages'
        - name: 'Container Registry'
          url: 'https://git.collinwebdesigns.de/oscar.krause/fastapi-dls/container_registry/40'