.gitlab-ci.yml

---

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI_COMMIT_BRANCH
    - if: $CI_COMMIT_REF_PROTECTED == "true"

stages:
  - test
  - build
  - release

variables:
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: /certs
  VERSION: 0.2.0
  CONTAINER_OPERATOR: ${CI_REGISTRY}/slurm-operator:${VERSION}
  CONTAINER_WEBHOOK: ${CI_REGISTRY}/slurm-operator-webhook:${VERSION}
  CI_JOB_USER: gitlab-ci-token

.docker:
  image: docker:27.5.0
  services:
    - docker:27.5.0-rc.1-dind
  before_script:
    - set -euo pipefail
    - docker info
    - echo "$CI_REGISTRY_PASSWORD" | docker login $CI_REGISTRY -u $CI_REGISTRY_USER --password-stdin
    - apk update && apk upgrade
    - apk add --no-cache git go helm
    - export PATH=$PATH:$HOME/go/bin/
    - go env -w GOPRIVATE=github.com/SlinkyProject/*

test:
  stage: test
  extends: .docker
  script:
    - set -euo pipefail
    - apk update && apk upgrade
    - apk add --no-cache go make bash shellcheck shfmt pre-commit
    - go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
    - go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest
    - go install golang.org/x/vuln/cmd/govulncheck@latest
    - pre-commit run --verbose --all-files --show-diff-on-failure
  coverage: /total:\s+\(statements\)\s+\d+.\d+%/
  artifacts:
    expire_in: 7 days
    paths:
      - cover.html
      - govulnreport.txt

include:
  - template: Jobs/Secret-Detection.gitlab-ci.yml
secret_detection:
  stage: test
  allow_failure: false
  artifacts:
    when: on_failure
    expire_in: 7 days
    paths:
      - gl-secret-detection-report.json

build:
  stage: build
  extends: .docker
  script:
    - set -euo pipefail
    - |
      for dockerfile in $(find ./build -name "Dockerfile" -type f); do
        kind="$(basename "$(dirname "$dockerfile")")"
        image="${CI_REGISTRY_IMAGE}/${kind}:${VERSION}"
        docker build --pull -t $image -f $dockerfile .
        docker push $image
      done
    - |
      for chart in $(find ./helm -name "Chart.yaml" -type f -exec dirname {} \;); do
        helm package --dependency-update ${chart};
      done
  rules:
    - if: $CI_COMMIT_REF_PROTECTED != "true"
      changes:
        - Dockerfile
        - ./**/*.go
        - go.mod
        - go.sum
        - helm/**/*

push:
  stage: build
  extends: .docker
  script:
    - set -euo pipefail
    - |
      for dockerfile in $(find ./build -name "Dockerfile" -type f); do
        kind="$(basename "$(dirname "$dockerfile")")"
        image="${CI_REGISTRY_IMAGE}/${kind}:${VERSION}"
        docker build -t $image -f $dockerfile .
        docker push $image
      done
    - helm plugin install https://github.com/chartmuseum/helm-push
    - helm repo add --username ${CI_JOB_USER} --password ${CI_JOB_TOKEN} ${CI_PROJECT_NAME} ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
    - helm repo update
    - |
      for chart in $(find ./helm -name "Chart.yaml" -type f -exec dirname {} \;); do
        export CHART_NAME=$(basename $chart);
        export CHART_VERSION=$(grep ^version ${chart}/Chart.yaml | awk '{print $2}');
        export CHART_ARTIFACT=${CHART_NAME}-${CHART_VERSION}.tgz;
        helm package --dependency-update ${chart};
        helm cm-push ./${CHART_ARTIFACT} ${CI_PROJECT_NAME};
      done
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      changes:
        - Dockerfile
        - ./**/*.go
        - go.mod
        - go.sum
        - helm/**/*

release-oci:
  stage: release
  extends: .docker
  script:
    - set -euo pipefail
    - |
      if [ -z $DOCKER_REGISTRY_PASSWORD ] || [ -z $DOCKER_REGISTRY ] || [ -z $DOCKER_REGISTRY_USER ]; then
        echo "Runner lacks login info. Either environment variables are not defined, or runner is on an unprotected branch/tag.";
        exit 1;
      fi
    - echo "$DOCKER_REGISTRY_PASSWORD" | docker login $DOCKER_REGISTRY -u $DOCKER_REGISTRY_USER --password-stdin
    - |
      for dockerfile in $(find ./build -name "Dockerfile" -type f); do
        kind="$(basename "$(dirname "$dockerfile")")"
        image="${kind}:${VERSION}"
        source_image="${CI_REGISTRY_IMAGE}/${image}"
        target_image="${DOCKER_REGISTRY}/${image}"
        docker pull ${source_image}
        docker tag ${source_image} ${target_image}
        docker push ${target_image}
      done
    - helm repo add --username ${CI_JOB_USER} --password ${CI_JOB_TOKEN} ${CI_PROJECT_NAME} ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
    - helm repo update
    - |
      for chart in $(find ./helm -name "Chart.yaml" -type f -exec dirname {} \;); do
        export CHART_NAME=$(basename $chart);
        export CHART_VERSION=$(grep ^version ${chart}/Chart.yaml | awk '{print $2}');
        export CHART_ARTIFACT=${CHART_NAME}-${CHART_VERSION}.tgz;
        helm pull ${CI_PROJECT_NAME}/${CHART_NAME};
        helm push ./${CHART_ARTIFACT} oci://${DOCKER_REGISTRY}/charts;
      done
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      when: manual

.git:
  image: alpine:latest
  before_script:
    - apk update && apk upgrade
    - apk add --no-cache git
    - git version
    - |
      if [ -z $CI_AUTH_TOKEN ]; then
        echo "Runner lacks auth token. Either environment variables are not defined, or runner is on an unprotected branch/tag.";
        exit 1;
      fi
    - git remote set-url origin ${CI_PROJECT_URL/gitlab.com/oauth2:${CI_AUTH_TOKEN}@gitlab.com}.git
    - git remote -v
    - |
      if [ -z "$(echo "$VERSION" | grep -Eo "^[0-9]+\.[0-9]+\.[0-9]+$")" ]; then
        echo "VERSION is not semver: `$VERSION`"
        exit 1
      fi

release-tag:
  stage: release
  extends: .git
  script:
    - set -euo pipefail
    - tag_version="v${VERSION}"
    - echo "tag_version=${tag_version}"
    - git tag ${tag_version}
    - git push origin ${tag_version}
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      when: manual

release-branch:
  stage: release
  extends: .git
  script:
    - set -euo pipefail
    - major_minor="$(echo ${VERSION} | grep -Eo "^[0-9]+\.[0-9]+")"
    - branch_name="release-${major_minor}"
    - echo "branch_name=${branch_name}"
    - git branch ${branch_name}
    - git push --set-upstream origin ${branch_name}
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: manual