.gitlab-ci.yml

stages:
  - test
  - build
  - analyze

image: $CI_REGISTRY/alphabill/gitlab-ci-image:main

.go-dependency:
  before_script:
    # Configure go caching
    - mkdir -p .go

    # Configure SSH agent
    - eval "$(ssh-agent -s)"
    - chmod 600 ${ALPHABILL_PRIVATE_KEY}
    - ssh-add ${ALPHABILL_PRIVATE_KEY}

    # Add SSH keys
    - ssh-keyscan ${CI_SERVER_SHELL_SSH_HOST} > ci/known_hosts
    - mkdir -p ~/.ssh
    - chmod 600 ~/.ssh
    - cp ci/known_hosts ~/.ssh/known_hosts

    # Configure SSH mirror repository
    - printf "[url \"ssh://git@${CI_SERVER_SHELL_SSH_HOST}/${CI_PROJECT_NAMESPACE}/\"]\n    insteadOf = https://github.com/alphabill-org/\n" > ci/.gitconfig
    - cp ci/.gitconfig ~/.gitconfig

.go-cache:
  variables:
    GOPATH: "$CI_PROJECT_DIR/.go:/root/go"
  before_script:
    - mkdir -p .go
  cache:
    key:
      files:
        - go.sum
    paths:
      - .go/pkg/mod/

vet:
  stage: test
  extends:
    - .go-cache
    - .go-dependency
  needs: []
  script:
    - go vet ./...

test:
  stage: test
  extends:
    - .go-cache
    - .go-dependency
  needs:
    # tests are expensive compared to vet so do not start tests unless vet job succeeded
    - vet
  script:
    - gotestsum --junitfile report.xml --format standard-quiet -- ./... -race -count=1 -parallel=1 -coverprofile test-coverage.out
    - go tool cover -func test-coverage.out
    - gocover-cobertura < test-coverage.out > test-coverage-cobertura.xml
  coverage: '/\(statements\)(?:\s+)?(\d+(?:\.\d+)?%)/'
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: test-coverage-cobertura.xml
      junit: report.xml
    paths:
      - test-coverage.out
    when: always

build-docker:
  stage: build
  extends: .go-dependency
  image: docker:latest
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  script:
    - docker login -u ${CI_REGISTRY_USER} -p ${CI_REGISTRY_PASSWORD} ${CI_REGISTRY}
    - docker build --ssh default --push --tag ${IMAGE_TAG} --file cli/alphabill/Dockerfile .
  needs: []

build:
  stage: build
  extends:
    - .go-cache
    - .go-dependency
  script:
    - make build
  artifacts:
    paths:
      - build
  needs: []

gosec:
  stage: analyze
  script:
    - make gosec
  artifacts:
    paths:
      - gosec_report.json
  needs: []

sonarqube-check:
  stage: analyze
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
    GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script: >
    if [ "$CI_OPEN_MERGE_REQUESTS" == "" ]; then
      # Merge request not available, running Sonar without it.
      sonar-scanner
    else
      # Place the CI_OPEN_MERGE_REQUESTS in between single quotes, because ! is special character for bash.
      QUOTED_CI_OPEN_MERGE_REQUESTS="'${CI_OPEN_MERGE_REQUESTS}'"

      # Takes part between last ! and ' character. Job rules makes sure that $CI_OPEN_MERGE_REQUESTS is not empty.
      MERGE_REQUEST_ID=`echo ${QUOTED_CI_OPEN_MERGE_REQUESTS} | rev | cut -d'!' -f1 | cut -d"'" -f2 | rev`

      sonar-scanner -Dsonar.pullrequest.key=${MERGE_REQUEST_ID} -Dsonar.pullrequest.branch=${CI_COMMIT_BRANCH} -Dsonar.pullrequest.base=${CI_DEFAULT_BRANCH}
    fi
  allow_failure: true
  needs: ["gosec", "test"]

trivy:
  stage: analyze
  script:
    # build report
    - trivy --cache-dir .trivycache/ fs --exit-code 0 --no-progress --format template --template "@/html.tpl" -o trivy-report.html .
    # print report
    - trivy --cache-dir .trivycache/ fs --exit-code 1 --no-progress --severity "HIGH,CRITICAL" .
  cache:
    paths:
      - .trivycache/
  artifacts:
    paths:
      - trivy-report.html
    when: always
  needs: []

nancy:
  stage: analyze
  extends:
    - .go-cache
    - .go-dependency
  when: manual
  script:
    - go list -json -m all | nancy sleuth
  needs: []