.gitlab-ci.yml

# Change pip's cache directory to be inside the project directory since we can
# only cache local items.
variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  PYTHON_VERSION: "3-alpine"
  PACKAGE_NAME: ProdManager
  SCAN_KUBERNETES_MANIFESTS: "true"
  SAST_EXCLUDED_PATHS: "tests, venv, ProdManager/static/external"
  SECRET_DETECTION_EXCLUDED_PATHS: "venv"
  DOCKER_DRIVER: overlay2

default:
  interruptible: true

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_REF_PROTECTED == "true"
    - if: '$CI_COMMIT_TAG'

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml
  - template: DAST.gitlab-ci.yml
  - template: DAST-API.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Verify/Browser-Performance.gitlab-ci.yml

# Pip's cache doesn't store the python packages
# https://pip.pypa.io/en/stable/topics/caching/
#
# If you want to also cache the installed packages, you have to install
# them in a virtualenv and cache it as well.
.python_cache: &python_cache
  key: ${CI_COMMIT_REF_SLUG}-python
  paths:
    - .cache/pip
    - venv/

.node_cache: &node_cache
  key: ${CI_COMMIT_REF_SLUG}-node
  paths:
    - .npm/

stages:
  - test
  - build
  - validate
  - deploy


.python-tests:
  stage: test
  image: python:$PYTHON_VERSION
  cache:
    <<: *python_cache
  before_script:
    - apk add build-base
    - python --version  # For debugging
    - python -m venv venv
    - source venv/bin/activate
    - pip install --upgrade -r requirements.txt -r requirements.dev.txt

test:
  extends: .python-tests
  rules:
    - if: ! $CI_COMMIT_REF_PROTECTED
      allow_failure: true
  services:
    - redis:latest
  variables:
    TEST_REDIS_HOSTNAME: redis
    TEST_REDIS_PORT: 6379
  script:
    - flask db upgrade
    - >
      PYTHONPATH=.
      python3 ProdManager/demo/init.py
    - >
      python3 -m pytest
      -v
      -n 4
      --cov=${PACKAGE_NAME}
      --junitxml=result.xml
      --html=report.html
      tests/${PACKAGE_NAME}/
    - coverage html
    - coverage xml
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  artifacts:
    when: always
    paths:
      - coverage.xml
      - result.xml
      - htmlcov
      - report.html
      - assets
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
      junit: result.xml

lint:
  extends: .python-tests
  rules:
    - if: ! $CI_COMMIT_REF_PROTECTED
      allow_failure: true
  script:
    - >
      pylint
      ${PACKAGE_NAME}/*
      | tee pylint-report.txt
  artifacts:
    when: always
    paths:
      - pylint-report.txt

.image-tag: &image-tag |
  if [[ ! -z "$CI_COMMIT_TAG" ]]; then
    export tag="$CI_COMMIT_TAG"
  elif [[ "$CI_COMMIT_BRANCH" == "$CI_DEFAULT_BRANCH" ]]; then
    export tag="latest"
  else
    export tag="$CI_COMMIT_REF_SLUG"
  fi

image-build:
  stage: build
  image: docker:latest
  services:
    - docker:dind
  variables:
    DOCKER_BUILDKIT: 1
  before_script:
    - >
      docker login
      -u "$CI_REGISTRY_USER"
      -p "$CI_REGISTRY_PASSWORD"
      $CI_REGISTRY
    - *image-tag
  # Default branch leaves tag empty (= latest tag)
  # All other branches are tagged with the escaped branch name (commit ref slug)
  script:
    - >
      docker image build
      --pull
      --tag "$CI_REGISTRY_IMAGE:${tag}"
      --file="docker/Dockerfile"
      .
    - docker image push "$CI_REGISTRY_IMAGE:${tag}"
    - docker tag "$CI_REGISTRY_IMAGE:${tag}" "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
    - docker image push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"

build_doc:
  stage: build
  extends: .python-tests
  needs: []
  script:
    - apk add -u git
    - mkdocs build --verbose 
  artifacts:
    paths:
      - site/

version_check:
  stage: validate
  extends: .python-tests
  stage: validate
  cache:
    <<: *python_cache
  needs: []
  script:
    - PYTHONPATH=. python3 tests/version.py
  only:
    - tags

container_scanning:
  stage: validate
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    GIT_STRATEGY: fetch
    CS_DOCKERFILE_PATH: docker/Dockerfile
    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: 'false'

.database_upgrade:
  extends: .python-tests
  stage: validate
  cache:
    <<: *python_cache
  needs: []
  script:
    - flask db upgrade
    - PYTHONPATH=. python3 ProdManager/demo/init.py

database_upgrade_postgresql:
  extends: .database_upgrade
  services:
    - postgres:latest
  variables:
    POSTGRES_DB: prodmanager
    POSTGRES_USER: prodmanager
    POSTGRES_PASSWORD: changeit
    POSTGRES_HOST_AUTH_METHOD: trust
    PM_DATABASE_URI: postgresql://prodmanager:changeit@postgres/prodmanager

database_upgrade_sqlite:
  extends: .database_upgrade

openapi_specs:
  stage: validate
  needs: []
  image: node:latest
  cache:
    <<: *node_cache
  before_script:
    - npm install -g @apidevtools/swagger-cli
  script:
    - >
      swagger-cli validate
      --debug
      ProdManager/static/meta/openapi.yaml

container_runtime:
  stage: validate
  image: alpine:latest
  services:
    - name: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
      alias: prod-manager
      variables:
        PM_DEMO: "true"
        PM_DISABLE_HELLO: "true"
  before_script:
    - >
      apk add
      --update
      curl
  script:
    - >
      curl -s
      http://prod-manager:8080/health
    - >
      curl -s
      http://prod-manager:8080/
      | (! grep -q "Internal error")

kubernetes_manifests:
  stage: validate
  image:
    name: garethr/kubeval:latest
    entrypoint: ["/bin/sh", "-l", "-c"]
  needs: []
  parallel:
    matrix:
      - KUBE_VERSION: "1.24.9"
      - KUBE_VERSION: "1.25.8"
      - KUBE_VERSION: "1.26.3"
  variables:
    KUBEVAL_SCHEMA_LOCATION: "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master"
  before_script:
    - kubeval --version
  script:
    - >
      kubeval
      --force-color
      --strict
      --kubernetes-version $KUBE_VERSION
      deploy/kubernetes/*.yml

.dast:
  dependencies:
    - openapi_specs
  variables:
    DAST_SPIDER_MINS: 5
  services:
    - name: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
      alias: prod-manager
      variables:
        PM_DEMO: "true"
        PM_DISABLE_HELLO: "true"

dast:
  stage: validate
  extends: .dast
  variables:
    DAST_PATHS_FILE: url_file.txt
    DAST_BROWSER_SCAN: "true"
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_WEBSITE: http://prod-manager:8080
    DAST_AUTH_URL: http://prod-manager:8080/login
    DAST_AUTH_VERIFICATION_SELECTOR: "id:logout"
    DAST_AUTH_REPORT: "true"
    DAST_USERNAME: it
    DAST_USERNAME_FIELD: secret
    DAST_PASSWORD: change
    DAST_PASSWORD_FIELD: secret
  before_script:
    - |
      cat << EOF > $DAST_PATHS_FILE
      /
      /scope
      /service
      /monitor
      /incident
      /maintenance
      /announcement
      /about
      /login
      EOF
  artifacts:
    paths: [gl-dast-debug-auth-report.html]
    when: always

dast_api:
  stage: validate
  extends: .dast
  variables:
    DAST_DEBUG: "true"
    DAST_API_PROFILE: Quick
    DAST_API_OPENAPI: ProdManager/static/meta/openapi.yaml
    DAST_API_TARGET_URL: http://prod-manager:8080
    DAST_API_OVERRIDES_FILE: .gitlab/ci_api_overrides.json

upload_image:
  stage: deploy
  image:
    name: quay.io/skopeo/stable:latest
    entrypoint: ["/bin/bash", "-l", "-c"]
  only:
    - develop
    - tags
  before_script:
    - >
      skopeo login
      --username "$CI_REGISTRY_USER"
      --password "$CI_REGISTRY_PASSWORD"
      $CI_REGISTRY
    - >
      skopeo login
      --username "$SCW_ACCESS_KEY"
      --password "$SCW_SECRET_KEY"
      $CONTAINER_REGISTRY
    - *image-tag
  script:
    - >
      skopeo copy
      "docker://$CI_REGISTRY_IMAGE:${tag}"
      docker://$CONTAINER_REGISTRY/prod-manager:${tag}

.deploy:
  stage: deploy
  image:
    name: scaleway/cli:latest
    entrypoint: ["/bin/bash", "-l", "-c"]
  timeout: 5 minutes
  needs:
    - upload_image
  before_script:
    - >
      apk add
      --update
      jq
    - *image-tag
    - mkdir -p $HOME/.config/scw
    - touch $HOME/.config/scw/config.yaml
  script:
    - >
      /scw container
      container update
      $SCW_CONTAINER_ID
      registry-image=$CONTAINER_REGISTRY/prod-manager:${tag}
      | grep -E '^(Name|Status|RegistryImage|Region)\s'
    - >
      /scw container
      container deploy
      $SCW_CONTAINER_ID
      | grep -E '^(Name|Status|RegistryImage|Region)\s'
    - |
      while [ $(/scw container container get $SCW_CONTAINER_ID -o json | jq -r '.status') = "pending" ]; do
        echo "Waiting for the container to deploy"
        sleep 5
      done
    - test $(/scw container container get $SCW_CONTAINER_ID -o json | jq -r '.status') = "ready"

deploy_develop:
  extends: .deploy
  environment:
    name: develop
    action: start
  only:
    - develop

deploy_demo:
  extends: .deploy
  environment:
    name: demo
    action: start
  only:
    - tags

deploy_sandbox:
  extends: .deploy
  environment:
    name: sandbox
    action: start
  only:
    - tags

browser_performance:
  stage: deploy
  variables:
    URL: $CI_ENVIRONMENT_URL
    SITESPEED_OPTIONS: "-d 2"
  only: []

browser_performance_develop:
  extends: browser_performance
  needs:
    - deploy_develop
  environment:
    name: develop
    action: verify
  only:
    - develop

browser_performance_demo:
  extends: browser_performance
  needs:
    - deploy_demo
  environment:
    name: demo
    action: verify
  only:
    - tags

browser_performance_sandbox:
  extends: browser_performance
  needs:
    - deploy_sandbox
  environment:
    name: sandbox
    action: verify
  only:
    - tags

pages:
  stage: deploy
  image: busybox
  dependencies:
    - build_doc
  environment:
    name: doc
    action: start
    url: https://prod-manager.tiwabbit.fr
  only:
    - tags
  script:
    - mv site/ public/
  artifacts:
    paths:
      - public/