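---
stages:
  - build
  - test
  - deploy

# https://docs.gitlab.com/user/application_security/sast/
include:
  - template: Jobs/Dependency-Scanning.latest.gitlab-ci.yml
  - template: Jobs/Container-Scanning.latest.gitlab-ci.yml
  - template: Jobs/SAST.latest.gitlab-ci.yml
  - template: Jobs/Secret-Detection.latest.gitlab-ci.yml
  # https://docs.gitlab.com/user/application_security/dependency_scanning/experiment_libbehave_dependency/
  # Pinned to a release tag; bump it deliberately rather than tracking a branch.
  - component: $CI_SERVER_FQDN/TransFem-org/libbehave/libbehave@v0.2.4

# Shared trigger rules for the build, test and scan jobs.
.common: &common
  # "only" has been removed, so we use rules.
  # This runs in MR pipelines *or* push to develop/stable
  # NOTE(review): tag pushes do not match here, while .deploy_common below does
  # run on tags and build_image needs only get_image_tag. A tag pipeline therefore
  # publishes an image without lint/backend_tests/frontend_tests having run in
  # that same pipeline.
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_PIPELINE_SOURCE == 'push' && ($CI_COMMIT_BRANCH == 'develop' || $CI_COMMIT_BRANCH == 'stable')

# Cache node_modules and share build artifacts for the pipeline.
# This shares the same cache definition, but it's the only place that actually *pushes* to the cache.
# https://docs.gitlab.com/ci/caching/
# https://github.com/pnpm/pnpm/issues/1174#issuecomment-996719439
# https://github.com/pnpm/pnpm/issues/1174#issuecomment-1641267133
build: &build
  <<: *common
  stage: build
  image:
    # NOTE(review): a floating tag combined with pull_policy: if-not-present means
    # each runner keeps using whatever node:22 it pulled first. Pin a digest
    # (`docker.io/node:22@sha256:<digest>`) if builds must be reproducible.
    name: docker.io/node:22
    pull_policy: if-not-present
  variables:
    # Throwaway password for the postgres service that backend_tests attaches
    # (inherited via .test_common); CI only.
    POSTGRES_PASSWORD: 'ci'
    COREPACK_DEFAULT_TO_LATEST: '0'
  # Arm64 is recommended for CI
  tags:
    - arm64
  before_script:
    - apt-get update && apt-get install -y git wget curl build-essential python3 ffmpeg libcairo2-dev libpango1.0-dev libpangocairo-1.0
    - 'echo "clusterLimit: $(nproc)" >> .config/ci.yml'
    - cp .config/ci.yml .config/default.yml
    - cp .config/ci.yml .config/test.yml
    - corepack enable
    - corepack install
    - git submodule update --init
    - pnpm config set store-dir .pnpm-store
    # --frozen-lockfile refuses to install anything not already resolved in pnpm-lock.yaml.
    - pnpm install --frozen-lockfile
  script:
    - pnpm run build
  cache:
    # Dependency cache, keyed on the lockfile so a lockfile change invalidates it.
    - &cache-pnpm
      key:
        files:
          - pnpm-lock.yaml
      paths:
        - .pnpm-store/
        - node_modules/
        - packages/backend/node_modules/
        - packages/frontend/node_modules/
        - packages/frontend-embed/node_modules/
        - packages/frontend-shared/node_modules/
        - packages/megalodon/node_modules/
        - packages/misskey-bubble-game/node_modules/
        - packages/misskey-js/node_modules/
        - packages/misskey-js/generator/node_modules/
        - packages/misskey-reversi/node_modules/
        - packages/sw/node_modules/
        # Not sure if this really works
        - '**/node_modules/'
      policy: pull-push
      when: on_success
    # Build output, keyed per branch/tag so test jobs can reuse it.
    - &cache-build
      key: "$CI_COMMIT_REF_SLUG"
      paths:
        - built/
        - packages/backend/built/
        - packages/backend/test_federation/built/
        - packages/megalodon/lib/
        - packages/misskey-bubble-game/built/
        - packages/misskey-js/built/
        - packages/misskey-reversi/built/
      policy: pull-push
      when: on_success

# Test jobs reuse build's image, before_script and cache definitions but only
# *pull* the caches; each job supplies its own script.
.test_common: &test_common
  # build already merges .common, so a single merge key carries both; this
  # avoids repeating the `<<` key in one mapping.
  <<: *build
  stage: test
  script: []
  cache:
    - <<: *cache-pnpm
      policy: pull
    - <<: *cache-build
      policy: pull

lint:
  <<: *test_common
  script:
    - pnpm run build
    - pnpm run eslint

backend_tests:
  <<: *test_common
  services:
    - postgres:15
    - redis
  script:
    # Literal block: the newlines are kept, so the trailing `\` is a plain shell
    # line continuation and no stray `\ ` tokens reach pnpm.
    - |-
      pnpm run build \
        --filter=backend \
        --filter=megalodon \
        --filter=misskey-js
    - pnpm run migrate
    - pnpm run test --filter=backend

frontend_tests:
  <<: *test_common
  script:
    # Filter names must match package names exactly; `megalodon` matches the
    # package used by backend_tests and the cache paths above.
    - |-
      pnpm run build \
        --filter=frontend \
        --filter=frontend-embed \
        --filter=frontend-shared \
        --filter=megalodon \
        --filter=misskey-js
    - pnpm run test --filter=frontend --filter=misskey-js

.deploy_common: &deploy_common
  stage: deploy
  # Only run when pushing to stable, develop, or tags
  rules:
    - if: $CI_PIPELINE_SOURCE != 'push'
      when: never
    - if: $CI_COMMIT_BRANCH == 'develop'
    - if: $CI_COMMIT_BRANCH == 'stable'
    - if: $CI_COMMIT_TAG

# Derives the registry tag and the package version for this pipeline and exports
# them as dotenv variables (REGISTRY_PUSH_TAG, REGISTRY_PUSH_VERSION) for the
# image jobs below.
get_image_tag:
  <<: *deploy_common
  image:
    # NOTE(review): unpinned `latest`; see the note on build's image.
    name: docker.io/alpine:latest
    pull_policy: if-not-present
  script:
    - apk add jq
    # POSIX `=` rather than the bash-style `==`: alpine's /bin/sh is busybox ash.
    - |
      if test -n "$CI_COMMIT_TAG"; then
        tag="$CI_COMMIT_TAG"
      elif test "$CI_COMMIT_BRANCH" = "stable"; then
        tag="latest"
      elif test "$CI_COMMIT_BRANCH" = "develop"; then
        tag="develop"
      else
        # Not reachable under .deploy_common's rules; kept as a fallback.
        tag="$CI_COMMIT_BRANCH"
      fi
      version=$(jq -r '.version' package.json)
      # A missing version would otherwise produce an image tag like ":null-amd64".
      if test -z "$version" || test "$version" = "null"; then
        echo "package.json has no .version" >&2
        exit 1
      fi
    - echo "REGISTRY_PUSH_TAG=$tag" >> build.env
    - echo "REGISTRY_PUSH_VERSION=$version" >> build.env
  artifacts:
    reports:
      dotenv: build.env

# Builds one image per architecture with kaniko and pushes it as
# <image>:<version>-<arch>; merge_image_manifests combines the two afterwards.
build_image:
  <<: *deploy_common
  needs:
    - job: get_image_tag
      artifacts: true
  parallel:
    matrix:
      - ARCH: amd64
      - ARCH: arm64
  # Build natively on a runner of the matching architecture.
  tags:
    - ${ARCH}
  image:
    # NOTE(review): unpinned `:debug` tag; pin a digest for reproducible releases.
    name: gcr.io/kaniko-project/executor:debug
    pull_policy: if-not-present
    entrypoint: [""]
  script:
    - |-
      /kaniko/executor \
        --context "${CI_PROJECT_DIR}" \
        --dockerfile "${CI_PROJECT_DIR}/Dockerfile" \
        --single-snapshot \
        --destination "${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-${ARCH}"

# Publishes a multi-arch manifest list under both the version and the
# branch/tag-derived tag.
merge_image_manifests:
  <<: *deploy_common
  needs:
    - job: build_image
      artifacts: false
    - job: get_image_tag
      artifacts: true
  image:
    # NOTE(review): unpinned tag; pin a digest for reproducible releases.
    name: mplatform/manifest-tool:alpine
    pull_policy: if-not-present
    entrypoint: [""]
  script:
    # NOTE(review): CI_REGISTRY_PASSWORD is masked in the job log, but passing it
    # as a command-line argument still exposes it to anything that can read this
    # container's process list. manifest-tool can take credentials from a docker
    # config file instead (--docker-cfg) — confirm against the installed version.
    - |-
      manifest-tool \
        --username=${CI_REGISTRY_USER} \
        --password=${CI_REGISTRY_PASSWORD} \
        push from-args \
        --platforms linux/amd64,linux/arm64 \
        --tags ${REGISTRY_PUSH_VERSION} \
        --template ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_VERSION}-ARCH \
        --target ${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}

# Shared settings for the security scanners pulled in via `include` above.
.sast_common: &sast_common
  <<: *common
  stage: test
  # SAST tools only support x64
  tags:
    - amd64
  variables:
    # https://docs.gitlab.com/user/application_security/sast/gitlab_advanced_sast
    GITLAB_ADVANCED_SAST_ENABLED: 'true'
    # https://docs.gitlab.com/user/application_security/sast/#vulnerability-filters
    # https://stackoverflow.com/a/71111784
    SAST_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt'
    DS_EXCLUDED_PATHS: 'spec,test,test-d,test-federation,test-server,tests,tmp,cypress,coverage,node_modules,build,built,built-js,*.min.js,megalodon/lib,libopenmpt,packages/*/src'  # save time: skip source directories
    # https://docs.gitlab.com/user/application_security/dependency_scanning/migration_guide_to_sbom_based_scans/
    DS_ENFORCE_NEW_ANALYZER: 'true'
    DS_MAX_DEPTH: -1
    # https://docs.gitlab.com/user/application_security/dependency_scanning/static_reachability/
    # Quoted like the other flags so every variable is delivered as a string.
    DS_STATIC_REACHABILITY_ENABLED: 'true'
    # https://docs.gitlab.com/user/application_security/detect/security_configuration/#use-security-scanning-tools-with-merge-request-pipelines
    AST_ENABLE_MR_PIPELINES: 'true'

# https://docs.gitlab.com/user/application_security/container_scanning/#scanning-archives-built-in-a-previous-job
# https://docs.gitlab.com/user/application_security/detect/security_configuration/#error-chosen-stage-test-does-not-exist
# Scans the manifest pushed by merge_image_manifests. This runs *after* the push,
# so findings are reported but do not block publication of the tag.
container_scanning:
  # Sequence form of the merge key: the first alias wins on conflicting keys, so
  # .deploy_common's stage/rules take precedence over .sast_common's (tags and
  # variables still come from .sast_common), without repeating the `<<` key.
  <<: [*deploy_common, *sast_common]
  # `<<` is a shallow merge: this mapping *replaces* .sast_common's variables
  # rather than extending them. The DS_/SAST_ keys appear unused by container
  # scanning, so nothing is lost here; add them back explicitly if that changes.
  variables:
    AST_ENABLE_MR_PIPELINES: 'false'
    CS_IMAGE: '${CI_REGISTRY_IMAGE}:${REGISTRY_PUSH_TAG}'
  needs:
    - job: merge_image_manifests
      artifacts: true
    # REGISTRY_PUSH_TAG is a dotenv variable produced by get_image_tag. When
    # `needs` is used a job only receives dotenv variables from the jobs listed
    # here, and merge_image_manifests does not re-export them, so get_image_tag
    # must be listed for CS_IMAGE to resolve to a complete reference.
    - job: get_image_tag
      artifacts: true

dependency_scanning:
  <<: *sast_common

sast:
  <<: *sast_common

gitlab-advanced-sast:
  <<: *sast_common

secret_detection:
  <<: *sast_common

libbehave-experiment:
  <<: *sast_common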