.gitlab-ci.yml

# SPDX-FileCopyrightText: 2022 Georg-August-Universität Göttingen
#
# SPDX-License-Identifier: CC0-1.0

---
workflow:
  rules:
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG

stages:
  - test
  - release
  - build
  - deploy

variables:
  harbor_registry: "harbor.gwdg.de"
  harbor_repo: "sub-fe"
  project_name: "repdav"

lint dockerfile:
  stage: test
  image: hadolint/hadolint:latest-debian
  before_script:
    - mkdir -p reports
  script:
    - hadolint --format gitlab_codeclimate Dockerfile > reports/hadolint-$(md5sum Dockerfile | cut -d" " -f1).json
  artifacts:
    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
    when: always
    reports:
      codequality:
        - "reports/*"
    paths:
      - "reports/*"
  rules:
    - if: $CI_MERGE_REQUEST_IID
      changes:
        - Dockerfile

release:
  stage: release
  image: docker.io/node:18.12
  before_script:
    - npm ci --unsafe-perm
  script:
    - npx semantic-release
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

build container image:
  stage: build
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint: [""]
  script:
    # always succeed and don't print error message
    - tag=$(git tag --contains $CI_COMMIT_SHORT_SHA 2>&1) || true
    # use tag for version if not empty; else commit sha
    - "[[ -n $tag ]] && export version=$tag || export version=$CI_COMMIT_SHORT_SHA"
    - mkdir -p /kaniko/.docker
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"auth\":\"$(echo -n ${CI_REGISTRY_USER}:${CI_REGISTRY_PASSWORD} | base64 | tr -d '\n')\"},\"$harbor_registry\":{\"auth\":\"$HARBOR_ROBOT_TOKEN64\"}}}" > /kaniko/.docker/config.json
    - /kaniko/executor
      --context $CI_PROJECT_DIR
      --dockerfile $CI_PROJECT_DIR/Dockerfile
      --build-arg build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
      --build-arg vcs_ref=${CI_COMMIT_SHORT_SHA}
      --build-arg version=${version}
      --destination $CI_REGISTRY_IMAGE/$project_name:$version
      --destination $harbor_registry/$harbor_repo/$project_name:$version
  rules:
    # prevent job creation on release commits to $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_COMMIT_MESSAGE =~ /^chore\(release\):/
      when: never
    - if: $CI_MERGE_REQUEST_IID
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_COMMIT_TAG

generate app sbom:
  stage: deploy
  image: docker.io/node:18.12
  before_script:
    - npm ci --ignore-scripts
    - npm run build
  script:
    - npx cdxgen
      --type nodejs
      --required-only
      --server-url https://deps.sub.uni-goettingen.de
      --api-key ${DEPS_UPLOAD_TOKEN}
      --project-name ${project_name}
      --project-version ${CI_COMMIT_TAG}
  rules:
    - if: $CI_COMMIT_TAG

generate container sbom:
  stage: deploy
  image: docker.io/alpine:3.16
  before_script:
    - apk add curl
    - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
  script:
    - syft --output cyclonedx-json --file bom.json
      $CI_REGISTRY_IMAGE/${project_name}:${CI_COMMIT_TAG}
    - 'curl -X POST "https://deps.sub.uni-goettingen.de/api/v1/bom"
      --header "accept: application/json"
      --header "X-Api-Key: ${DEPS_UPLOAD_TOKEN}"
      --header "Content-Type: multipart/form-data"
      --form "autoCreate=true"
      --form "projectName=${project_name}-container"
      --form "projectVersion=${CI_COMMIT_TAG}"
      --form "bom=@bom.json"'
  rules:
    - if: $CI_COMMIT_TAG