.gitlab-ci.yml

stages:
  - Tests
  - Documentation
  - Release
  - Build Release
  - Other

variables:
  project_name: "$CI_PROJECT_NAME"
  SEMANTIC_RELEASE_PACKAGE: "$CI_PROJECT_NAME"
  SECURE_ANALYZERS_PREFIX: "registry.gitlab.com/gitlab-org/security-products/analyzers"
  SAST_EXCLUDED_ANALYZERS: ""
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  SCAN_KUBERNETES_MANIFESTS: "false"
  SECRETS_ANALYZER_VERSION: "3"
  SECRET_DETECTION_EXCLUDED_PATHS: ""

services:
  - name: griefed/gitlab-ci-cd:2.2.11
    alias: docker

workflow:
  rules:
    - if: '$CI_MERGE_REQUEST_EVENT_TYPE == "detached"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      when: never
    - when: always

sast:
  stage: Tests
  artifacts:
    reports:
      sast: gl-sast-report.json
  rules:
    - when: never
  variables:
    SEARCH_MAX_DEPTH: 4
  script:
    - echo "$CI_JOB_NAME is used for configuration only, and its script should not be executed"
    - exit 1

.sast-analyzer:
  extends: sast
  allow_failure: true
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  script:
    - /analyzer run

eslint-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/eslint:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /eslint/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.html'
        - '**/*.js'
        - '**/*.jsx'
        - '**/*.ts'
        - '**/*.tsx'

nodejs-scan-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/nodejs-scan:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /nodejs-scan/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/package.json'

semgrep-sast:
  extends: .sast-analyzer
  image:
    name: "$SAST_ANALYZER_IMAGE"
  variables:
    SAST_ANALYZER_IMAGE_TAG: 2
    SAST_ANALYZER_IMAGE: "$SECURE_ANALYZERS_PREFIX/semgrep:$SAST_ANALYZER_IMAGE_TAG"
  rules:
    - if: $SAST_DISABLED
      when: never
    - if: $SAST_EXCLUDED_ANALYZERS =~ /semgrep/
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.py'
        - '**/*.js'
        - '**/*.jsx'
        - '**/*.ts'
        - '**/*.tsx'
        - '**/*.c'
        - '**/*.go'

.secret-analyzer:
  stage: Tests
  image: "$SECURE_ANALYZERS_PREFIX/secrets:$SECRETS_ANALYZER_VERSION"
  services: []
  allow_failure: true
  # `rules` must be overridden explicitly by each child job
  # see https://gitlab.com/gitlab-org/gitlab/-/issues/218444
  artifacts:
    reports:
      secret_detection: gl-secret-detection-report.json

secret_detection:
  extends: .secret-analyzer
  rules:
    - if: $SECRET_DETECTION_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
  script:
    - if [ -n "$CI_COMMIT_TAG" ]; then echo "Skipping Secret Detection for tags. No code changes have occurred."; exit 0; fi
    - if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then echo "Running Secret Detection on default branch."; /analyzer run; exit 0; fi
    - git fetch origin $CI_DEFAULT_BRANCH $CI_COMMIT_REF_NAME
    - git log --left-right --cherry-pick --pretty=format:"%H" refs/remotes/origin/$CI_DEFAULT_BRANCH...refs/remotes/origin/$CI_COMMIT_REF_NAME > "$CI_COMMIT_SHA"_commit_list.txt
    - export SECRET_DETECTION_COMMITS_FILE="$CI_COMMIT_SHA"_commit_list.txt
    - /analyzer run
    - rm "$CI_COMMIT_SHA"_commit_list.txt

Gradle Test:
  image: griefed/baseimage-ubuntu-jdk-8:2.0.21
  stage: Tests
  before_script:
    - echo "**** Running in $CI_JOB_ID ****"
    - echo "**** Java location ****"
    - which java
    - echo "**** Java version ****"
    - java -version
    - echo "**** Allowing execution of gradlew ****"
    - chmod +x gradlew
  script:
    - echo "**** Building Project ****"
    - ./gradlew about installQuasar cleanFrontend assembleFrontend copyDist build --info --no-daemon
    - echo "**** Listing build directory ****"
    - LC_COLLATE=C ls -ahl --group-directories-first --color=auto build/jacoco/test
    - LC_COLLATE=C ls -ahl --group-directories-first --color=auto build/libs
    - echo "**** Retrieving test coverage ****"
    - cat build/jacoco/test/html/index.html | grep -o 'Total[^%]*%'
  coverage: '/Total.*?([0-9]{1,3})%/'

Docker Test:
  stage: Tests
  image: ghcr.io/griefed/gitlab-ci-cd:2.2.10
  before_script:
    - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
    - docker buildx create --use --name grfdbuilder
  script:
    - docker buildx build --no-cache --platform linux/amd64,linux/arm/v7,linux/arm64
      --build-arg BRANCH_OR_TAG=$CI_COMMIT_REF_NAME
      --build-arg HOSTER=$CI_SERVER_HOST
      --file Dockerfile .
  rules:
    - if: '$CI_SERVER_HOST == "git.griefed.de"' # Remove once GitLab no longer throws javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake

Gradle Dependency-Checks:
  image: griefed/baseimage-ubuntu-jdk-8:2.0.21
  stage: Other
  allow_failure: true
  before_script:
    - echo "**** Running in $CI_JOB_ID ****"
    - echo "**** Java location ****"
    - which java
    - echo "**** Java version ****"
    - java -version
    - echo "**** Allowing execution of gradlew ****"
    - chmod +x gradlew
  script:
    - echo "**** Checking for dependency updates ****"
    - ./gradlew dependencyUpdates --info
  artifacts:
    paths:
      - build/dependencyUpdates/report.txt
    expire_in: 1 week

Generate Release:
  stage: Release
  needs:
    - job: Gradle Test
      artifacts: false
    - job: Docker Test
      artifacts: false
    - job: eslint-sast
      artifacts: false
    - job: nodejs-scan-sast
      artifacts: false
    - job: semgrep-sast
      artifacts: false
    - job: secret_detection
      artifacts: false
  image: ghcr.io/griefed/gitlab-ci-cd:2.2.10
  script:
    - npx semantic-release
  rules:
    - if: '$CI_COMMIT_BRANCH == "alpha" && $CI_COMMIT_TITLE !~ /^RELEASE:.+$/ && $CI_SERVER_HOST == "git.griefed.de"'
    - if: '$CI_COMMIT_BRANCH == "beta" && $CI_COMMIT_TITLE !~ /^RELEASE:.+$/ && $CI_SERVER_HOST == "git.griefed.de"'
    - if: '$CI_COMMIT_BRANCH == "main" && $CI_COMMIT_TITLE !~ /^RELEASE:.+$/ && $CI_SERVER_HOST == "git.griefed.de"'

Build Release:
  image: griefed/baseimage-ubuntu-jdk-8:2.0.21
  stage: Build Release
  before_script:
    - echo "**** Running in $CI_JOB_ID ****"
    - echo "**** Java location ****"
    - which java
    - echo "**** Java version ****"
    - java -version
    - echo "**** Allowing execution of gradlew ****"
    - chmod +x gradlew
  script:
    - echo "**** Building Project ****"
    - ./gradlew about installQuasar cleanFrontend assembleFrontend copyDist build -Pversion=${CI_COMMIT_TAG}  --info --no-daemon -x test
    - echo "**** Listing build directory ****"
    - LC_COLLATE=C ls -ahl --group-directories-first --color=auto
      build
    - LC_COLLATE=C ls -ahl --group-directories-first --color=auto
      build/libs
    - echo "**** Uploading packages ****"
    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build/libs/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.jar
    "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${CI_COMMIT_TAG}/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.jar"'
    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build/libs/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-javadoc.jar
    "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${CI_COMMIT_TAG}/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-javadoc.jar"'
    - 'curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file build/libs/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-sources.jar
    "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${CI_COMMIT_TAG}/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-sources.jar"'
    - echo "**** Create asset links ****"
    - 'curl --request POST --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" --data tag_name="${CI_COMMIT_TAG}"
    --data name="${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.jar" --data url="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${CI_COMMIT_TAG}/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}.jar"
    --data link_type="package" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases/${CI_COMMIT_TAG}/assets/links"'
    - 'curl --request POST --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" --data tag_name="${CI_COMMIT_TAG}"
    --data name="${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-javadoc.jar" --data url="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${CI_COMMIT_TAG}/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-javadoc.jar"
    --data link_type="package" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases/${CI_COMMIT_TAG}/assets/links"'
    - 'curl --request POST --header "PRIVATE-TOKEN: ${GITLAB_TOKEN}" --data tag_name="${CI_COMMIT_TAG}"
    --data name="${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-sources.jar" --data url="${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/${CI_PROJECT_NAME}/${CI_COMMIT_TAG}/${CI_PROJECT_NAME}-${CI_COMMIT_TAG}-sources.jar"
    --data link_type="package" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/releases/${CI_COMMIT_TAG}/assets/links"'
  rules:
    - if: "$CI_COMMIT_TAG =~ /^\\d+\\.\\d+\\.\\d+(-beta|-alpha)\\.\\d+$/"
    - if: "$CI_COMMIT_TAG =~ /^\\d+\\.\\d+\\.\\d+$/"

Build Docker Release:
  stage: Build Release
  image: griefed/gitlab-ci-cd:2.2.11
  before_script:
    - docker login -u "$DOCKERHUB_USER" -p "$DOCKERHUB_TOKEN" docker.io
    - docker login -u "$DOCKERHUB_USER" -p "$GITHUB_TOKEN" ghcr.io
    - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
    - docker buildx create --use --name grfdbuilder
  script:
    - docker buildx build --push --no-cache --platform linux/amd64,linux/arm/v7,linux/arm64
      --tag "ghcr.io/$DOCKERHUB_USER/$DOCKERHUB_REPO:$CI_COMMIT_TAG"
      --tag "ghcr.io/$DOCKERHUB_USER/$DOCKERHUB_REPO:latest"
      --tag "index.docker.io/$DOCKERHUB_USER/$DOCKERHUB_REPO:$CI_COMMIT_TAG"
      --tag "index.docker.io/$DOCKERHUB_USER/$DOCKERHUB_REPO:latest"
      --build-arg BRANCH_OR_TAG=$CI_COMMIT_TAG
      --build-arg HOSTER=$CI_SERVER_HOST
      --build-arg VERSION=$CI_COMMIT_TAG
      --file Dockerfile .
  rules:
    - if: '$CI_COMMIT_TAG =~ /^\d+\.\d+\.\d+$/'

Build Docker PreRelease:
  stage: Build Release
  image: griefed/gitlab-ci-cd:2.2.11
  before_script:
    - docker login -u "$DOCKERHUB_USER" -p "$DOCKERHUB_TOKEN" docker.io
    - docker login -u "$DOCKERHUB_USER" -p "$GITHUB_TOKEN" ghcr.io
    - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
    - docker buildx create --use --name grfdbuilder
  script:
    - docker buildx build --push --no-cache --platform linux/amd64,linux/arm/v7,linux/arm64
      --tag "ghcr.io/$DOCKERHUB_USER/$DOCKERHUB_REPO:$CI_COMMIT_TAG"
      --tag "index.docker.io/$DOCKERHUB_USER/$DOCKERHUB_REPO:$CI_COMMIT_TAG"
      --build-arg BRANCH_OR_TAG=$CI_COMMIT_TAG
      --build-arg HOSTER=$CI_SERVER_HOST
      --build-arg VERSION=$CI_COMMIT_TAG
      --file Dockerfile .
  rules:
    - if: "$CI_COMMIT_TAG =~ /^\\d+\\.\\d+\\.\\d+(-beta|-alpha)\\.\\d+$/"

coverage:
  stage: Other
  image: registry.gitlab.com/haynes/jacoco2cobertura:1.0.9
  allow_failure: true
  script:
    - python /opt/cover2cover.py build/jacoco/test/jacocoTestReport.xml $CI_PROJECT_DIR/backend/main/java/ > build/cobertura.xml || true
    - python /opt/source2filename.py build/cobertura.xml || true
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: build/cobertura.xml

pages:
  image: griefed/baseimage-ubuntu-jdk-8:2.0.21
  stage: Documentation
  variables:
    project_name: $CI_PROJECT_NAME
    SEMANTIC_RELEASE_PACKAGE: $CI_PROJECT_NAME
  before_script:
    - which java
    - chmod +x gradlew
    - ./gradlew clean
  script:
    - ./gradlew javaDoc --info -x test
    - cp -Rf build/docs/javadoc public
    - LC_COLLATE=C ls -ahl --group-directories-first --color=auto
      public
  only:
    - main
  artifacts:
    paths:
      - public
    expire_in: 1 week