.gitlab-ci.yml

image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.10"

stages:
  - setup
  - static_analysis
  - test
  - build
  - integration_test
  - security_analysis
  - publish

variables:
  POETRY_CACHE_DIR: "$CI_PROJECT_DIR/.cache/poetry"

.poetry cache:
  stage: setup
  script:
    - time poetry install --no-ansi --sync
  cache:
    key:
      prefix: "py"
      files:
        - poetry.lock
    policy: pull-push
    paths:
      - .cache/poetry/
  except:
    - main
    - tags

poetry cache py3.8:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.8"
  cache:
    key:
      prefix: "py38"
      files:
        - poetry.lock

poetry cache py3.9:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.9"
  cache:
    key:
      prefix: "py39"
      files:
        - poetry.lock

poetry cache py3.10:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.10"
  script:
    # we use this cache to run all checks, so install everything
    - time poetry install --no-ansi --sync --with tests --with lint --with dev
  cache:
    key:
      prefix: "py310"
      files:
        - poetry.lock

poetry cache py3.11:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.11"
  cache:
    key:
      prefix: "py311"
      files:
        - poetry.lock

poetry cache py3.12:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.12"
  cache:
    key:
      prefix: "py312"
      files:
        - poetry.lock

poetry cache py3.13-pre:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.13-pre"
  script:
    # ToDo: there's no blake3 wheel yet for 3.13, remove this when there's one.
    # Check if we need to install everything or just check for changes in the package lock
    - set -euo pipefail
    - if poetry env info -p; then
        echo "We have a cached venv";
      else
        echo "No cache, installing everything...";
        apt-get update && apt-get install -y curl;
        curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup.sh;
        sh rustup.sh -v -y;
        source $HOME/.cargo/env;
      fi;
    - time poetry install --no-ansi --sync
  allow_failure: true
  cache:
    key:
      prefix: "py313pre"
      files:
        - poetry.lock

.poetry cache pypy:
  extends: .poetry cache
  script:
    # ToDo: there's no blake3 wheel yet for PyPy, remove this when there's one (if ever).
    # Check if we need to install everything or just check for changes in the package lock
    # Note that creating the virtualenv with poetry makes the installation of blake3 fail
    # for some reason, so I used some tricks to use venv instead.
    - set -euo pipefail
    - if poetry env info -p; then
        echo "We have a cached venv";
      else
        echo "No cache, installing everything...";
        apt-get update && apt-get install -y curl;
        curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > rustup.sh;
        sh rustup.sh -v -y;
        source $HOME/.cargo/env;
        poetry env use "$(which python3)";
        venvpath="$(poetry env info -p)";
        rm -rf "$venvpath";
        python3 -m venv "$venvpath";
      fi;
    - time poetry install --no-ansi
  cache:
    key:
      prefix: "pypy"
      files:
        - poetry.lock
  allow_failure: true

poetry cache pypy3.8:
  extends: .poetry cache pypy
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.8pypy"
  cache:
    key:
      prefix: "pypy38"
      files:
        - poetry.lock

poetry cache pypy3.9:
  extends: .poetry cache pypy
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.9pypy"
  cache:
    key:
      prefix: "pypy39"
      files:
        - poetry.lock

poetry cache pypy3.10:
  extends: .poetry cache pypy
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.10pypy"
  cache:
    key:
      prefix: "pypy310"
      files:
        - poetry.lock

poetry cache stackless3.8:
  extends: .poetry cache
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.8stackless"
  cache:
    key:
      prefix: "stackless38"
      files:
        - poetry.lock
  allow_failure: true

python lint:
  stage: static_analysis
  needs:
    - poetry cache py3.10
  script:
    - time poetry run inv reformat
    - changes="$(git status --porcelain=v2 2>/dev/null)"
    - if [ -n "$changes" ]; then printf "Code is not properly formatted\n%s" "$changes"; exit 1; fi
    - time poetry run inv lint
  cache:
    key:
      prefix: "py310"
      files:
        - poetry.lock
    policy: pull
    paths:
      - .cache/poetry/
  except:
    - main
    - tags

packages security:
  stage: static_analysis
  needs:
    - poetry cache py3.10
  script:
    - time poetry run inv safety
  cache:
    key:
      prefix: "py310"
      files:
        - poetry.lock
    policy: pull
    paths:
      - .cache/poetry/
  except:
    - main
    - tags

.tests:
  stage: test
  script:
    - time poetry run inv tests --report
    - poetry run coverage report --show-missing --fail-under 100
    - poetry run coverage xml
  cache:
    key: "python-${CI_COMMIT_REF_SLUG}"
    policy: pull
    paths:
      - .cache/poetry/
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  artifacts:
    when: always
    reports:
      junit: report.xml
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
  except:
    - main
    - tags

tests py3.8:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.8"
  needs:
    - poetry cache py3.8
    - python lint
    - packages security
  cache:
    key:
      prefix: "py38"
      files:
        - poetry.lock

tests py3.9:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.9"
  needs:
    - poetry cache py3.9
    - python lint
    - packages security
  cache:
    key:
      prefix: "py39"
      files:
        - poetry.lock

tests py3.10:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.10"
  needs:
    - poetry cache py3.10
    - python lint
    - packages security
  cache:
    key:
      prefix: "py310"
      files:
        - poetry.lock

tests py3.11:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.11"
  needs:
    - poetry cache py3.11
    - python lint
    - packages security
  cache:
    key:
      prefix: "py311"
      files:
        - poetry.lock

tests py3.12:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.12"
  needs:
    - poetry cache py3.12
    - python lint
    - packages security
  cache:
    key:
      prefix: "py312"
      files:
        - poetry.lock

tests py3.13-pre:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.13-pre"
  needs:
    - poetry cache py3.13-pre
    - python lint
    - packages security
  cache:
    key:
      prefix: "py313pre"
      files:
        - poetry.lock
  allow_failure: true

tests pypy3.8:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.8pypy"
  needs:
    - poetry cache pypy3.8
    - python lint
    - packages security
  cache:
    key:
      prefix: "pypy38"
      files:
        - poetry.lock
  allow_failure: true

tests pypy3.9:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.9pypy"
  needs:
    - poetry cache pypy3.9
    - python lint
    - packages security
  cache:
    key:
      prefix: "pypy39"
      files:
        - poetry.lock
  allow_failure: true

tests pypy3.10:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.10pypy"
  needs:
    - poetry cache pypy3.10
    - python lint
    - packages security
  cache:
    key:
      prefix: "pypy310"
      files:
        - poetry.lock
  allow_failure: true

tests stackless3.8:
  extends: .tests
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.8stackless"
  needs:
    - poetry cache stackless3.8
    - python lint
    - packages security
  script:
    - time poetry run inv tests --no-coverage  # with coverage is segfaulting for some reason
  cache:
    key:
      prefix: "stackless38"
      files:
        - poetry.lock
  allow_failure: true

# https://aquasecurity.github.io/trivy/v0.18.0/integrations/gitlab-ci/
security scanning:
  stage: security_analysis
  image:
    name: docker.io/aquasec/trivy:latest
    entrypoint: [ "" ]
  needs:
    - packages security
  script:
    - trivy --version
    # update vulnerabilities db
    - time trivy --cache-dir .cache/trivy/ image --download-db-only --no-progress
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - time trivy --cache-dir .cache/trivy/ fs --exit-code 0 --no-progress --format template --template "@/contrib/gitlab.tpl" --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" .
    # Prints the full report
    - time trivy --cache-dir .cache/trivy/ fs --exit-code 0 --no-progress .
    # Fails on every vulnerability that can be fixed
    - time trivy --cache-dir .cache/trivy/ fs --exit-code 1 --ignore-unfixed --no-progress .
  cache:
    key: "trivy-${CI_COMMIT_REF_SLUG}"
    policy: pull-push
    paths:
      - .cache/trivy/
  artifacts:
    reports:
      # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/
      # (the container scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
      container_scanning: gl-container-scanning-report.json
  except:
    variables:
      - $CONTAINER_SCANNING_DISABLED
    refs:
      - tags
      - main

.fuzz:
  stage: security_analysis
  image: "registry.gitlab.com/nevrona/public/poetry-docker:1.7.1-3.12"
  needs:
    - poetry cache py3.12
  before_script:
    - poetry add --group dev --source pythonfuzz pythonfuzz
  cache:
    - key:
        prefix: "py312"
        files:
          - poetry.lock
      policy: pull
      paths:
        - .cache/poetry/
    - key: "fuzz-0"
      policy: pull-push
      paths:
        - .fuzzed/
  only:
    - /^release\/.+$/

fuzz blake2signer:
  extends: .fuzz
  script:
    - time poetry run inv fuzz --short --signer blake2signer

fuzz blake2timestampsigner:
  extends: .fuzz
  script:
    - time poetry run inv fuzz --short --signer blake2timestampsigner

fuzz blake2serializersigner:
  extends: .fuzz
  script:
    - time poetry run inv fuzz --short --signer blake2serializersigner

.publish:
  stage: publish
  before_script:
    - echo "Artifacts from this job are temporary, and its sole purpose is to verify everything was published successfully without malicious intermediaries. Do not link nor depend on these artifacts! Fetch the package from PyPi or as specified in the README or docs."
  after_script:
    - apt-get update
    - apt-get -y install --no-install-recommends b3sum
    - sha256sum dist/*
    - sha512sum dist/*
    - b2sum dist/*
    - b2sum -l 256 dist/*
    - b3sum dist/*
  artifacts:
    paths:
      - dist/
    expire_in: 1 week

publish test:
  extends: .publish
  script:
    - set -euo pipefail
    - MAX_TRIES=${PUBLISH_TEST_MAX_TRIES:-10}
    - poetry config repositories.testpypi https://test.pypi.org/legacy/
    - poetry config pypi-token.testpypi "${POETRY_PYPI_TOKEN_TESTPYPI:?env var unset (forgot to protect branch?)}"
    - count=0; while [ $count -lt $MAX_TRIES ]; do printf "Attempt %d of %d\n" "$((count + 1))" "$MAX_TRIES"; sleep "$((count / 2))"; poetry version prerelease && poetry publish --build -r testpypi && break || let "count+=1"; done
    - if [ $count -ge $MAX_TRIES ]; then exit 1; fi
  only:
    - /^release\/.+$/

publish:
  extends: .publish
  script:
    - set -euo pipefail
    - poetry config pypi-token.pypi "${POETRY_PYPI_TOKEN_PYPI:?env var unset (forgot to protect branch?)}"
    - poetry publish --build
  only:
    - tags