.gitlab-ci.yml

# Copyright 2019 James Polley
# Copyright 2019 Steven C Hartley
# Copyright 2019 AJ Esler
# Copyright 2020 Matthew B. Gray
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# https://docs.gitlab.com/ee/ci/quick_start/
image: docker:stable

services:
  - docker:dind

stages:
  - build
  - test
  - publish

# For more naming options, see https://docs.gitlab.com/ee/ci/variables/
variables:
  DOCKER_HOST: tcp://docker:2375
  DOCKER_DRIVER: overlay2
  CONTAINER_TEST_IMAGE: ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_SLUG}-test
  GITLAB_CI_RUNNING: "true"

before_script:
  - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com

docker_build:
  stage: build
  script:
    - docker build --target=development --pull -t $CONTAINER_TEST_IMAGE .
    - docker push $CONTAINER_TEST_IMAGE

# Verify correctness of this program by running rspec tests
rspec_tests:
  stage: test
  script:
    - docker run -d --name="test-database" --hostname "postgres" -e "POSTGRES_PASSWORD=test" postgres:latest
    - docker run --network "container:test-database" -e "POSTGRES_PASSWORD=test" $CONTAINER_TEST_IMAGE bundle exec rake db:create db:structure:load spec

# Code style checks only against new changes
# This doesn't run for CI on tags or on master
code_style:
  stage: test
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    # - docker run $CONTAINER_TEST_IMAGE sh -c 'bundle exec rubocop $(git diff --name-only origin/master...)'
    - docker run $CONTAINER_TEST_IMAGE ./node_modules/eslint/bin/eslint.js --ext js,vue app/javascript
  except:
    - tags
    - master

# Assert that files in this project have an Apache Licence at the top
licence_check:
  stage: test
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    - docker run $CONTAINER_TEST_IMAGE bundle exec rake test:branch:copyright

# Static analysis against antipatterns in code and published CVEs that affect the project
security_analysis:
  stage: test
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    - docker run $CONTAINER_TEST_IMAGE bundle update brakeman --quiet
    - docker run $CONTAINER_TEST_IMAGE bundle exec brakeman --run-all-checks --no-pager
    - docker run $CONTAINER_TEST_IMAGE bundle exec bundler-audit check --update
    - docker run $CONTAINER_TEST_IMAGE bundle exec ruby-audit check
    # - docker run $CONTAINER_TEST_IMAGE yarn audit
    - docker run $CONTAINER_TEST_IMAGE script/yarn_smart_audit.rb
    - docker run $CONTAINER_TEST_IMAGE yarn check --integrity
  only:
    - master
    - security-patch    # Branches that are named this run will trigger this step too
    - security-patching
    - security-patches

# Stable images for production grade use
# These move :stable when a git tag passes CI, and creates a docker image matching that tag
# This allows to pin/roll back to a stable point, or go with the latest stable image
release_image:
  stage: publish
  variables:
    CONTAINER_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_RELEASE_IMAGE
    - docker push $CONTAINER_RELEASE_IMAGE
    - docker tag $CONTAINER_RELEASE_IMAGE $CI_REGISTRY_IMAGE:stable
    - docker push $CI_REGISTRY_IMAGE:stable
  only:
    - tags

# Latest images for testing in a staging environment
# These move :latest when master passes CI
latest_image:
  stage: publish
  variables:
    CONTAINER_RELEASE_IMAGE: ${CI_REGISTRY_IMAGE}:latest
  script:
    - docker pull $CONTAINER_TEST_IMAGE
    - docker tag $CONTAINER_TEST_IMAGE $CONTAINER_RELEASE_IMAGE
    - docker push $CONTAINER_RELEASE_IMAGE
  only:
    - master