# GitLab-managed scanning templates. They define the `container_scanning` and
# `dependency_scanning` jobs that are re-staged/parameterised further down in
# this file. Template contents follow the GitLab instance version rather than
# anything pinned here, so the analyzers they run can change underneath us.
include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
# Pipeline stage order. Two things worth knowing:
#  - `scan` (container/dependency scanning) is the LAST stage, after
#    deploy:production, so scan results are informational and never gate a
#    release.
#  - no job in this file uses the `integration_testing` stage; the job of that
#    name runs in `qa`.
stages:
  - baseimage
  - build
  - test
  - prepare
  - review
  - integration_testing
  - deploy:staging
  - qa
  - deploy:canary
  - deploy:production
  - scan
variables:
  # Image used by build/test/lint/static-analysis/integration_testing.
  # Mutable tag: `baseimage:deploy` overwrites `php:8.2` from master, so what
  # this resolves to changes over time (no digest pin).
  default_php_image: registry.gitlab.com/minds/engine/php:8.2
# Builds a throwaway PHP base image tagged with the pipeline id so changes to
# containers/php can be tried on a branch without touching the shared
# `php:8.2` tag. Manual and non-blocking; never offered on master (master uses
# `baseimage:deploy` instead).
baseimage:prepare:
  stage: baseimage
  image:
    # Pinned by tag only, not by digest. The `-debug` variant is needed for
    # the empty entrypoint override below.
    name: gcr.io/kaniko-project/executor:v1.14.0-debug
    entrypoint: [""]
  script:
    # No registry login is performed here; kaniko presumably picks up
    # credentials from the job environment — confirm.
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}/containers/php"
      --dockerfile "${CI_PROJECT_DIR}/containers/php/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}/php:${CI_PIPELINE_ID}"
  rules:
    - if: '$CI_COMMIT_REF_NAME == "master"'
      when: never
    - if: '$CI_COMMIT_REF_NAME != "master"'
      changes:
        - containers/php/*
      when: manual
  allow_failure: true
# Rebuilds and overwrites the shared `php:8.2` base image (presumably the same
# tag `default_php_image` points at) when containers/php changes on master.
# On master without such changes it is offered as a manual job; on any other
# branch it does not exist. Overwriting a mutable tag affects every subsequent
# pipeline immediately.
baseimage:deploy:
  stage: baseimage
  image:
    name: gcr.io/kaniko-project/executor:v1.14.0-debug  # NOTE(review): no digest pin
    entrypoint: [""]
  script:
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}/containers/php"
      --dockerfile "${CI_PROJECT_DIR}/containers/php/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}/php:8.2"
  rules:
    - if: '$CI_COMMIT_REF_NAME == "master"'
      changes:
        - containers/php/*
    - if: '$CI_COMMIT_REF_NAME != "master"'
      when: never
    - when: manual
  # NOTE(review): confirm this is intended at job level (it also makes the
  # automatic master rebuild non-blocking) rather than on the manual rule only.
  allow_failure: true
# Installs dependencies in production mode and hands `vendor` and `bin` to
# later stages as artifacts; `test`, `lint` and `static-analysis` run tools
# from `bin`, and the kaniko `prepare:*` jobs build from the repository root
# (which, with GitLab's default artifact passing, presumably includes these).
build:
  stage: build
  image: "$default_php_image"
  script:
    # git is needed by tools/setup.sh (presumably for VCS-sourced packages) — confirm.
    - apk add --no-cache git
    - sh tools/setup.sh production
  artifacts:
    name: "$CI_COMMIT_REF_SLUG"
    paths:
      - vendor
      - bin
# Spec suite. `php -n` ignores the system php.ini so Spec/php-test.ini is the
# only PHP configuration in effect for the run.
test:
  image: $default_php_image
  stage: test
  script:
    - php -n -c Spec/php-test.ini bin/phpspec run
# Coding-standard check. php-cs-fixer runs in dry-run mode, so it reports
# violations (non-zero exit) instead of rewriting files; `--allow-risky=yes`
# enables the fixers the project config marks as risky.
lint:
  image: $default_php_image
  stage: test
  script:
    - bin/php-cs-fixer fix --allow-risky=yes --verbose --dry-run
# PHPStan static analysis. Non-blocking (allow_failure), so findings are
# reported but do not stop the pipeline.
static-analysis:
  stage: test
  image: "$default_php_image"
  script:
    # The analysis needs a settings.php to exist; the example file is used as-is.
    - mv settings.example.php settings.php
    - bin/phpstan analyse --memory-limit=1G
  allow_failure: true
# Builds the php-fpm application image for this pipeline from the repository
# root and pushes it as `fpm:<pipeline id>`. The deploy jobs later retag this
# exact image (staging/canary/production) instead of rebuilding it.
prepare:fpm:
  stage: prepare
  image:
    name: gcr.io/kaniko-project/executor:v1.14.0-debug  # tag-pinned, no digest
    entrypoint: [""]
  script:
    # NOTE(review): build args are recorded in the image's layer history, so
    # SENTRY_DSN is readable by anyone who can pull the image. Acceptable only
    # if the DSN is considered non-secret; never pass real secrets this way.
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/containers/php-fpm/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}/fpm:${CI_PIPELINE_ID}"
      --build-arg MINDS_VERSION=$CI_PIPELINE_ID
      --build-arg SENTRY_DSN=$SENTRY_DSN
# Builds the RoadRunner application image for this pipeline and pushes it as
# `rr:<pipeline id>`; retagged alongside `fpm` by the deploy jobs.
prepare:rr:
  stage: prepare
  image:
    name: gcr.io/kaniko-project/executor:v1.14.0-debug  # tag-pinned, no digest
    entrypoint: [""]
  script:
    # NOTE(review): as with the fpm image, the SENTRY_DSN build arg ends up in
    # the image's layer history.
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/containers/php-rr/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}/rr:${CI_PIPELINE_ID}"
      --build-arg MINDS_VERSION=$CI_PIPELINE_ID
      --build-arg SENTRY_DSN=$SENTRY_DSN
# Builds the background-runners image for this pipeline and pushes it as
# `runners:<pipeline id>`; `production:runners` retags it later. Uses a
# separate Sentry DSN (RUNNERS_SENTRY_DSN) from the web images.
prepare:runners:
  stage: prepare
  image:
    name: gcr.io/kaniko-project/executor:v1.14.0-debug  # tag-pinned, no digest
    entrypoint: [""]
  script:
    # NOTE(review): the DSN build arg is recorded in the image's layer history.
    - /kaniko/executor
      --context "${CI_PROJECT_DIR}"
      --dockerfile "${CI_PROJECT_DIR}/containers/php-runners/Dockerfile"
      --destination "${CI_REGISTRY_IMAGE}/runners:${CI_PIPELINE_ID}"
      --build-arg MINDS_VERSION=$CI_PIPELINE_ID
      --build-arg SENTRY_DSN=$RUNNERS_SENTRY_DSN
# Registers the pipeline id as a Sentry release and associates commits with
# it. sentry-cli presumably reads SENTRY_AUTH_TOKEN/SENTRY_ORG/SENTRY_PROJECT
# from the job environment — none of them are set in this file.
prepare:all:sentry:
  stage: prepare
  image: getsentry/sentry-cli:2.31.0
  script:
    - echo "Create a new release $CI_PIPELINE_ID"
    - sentry-cli releases new $CI_PIPELINE_ID
    - sentry-cli releases set-commits --auto $CI_PIPELINE_ID
    - sentry-cli releases finalize $CI_PIPELINE_ID
    - echo "Finalized release for $CI_PIPELINE_ID"
# Scans this pipeline's fpm image with the included Container-Scanning
# template. `scan` is the final stage, after the deploy stages, so findings
# are reported but do not gate staging/canary/production.
container_scanning:
  stage: scan
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID
# Second instance of the template's scan job, pointed at the runners image.
# The `rr` image is not scanned anywhere in this file.
container_scanning_runners:
  extends: container_scanning
  stage: scan
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID
# Moves the template's dependency scanning to the `scan` stage (i.e. after
# deploy, non-gating). In the included template `dependency_scanning` is
# presumably the configuration-only base job that the analyzer jobs extend,
# so the stage setting propagates to them — verify against the template
# version in use.
dependency_scanning:
  stage: scan
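# Shared shell snippet (hidden key, spliced into `script` lists via
# `*oci_prepare`) that installs the OCI CLI credentials in the job container
# and writes a kubeconfig for the OKE cluster. $OCI_CONFIG and $OCI_KEY are
# expected to be paths to files (GitLab "file" variables) — confirm; the
# config presumably points key_file at /tmp/oci-key.pem. $KUBECONFIG and
# $OKE_CLUSTER_ID must already be set in the job environment.
.oci_prepare: &oci_prepare
  # Create the config dir and the key/config copies with owner-only
  # permissions instead of only silencing the CLI's "permissions too open"
  # warning: this is a long-lived API signing key on a possibly shared
  # runner.
  - mkdir -p -m 700 ~/.oci
  - cp "$OCI_CONFIG" ~/.oci/config
  - cp "$OCI_KEY" /tmp/oci-key.pem
  - chmod 600 ~/.oci/config /tmp/oci-key.pem
  # Kept in case the config references files this snippet does not own.
  - export OCI_CLI_SUPPRESS_FILE_PERMISSIONS_WARNING=True
  # Token-based kubeconfig against the cluster's PUBLIC endpoint: kubectl in
  # the deploy/review jobs talks to the API server over the internet,
  # authenticated with the OCI credentials installed above.
  - |
    oci ce cluster create-kubeconfig \
      --cluster-id "$OKE_CLUSTER_ID" \
      --file "$KUBECONFIG" \
      --region us-ashburn-1 \
      --token-version 2.0.0 \
      --kube-endpoint PUBLIC_ENDPOINT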
# Deploys a per-branch review app with Helm (release name = branch slug, in
# the shared `default` namespace) and records a Sentry deploy for it. Runs
# on every ref except master.
review:start:
  stage: review
  image: minds/ci:latest  # NOTE(review): unpinned tag for the tooling image
  script:
    - *oci_prepare
    # Download repo, use same branch name if exists
    # NOTE(review): the chart comes from a helm-charts branch named like this
    # branch whenever one exists, so anyone who can push a same-named branch
    # to helm-charts controls how this review app is deployed. The job token
    # embedded in the URL relies on GitLab masking it in job output.
    - HELM_GIT_REPO=https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/minds/helm-charts.git
    - git clone --branch=master $HELM_GIT_REPO
    - BRANCH_EXISTS=$(git ls-remote --heads $HELM_GIT_REPO $CI_COMMIT_REF_NAME | wc -l)
    - cd ./helm-charts
    # `==` inside `[ ]` is a bash/busybox extension (POSIX is `=`); the
    # if/fi spans several script entries, which GitLab joins with newlines.
    - if [ $BRANCH_EXISTS == "1" ] ; then
    - echo "Matching branch exists, checking out $CI_COMMIT_REF_NAME..."
    - git checkout $CI_COMMIT_REF_NAME 2>/dev/null
    - fi;
    #
    - echo "Upgrading helm for pipeline ${CI_PIPELINE_ID}"
    - echo "Setting to image ${CI_REGISTRY_IMAGE}"
    # One double-quoted YAML scalar: lines ending in `\` drop the line break,
    # the others (domain/cdn_domain/siteUrl/routingCookie/serverUri) fold to a
    # single space, so the command is intact either way. `--reuse-values`
    # merges values from the previous release of the same name.
    - "helm upgrade \
      --install \
      --namespace default \
      --values ./minds/values-sandbox-oke.yaml \
      --reuse-values \
      --set engine.image.repository=$CI_REGISTRY_IMAGE/fpm \
      --set engine.image.rrRepository=$CI_REGISTRY_IMAGE/rr \
      --set-string engine.image.tag=$CI_PIPELINE_ID \
      --set domain=$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN
      --set cdn_domain=$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN
      --set siteUrl=https://$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN/
      --set-string environments.sandbox.routingCookie=false
      --set-string sockets.serverUri=$CI_COMMIT_REF_SLUG-sockets.$KUBE_INGRESS_BASE_DOMAIN
      --wait \
      $CI_COMMIT_REF_SLUG \
      ./minds"
    - sentry-cli releases deploys $CI_PIPELINE_ID new -e review-$CI_COMMIT_REF_SLUG
  environment:
    name: review/$CI_COMMIT_REF_NAME
    url: https://$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN
    # The stop job has to exist on every ref this job runs on; keep its
    # `except` list in sync with the one below.
    on_stop: review:stop
  except:
    refs:
      - master
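# Manual teardown of a branch's review app (referenced by review:start via
# `on_stop`). No checkout is needed — only the cluster credentials from
# *oci_prepare — hence GIT_STRATEGY: none.
review:stop:
  stage: review
  image: minds/ci:latest  # NOTE(review): unpinned tag for the tooling image
  script:
    - *oci_prepare
    - helm -n default del $CI_COMMIT_REF_SLUG
  environment:
    name: review/$CI_COMMIT_REF_NAME
    url: https://$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN
    action: stop
  variables:
    GIT_STRATEGY: none
  when: manual
  # Must mirror review:start's `except` list: review:start runs on every ref
  # except master, and an `on_stop` target that is filtered out of the
  # pipeline leaves the environment without a stop action (and may be
  # rejected by GitLab). The previous extra `feat/ci-k8s` exclusion broke
  # that invariant.
  except:
    refs:
      - master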
# End-to-end tests: against production (www.minds.com) on master, against the
# branch's review app otherwise. Never blocks the pipeline (allow_failure);
# test output is kept as an artifact even on failure.
integration_testing:
  stage: qa  # the dedicated `integration_testing` stage is not used
  image: "$default_php_image"
  script:
    - apk add --no-cache git
    # Folded scalar: the more-indented lines keep their line breaks, which the
    # shell needs between `then`/`else`/`fi` and the export statements.
    - >
      if [ "$CI_COMMIT_REF_NAME" == "master" ]; then
        export MINDS_DOMAIN=https://www.minds.com
      else
        export MINDS_DOMAIN=https://$CI_COMMIT_REF_SLUG.$KUBE_INGRESS_BASE_DOMAIN
      fi
    # NOTE(review): re-exporting a CI variable is a no-op, but it documents
    # that setup_and_run.sh — code from the branch under test — receives the
    # signing bypass key, and that on master it is used against production.
    # Make sure the variable is protected and masked so unprotected branches
    # and forks cannot read it (if it is protected, non-protected branches
    # simply will not have it).
    - export BYPASS_SIGNING_KEY=$BYPASS_SIGNING_KEY
    - sh integration_tests/setup_and_run.sh
  artifacts:
    when: always
    paths:
      - integration_tests/tests/_output
  allow_failure: true
# qa:manual:
# stage: qa
# script:
# - echo "Manually approved"
# when: manual
# only:
# refs:
# - master
# - production
# - test/gitlab-ci
# allow_failure: true
################
# Deploy Stage #
################
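# Shared deploy body, merged into staging:fpm / canary:fpm / production:fpm
# with `<<: *deploy` (each overrides `stage`, sets IMAGE_LABEL and its own
# environment/only/when). Deploys by retagging the already-built pipeline
# images to the environment label and restarting the matching Deployment,
# which presumably re-pulls the moved tag (requires imagePullPolicy Always
# on the workload — confirm in the chart).
.deploy: &deploy
  stage: deploy:staging
  image: minds/ci:latest  # NOTE(review): unpinned tag for the deploy tooling
  script:
    # Feed the registry password on stdin rather than as a `-p` argument so
    # it does not show up in the process table or any `set -x` output.
    - printf '%s' "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    # FPM
    - crane tag "$CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID" "$IMAGE_LABEL"
    # RoadRunner (rr)
    - crane tag "$CI_REGISTRY_IMAGE/rr:$CI_PIPELINE_ID" "$IMAGE_LABEL"
    # OKE: Rolling restart
    - *oci_prepare
    - kubectl -n default rollout restart deployment "minds-engine-$IMAGE_LABEL"
    # Update sentry
    - sentry-cli releases deploys "$CI_PIPELINE_ID" new -e "$IMAGE_LABEL"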
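# Automatic, non-blocking deploy of master (and the `test/gitlab-ci` branch)
# to staging, then promotion of the pipeline's images to `latest`.
staging:fpm:
  <<: *deploy
  stage: deploy:staging
  variables:
    IMAGE_LABEL: "staging"
  # after_script runs even when `script` failed, so gate the `latest` retag
  # on the job status; otherwise a failed staging deploy still moves `latest`
  # to an image that was never rolled out. The registry login from `script`
  # is presumably still valid here (the original relied on that as well).
  after_script:
    - |
      if [ "$CI_JOB_STATUS" = "success" ]; then
        crane tag "$CI_REGISTRY_IMAGE/fpm:$CI_PIPELINE_ID" latest
        crane tag "$CI_REGISTRY_IMAGE/rr:$CI_PIPELINE_ID" latest
      else
        echo "Job status is '$CI_JOB_STATUS'; not moving the latest tags"
      fi
  environment:
    name: staging
    url: https://www.minds.com/?staging=1
  only:
    refs:
      - master
      - test/gitlab-ci
  allow_failure: true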
# Manual, non-blocking promotion of this pipeline's images to the canary
# environment (the canary URL is only served with the canary cookie).
# Master only.
canary:fpm:
  <<: *deploy
  stage: deploy:canary
  when: manual
  allow_failure: true
  variables:
    IMAGE_LABEL: canary
  environment:
    name: canary
    url: https://www.minds.com/?canary=1
  only:
    refs:
      - master
# Manual promotion of this pipeline's fpm/rr images to production. Master
# only; no explicit allow_failure is set on this one.
production:fpm:
  <<: *deploy
  stage: deploy:production
  when: manual
  variables:
    IMAGE_LABEL: production
  environment:
    name: production
    url: https://www.minds.com/
  only:
    refs:
      - master
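# Deploys this pipeline's runners image to production and restarts the
# runner Deployments.
# NOTE(review): unlike production:fpm there is no `when: manual` gate, and
# the `test/gitlab-ci` branch is allowed to run it, so a push to that branch
# rolls new runners into production automatically — confirm that is intended.
production:runners:
  stage: deploy:production
  image: minds/ci:latest  # NOTE(review): unpinned tag for the deploy tooling
  script:
    - IMAGE_LABEL="production"
    # Registry password via stdin, not a `-p` argument (keeps it out of the
    # process table and `set -x` output).
    - printf '%s' "$CI_REGISTRY_PASSWORD" | crane auth login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - crane tag "$CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID" "$IMAGE_LABEL"
    - crane tag "$CI_REGISTRY_IMAGE/runners:$CI_PIPELINE_ID" latest
    # OKE: Rolling restart of every Deployment whose name contains
    # `minds-runners-`. With no match the job fails rather than silently
    # succeeding (grep exits 1, or kubectl is invoked without a resource).
    - *oci_prepare
    - kubectl -n default get deployments | grep minds-runners- | awk '{print $1}' | xargs kubectl -n default rollout restart deployment
  only:
    refs:
      - master
      - test/gitlab-ci
  environment:
    name: runners
    url: https://www.minds.com/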