# Stage order for the pipeline. Every job in this file also carries
# `resource_group: single`, so jobs run one at a time regardless of stage.
# No job in this file is assigned to the `tag` stage.
stages:
  - workspace
  - deps
  - env
  - codegen
  - lint
  - test
  - build
  - tag
  - analyze
  - deploy
# Global variables. The three *_CACHE_POLICY values default to `pull`; the job
# that produces each cache overrides its own policy to `push`/`pull-push`.
variables:
  # Docker-in-docker is reached over plain TCP with TLS switched off
  # (empty DOCKER_TLS_CERTDIR). NOTE(review): this is only acceptable while
  # the dind socket is reachable solely from this job's service network —
  # confirm against the runner configuration.
  DOCKER_HOST: tcp://docker:2375/
  DOCKER_TLS_CERTDIR: ""
  # Image tag derived from the branch/tag name.
  PROJECT_VERSION: ${CI_COMMIT_REF_SLUG}
  ORGANIZATION: codesdowork
  PROJECT: monorepo
  # All project images live under the GitLab project registry.
  IMAGE_BASE: ${CI_REGISTRY}/${ORGANIZATION}/${PROJECT}
  # Pinned so the CLI image and the dind service always match.
  DOCKER_VERSION: "27.5.1"
  DEPS_CACHE_POLICY: pull
  ENV_CACHE_POLICY: pull
  CODEGEN_CACHE_POLICY: pull
  MASTER_BRANCH: master
  DEV_BRANCH: develop
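# Settings inherited by every job: the workspace image produced in the first
# stage, a docker-in-docker service, the shared caches and the registry logins.
default:
  image: ${IMAGE_BASE}/workspace:${PROJECT_VERSION}
  services:
    - name: docker:${DOCKER_VERSION}-dind
      alias: docker
      command:
        - "--feature"
        - "containerd-snapshotter"
  cache:
    # node_modules keyed on the lockfile; only "install deps" pushes it.
    - key:
        files:
          - pnpm-lock.yaml
      paths:
        - node_modules
      policy: $DEPS_CACHE_POLICY
    - key: nx-cache
      paths:
        - .nx
    # Generated secrets (.env files, key material, ssh config) are handed
    # from "generate env files" to later jobs through the CI cache, keyed per
    # commit. The cache is not a secret store: whoever can read the runner's
    # cache storage can read these files, so keep that storage private.
    - key: env-${CI_COMMIT_SHA}
      paths:
        - ./**/.env
        - ./**/*.pem
        - ./**/.ssh
      policy: $ENV_CACHE_POLICY
    - key: codegen-${CI_COMMIT_SHA}
      paths:
        - ./packages/**/generated
      policy: $CODEGEN_CACHE_POLICY
  before_script:
    - export PATH="$PWD/node_modules/.bin:$PATH"
    # On master/develop, point `nx affected` at the merge commit before the
    # most recent one (presumably the one that produced this pipeline) so
    # only the last merged change counts as affected — TODO confirm.
    - if [ "$CI_COMMIT_BRANCH" = "$MASTER_BRANCH" ] || [ "$CI_COMMIT_BRANCH" = "$DEV_BRANCH" ]; then export NX_BASE=$(git log origin/$CI_COMMIT_BRANCH --first-parent --merges -n 1 --skip 1 --format=%H); fi
    # Both logins take the password on stdin. Passing it with `-p` exposes
    # the secret in process listings on the runner, and docker itself warns
    # about it; this matches the registry login below.
    - echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
    - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin
    # NOTE(review): these logins run before every job, including lint/test
    # jobs that never touch a registry — consider moving them into the jobs
    # that push or pull images.
    - docker network create --driver=bridge builder-network
    - docker buildx create --use --driver-opt network=builder-network
    - docker buildx inspect --bootstrap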
# Builds and pushes the two workspace images that every later job runs in.
# Runs in the stock docker CLI image (the workspace image does not exist yet)
# with the shared caches disabled. arm64 only.
build workspace image:
  stage: workspace
  image: docker:${DOCKER_VERSION}
  cache: []
  script:
    - docker info
    - docker buildx build --network=host --push -t ${IMAGE_BASE}/workspace-base:${PROJECT_VERSION} -f packages/workspace/base/Dockerfile --platform=linux/arm64 .
    - docker buildx build --network=host --push -t ${IMAGE_BASE}/workspace:${PROJECT_VERSION} -f packages/workspace/Dockerfile --build-arg IMAGE_BASE=${IMAGE_BASE} --build-arg PROJECT_VERSION=${PROJECT_VERSION} --platform=linux/arm64 .
  resource_group: single
# Installs dependencies and is the only job allowed to write the
# node_modules cache (pull-push).
install deps:
  stage: deps
  variables:
    DEPS_CACHE_POLICY: pull-push
  script:
    # `nci` is presumably a lockfile-respecting install alias provided by
    # the workspace image — verify there.
    - nci
  resource_group: single
# Generates per-environment .env files and pushes them into the env cache
# for the following jobs. The set of environments narrows as the branch gets
# closer to production: master → PROD, develop → TEST,PROD, else all three.
generate env files:
  stage: env
  variables:
    ENV_CACHE_POLICY: push
  script:
    - if [ "$CI_COMMIT_BRANCH" = "$MASTER_BRANCH" ]; then export STAGE=PROD; elif [ "$CI_COMMIT_BRANCH" = "$DEV_BRANCH" ]; then export STAGE=TEST,PROD; else export STAGE=DEV,TEST,PROD; fi
    # NOTE(review): the vault credentials are passed as command-line
    # arguments, which are visible in process listings inside the job
    # container; if the generator can read them from the environment
    # instead, prefer that.
    - nx g env-files ${STAGE} ${BITWARDEN_USER} ${BITWARDEN_PASSWORD}
  resource_group: single
# Runs code generation for affected projects and publishes the result via
# the codegen cache.
codegen:
  stage: codegen
  variables:
    CODEGEN_CACHE_POLICY: push
  script:
    - nx affected -t codegen
  resource_group: single
# Fails if any file is not formatted according to the workspace config.
check formatting:
  stage: lint
  script:
    - nx format:check
  resource_group: single
# Lints only the projects affected by the change.
eslint:
  stage: lint
  script:
    - nx affected -t lint
  resource_group: single
# Scans the whole tree for committed credentials, honouring .gitignore.
# This job is not marked allow_failure, so a finding blocks the pipeline.
secretlint:
  stage: lint
  script:
    - secretlint --secretlintignore .gitignore "**/*"
  resource_group: single
# Type-checks affected Svelte projects.
svelte check:
  stage: lint
  script:
    - nx affected -t svelte-check
  resource_group: single
# Static analysis upload, master only, non-blocking.
# NOTE(review): the inherited before_script (docker login, buildx) also runs
# inside this scanner image; if the image lacks the docker CLI the job fails
# before sonar-scanner starts and allow_failure hides it — confirm.
sonarqube:
  stage: lint
  cache: []
  image:
    # Tag-pinned only; a digest pin would make the scanner reproducible.
    name: sonarsource/sonar-scanner-cli:11.1
    entrypoint: [""]
  script:
    - sonar-scanner
  allow_failure: true
  only:
    - master
  resource_group: single
# Dependency advisory check. With allow_failure set, high-severity
# advisories are reported but never block the pipeline — an accepted risk
# that should be revisited deliberately.
audit:
  stage: lint
  script:
    - na audit --audit-level=high
  allow_failure: true
  resource_group: single
# Unit tests for affected projects.
test:
  stage: test
  script:
    - nx affected -t test
  resource_group: single
# Builds application images: the shared deps image first, then every
# affected project except the workspace images (already built in the first
# stage), then the documentation image. Serialized with --parallel=1.
build images:
  stage: build
  script:
    - nx docker-build workspace-deps
    - nx affected -t docker-build --exclude="workspace*" --parallel=1
    - nx docker-build just-documentation
  resource_group: single
# Vulnerability scan of the freshly built images. Non-blocking: findings are
# surfaced in the job log only, so they must be reviewed manually.
image security:
  stage: analyze
  script:
    - nx affected -t docker-pull
    - nx affected -t docker-trivy
  allow_failure: true
  resource_group: single
# Filesystem vulnerability scan of the workspace itself; non-blocking.
# `nr` is presumably a package-script runner alias from the workspace image.
workspace security:
  stage: analyze
  script:
    - nr trivy
  allow_failure: true
  resource_group: single
# Performance audits, one project at a time; reports are kept as artifacts.
lighthouse:
  stage: analyze
  script:
    - nx affected -t lighthouse --parallel=1
  artifacts:
    paths:
      - ./reports/lighthouse
  resource_group: single
# Deploys affected projects: production configuration on master, the
# `development` configuration otherwise. Restricted to master and develop;
# `only:` is the legacy form of `rules:` and behaves the same here.
deploy:
  stage: deploy
  script:
    - if [ "$CI_COMMIT_BRANCH" = "$MASTER_BRANCH" ]; then nx affected -t deploy; else nx affected -t deploy -c development; fi
  only:
    - master
    - develop
  resource_group: single