.gitlab-ci.yml

# Define rules for a job that should run for events related to a merge request
# - merge request is opened, a new commit is pushed to its branch, etc.  This
# definition does nothing by itself but can be referenced by jobs that want to
# run in this condition.
.merge_request_rules: &RUN_ON_MERGE_REQUEST
  rules:
    # If the pipeline is triggered by a merge request event then we should
    # run.
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'

    # If the pipeline is triggered by anything else then we should not run.
    - when: "never"

# As above, but rules for running when the scheduler triggers the pipeline.
.schedule_rules: &RUN_ON_SCHEDULE
  rules:
    # There are multiple schedules so make sure this one is for us.  The
    # `SCHEDULE_TARGET` variable is explicitly, manually set by us in the
    # schedule configuration.
    - if: '$SCHEDULE_TARGET != $CI_JOB_NAME'
      when: "never"

    # Make sure this is actually a scheduled run
    - if: '$CI_PIPELINE_SOURCE != "schedule"'
      when: "never"

    # Conditions look good: run.
    - when: "always"

stages:
  - "build"
  - "deploy"

default:
  # Guide the choice of an appropriate runner for all these jobs.
  # https://docs.gitlab.com/ee/ci/runners/#runner-runs-only-tagged-jobs
  tags:
    - "nixos"
    - "shell"

variables:
  # https://docs.gitlab.com/ee/ci/runners/configure_runners.html#job-stages-attempts
  GET_SOURCES_ATTEMPTS: 10

docs:
  <<: *RUN_ON_MERGE_REQUEST
  stage: "build"
  script:
    - "nix-build --attr docs --out-link result-docs"
    # GitLab wants to lchown artifacts.  It can't do that to store paths.  Get
    # a copy of the docs outside of the store.
    - "cp --recursive --no-preserve=mode ./result-docs/docs ./docs-build/"
  artifacts:
    paths:
      - "./docs-build/"
    expose_as: "documentation"

unit-tests:
  <<: *RUN_ON_MERGE_REQUEST
  stage: "build"
  script:
    - "nix-build --attr unit-tests && cat result"

.morph-build: &MORPH_BUILD
  <<: *RUN_ON_MERGE_REQUEST
  timeout: "3 hours"
  stage: "build"
  script:
    - |
      # GRID is set in one of the "instantiations" of this job template.
      nix-shell --run "morph build --show-trace morph/grid/${GRID}/grid.nix"


morph-build-localdev:
  <<: *MORPH_BUILD
  variables:
    GRID: "local"

  before_script:
    - |
      # The local grid configuration is *almost* complete enough to build.  It
      # just needs this tweak.
      echo '{}' > morph/grid/${GRID}/public-keys/users.nix

morph-build-staging:
  <<: *MORPH_BUILD
  variables:
    GRID: "testing"


morph-build-production:
  <<: *MORPH_BUILD
  variables:
    GRID: "production"


vulnerability-scan:
  <<: *RUN_ON_MERGE_REQUEST
  stage: "build"
  script:
    - "ci-tools/vulnerability-scan security-report.json"
    - "ci-tools/count-vulnerabilities <security-report.json"
  artifacts:
    paths:
      - "security-report.json"
    expose_as: "security report"


system-tests:
  <<: *RUN_ON_MERGE_REQUEST
  timeout: "3 hours"
  stage: "build"
  script:
    - "nix-build --attr system-tests"

# A template for a job that can update one of the grids.
.update-grid: &UPDATE_GRID
  stage: "deploy"
  script: |
    env --ignore-environment - \
      NIX_PATH="$NIX_PATH" \
      GITLAB_USER_LOGIN="$GITLAB_USER_LOGIN" \
      CI_JOB_NAME="$CI_JOB_NAME" \
      CI_PIPELINE_SOURCE="$CI_PIPELINE_SOURCE" \
      CI_COMMIT_BRANCH="$CI_COMMIT_BRANCH" \
      ./ci-tools/update-grid-servers "${PRIVATESTORAGEIO_SSH_DEPLOY_KEY_PATH}" "${CI_ENVIRONMENT_NAME}"

# Update the staging deployment - only on a commit to the develop branch.
update-staging:
  <<: *UPDATE_GRID

  # https://docs.gitlab.com/ee/ci/yaml/#rules
  rules:
    # https://docs.gitlab.com/ee/ci/yaml/index.html#rulesif
    # https://docs.gitlab.com/ee/ci/jobs/job_control.html#cicd-variable-expressions
    # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
    - if: '$CI_COMMIT_BRANCH == "develop"'
  environment:
    # You can find some status information about environments in GitLab at
    # https://whetstone.privatestorage.io/privatestorage/PrivateStorageio/-/environments.
    name: "staging"
    # The URL controls where the "View Deployment" button for this environment
    # will take you.  The main website isn't controlled by this codebase so we
    # don't point there.  The monitoring system *is* controlled by this
    # codebase and it also tells us lots of stuff about other things
    # controlled by this codebase so that seems like a good place to land.
    # Not that I make it a habit to visit the deployment using the GitLab
    # button...  Still, discoverability or something.
    url: "https://monitoring.privatestorage-staging.com/"

# Update the production deployment - only on a commit to the production branch.
deploy-to-production:
  <<: *UPDATE_GRID

  # https://docs.gitlab.com/ee/ci/yaml/#rules
  rules:
    # https://docs.gitlab.com/ee/ci/yaml/index.html#rulesif
    # https://docs.gitlab.com/ee/ci/jobs/job_control.html#cicd-variable-expressions
    # https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
    - if: '$CI_COMMIT_BRANCH == "production"'

  environment:
    # See notes in `update-staging`.
    name: "production"
    url: "https://monitoring.private.storage/"

update-nixpkgs:
  <<: *RUN_ON_SCHEDULE
  stage: "build"
  script:
    - |
      ./ci-tools/with-ssh-agent \
          ./ci-tools/update-nixpkgs \
              "$CI_SERVER_URL" \
              "$CI_SERVER_HOST" \
              "$CI_PROJECT_PATH" \
              "$CI_PROJECT_ID" \
              "$CI_DEFAULT_BRANCH"

update-production:
  <<: *RUN_ON_SCHEDULE
  stage: "build"
  script:
    - |
      ./ci-tools/update-production \
              "$CI_SERVER_URL" \
              "$CI_PROJECT_ID" \
              "develop" \
              "production"