# Job defaults applied to every job in this file unless the job overrides the
# key.  Note that a job-level `tags` list *replaces* this one rather than
# merging with it (see morph-builds below).
default:
  # Guide the choice of an appropriate runner for all these jobs.
  # https://docs.gitlab.com/ee/ci/runners/#runner-runs-only-tagged-jobs
  tags:
    - "nixos"
    - "shell"

# Build the documentation and publish it as a browsable job artifact.
docs:
  stage: "build"
  script:
    - "nix-shell --run 'nix-build docs.nix'"
    # `result` is nix-build's symlink into /nix/store, whose contents are
    # read-only; --no-preserve=mode presumably gives the copies normal modes so
    # the artifact directory can be collected and cleaned up -- confirm.
    - "cp --recursive --no-preserve=mode result/docs/. docs/build/"
  artifacts:
    paths:
      - "docs/build/"
    expose_as: "documentation"

# Run the unit tests.  `result` is whatever nixos/unit-tests.nix produces
# (presumably a file with the test output); it is printed into the job log so
# failures can be read without downloading anything.
unit-tests:
  stage: "test"
  script:
    - "nix-shell --run 'nix-build nixos/unit-tests.nix' && cat result"

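# Build every morph grid and push the newly produced store paths to cachix.
morph-builds:
  tags:
    # Run this job in a Docker container so that it won't have the system
    # /nix/store so that it has to build everything.  This is necessary so
    # that the logic below that chooses what to send to cachix catches all our
    # stuff.  Anything that exists in /nix/store at the beginning of the job
    # won't be cached.  Also there are issues with any concurrent builds
    # sharing /nix/store.
    #
    # This is far from ideal but maybe it's a tolerable hack for now.
    - "nixos"
    - "docker"
  stage: "test"
  variables:
    # CACHIX_AUTH_TOKEN, which lets us push to cachix, is supplied by GitLab
    # thanks to project-level configuration.
    #
    # Security note: this job has no `only`/`rules` restriction, so it runs for
    # every pipeline on every ref.  Unless CACHIX_AUTH_TOKEN is configured as a
    # *protected* (and masked) variable, any branch push -- and merge-request
    # pipelines, if those are enabled for this project -- receives a token
    # that can write to the binary cache consumed by users.  Confirm the
    # variable is protected, or restrict this job to protected refs.
    CACHIX_NAME: "privatestorage-opensource"

  script:
    - |
      # Supply-chain note: cachix and bash are installed from whatever nixpkgs
      # channel the runner image provides, not from the pinned nixpkgs used by
      # the rest of the build.  bash is needed for the process substitution
      # below, which the job's own shell may not support.
      nix-env -iA nixpkgs.cachix nixpkgs.bash
      # Read from and write to the same cache: derive both names from
      # CACHIX_NAME so they cannot drift apart.
      cachix use "$CACHIX_NAME"
      # Snapshot the store before building.  Only paths that exist afterwards
      # but not in this snapshot are pushed; .drv files are dropped from both
      # lists, and both are sorted because comm(1) requires sorted input.
      nix path-info --all > /tmp/store-path-pre-build
      for grid in morph/grid/*/grid.nix; do
          morph build "${grid}"
      done
      bash -c "comm -13 <(sort /tmp/store-path-pre-build | grep -v '\.drv$') <(nix path-info --all | grep -v '\.drv$' | sort) | cachix push \"$CACHIX_NAME\""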

# Scan the built system for known vulnerabilities and publish the report.
vulnerability-scan:
  stage: "test"
  script:
    # CI-only edit of a file under secrets/: the local grid's users.nix
    # carries a placeholder `undefined`, which is rewritten to a string,
    # presumably so the grid evaluates for the scan -- confirm against
    # ci-tools/vulnerability-scan.  Nothing is committed, but if the
    # placeholder ever changes this sed matches nothing and the failure
    # surfaces later, in the scan, rather than here.
    - "sed -i 's/undefined/\"unundefined\"/' morph/grid/local/secrets/users.nix"
    - "ci-tools/vulnerability-scan security-report.json"
    # Presumably exits non-zero when vulnerabilities are found, failing the
    # job -- verify in ci-tools/count-vulnerabilities.
    - "ci-tools/count-vulnerabilities <security-report.json"
  artifacts:
    paths:
      - "security-report.json"
    expose_as: "security report"


# Run the full system tests.  These are slow enough to need an explicit
# timeout well above GitLab's default.
system-tests:
  stage: "test"
  timeout: "3 hours"
  script:
    - "nix-shell --run 'nix-build nixos/system-tests.nix'"

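# Shared body for the deployment jobs, so the two jobs below cannot drift
# apart.  NOTE: these are still placeholders -- they only echo what they
# *would* deploy.  `only` matches a ref by name; before a real deploy (and any
# deploy credentials) is wired in, make sure the `staging` and `production`
# branches are protected, otherwise anyone who can push a branch with that
# name can trigger the job.
.deploy-template:
  stage: "deploy"
  script:
    - echo "Hello $GITLAB_USER_LOGIN from $CI_JOB_NAME. I was triggered by $CI_PIPELINE_SOURCE "
    - echo "and would like to deploy the $CI_COMMIT_BRANCH branch to the $CI_ENVIRONMENT_NAME environment."

deploy-to-staging:
  extends: ".deploy-template"
  only:
    - "staging"
  environment:
    name: "staging"
    url: "https://privatestorage-staging.com/"

deploy-to-production:
  extends: ".deploy-template"
  only:
    - "production"
  environment:
    name: "production"
    url: "https://privatestorage.io/"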