.only-default: &only-default
  only:
    - master
    - branches
    - merge_requests

stages:
  - pre-commit
  - gitlab
  - test
  - deploy
  - docker

include:
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

before_script:
  - apt-get update && apt-get install redis-server -y
  - redis-server --daemonize yes
  - python -V
  - pip install wheel tox

pre-commit-check:
  <<: *only-default
  stage: pre-commit
  image: python:3.11-bookworm
  # variables:
  #   PRE_COMMIT_HOME: ${CI_PROJECT_DIR}/.cache/pre-commit
  # cache:
  #   paths:
  #     - ${PRE_COMMIT_HOME}
  script:
    - pip install pre-commit
    - pre-commit run --all-files

sast:
  stage: gitlab
  before_script: []

dependency_scanning:
  stage: gitlab
  before_script:
    - apt-get update && apt-get install redis-server libmariadb-dev -y
    - redis-server --daemonize yes
    - python -V
    - pip install wheel tox

secret_detection:
  stage: gitlab
  before_script: []

test-3.8-core:
  <<: *only-default
  image: python:3.8-bookworm
  script:
    - tox -e py38-core
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.9-core:
  <<: *only-default
  image: python:3.9-bookworm
  script:
    - tox -e py39-core
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.10-core:
  <<: *only-default
  image: python:3.10-bookworm
  script:
    - tox -e py310-core
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.11-core:
  <<: *only-default
  image: python:3.11-bookworm
  script:
    - tox -e py311-core
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.12-core:
  <<: *only-default
  image: python:3.12-bookworm
  script:
    - tox -e py312-core
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.8-all:
  <<: *only-default
  image: python:3.8-bookworm
  script:
    - tox -e py38-all
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.9-all:
  <<: *only-default
  image: python:3.9-bookworm
  script:
    - tox -e py39-all
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.10-all:
  <<: *only-default
  image: python:3.10-bookworm
  script:
    - tox -e py310-all
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

test-3.11-all:
  <<: *only-default
  image: python:3.11-bookworm
  script:
    - tox -e py311-all
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'

test-3.12-all:
  <<: *only-default
  image: python:3.12-bookworm
  script:
    - tox -e py312-all
  artifacts:
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

build-test:
  stage: test
  image: python:3.11-bookworm

  before_script:
    - python -m pip install --upgrade pip
    - python -m pip install --upgrade build
    - python -m pip install --upgrade setuptools wheel

  script:
    - python -m build

  artifacts:
    when: always
    name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
    paths:
      - dist/*
    expire_in: 1 year

test-docs:
  <<: *only-default
  image: python:3.11-bookworm
  script:
    - tox -e docs

deploy_production:
  stage: deploy
  image: python:3.11-bookworm

  before_script:
    - python -m pip install --upgrade pip
    - python -m pip install --upgrade build
    - python -m pip install --upgrade setuptools wheel twine

  script:
    - python -m build
    - python -m twine upload dist/*

  rules:
    - if: $CI_COMMIT_TAG

build-image:
  before_script: []
  image: docker:24.0
  stage: docker
  services:
    - docker:24.0-dind
  script: |
    CURRENT_DATE=$(echo $CI_COMMIT_TIMESTAMP | head -c 10 | tr -d -)
    IMAGE_TAG=$CI_REGISTRY_IMAGE/auth:$CURRENT_DATE-$CI_COMMIT_SHORT_SHA
    CURRENT_TAG=$CI_REGISTRY_IMAGE/auth:$CI_COMMIT_TAG
    MINOR_TAG=$CI_REGISTRY_IMAGE/auth:$(echo $CI_COMMIT_TAG | cut -d '.' -f 1-2)
    MAJOR_TAG=$CI_REGISTRY_IMAGE/auth:$(echo $CI_COMMIT_TAG | cut -d '.' -f 1)
    LATEST_TAG=$CI_REGISTRY_IMAGE/auth:latest

    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    docker run --privileged --rm tonistiigi/binfmt --uninstall qemu-*
    docker run --privileged --rm tonistiigi/binfmt --install all
    docker buildx create --use --name new-builder
    docker buildx build . --tag $IMAGE_TAG --tag $CURRENT_TAG --tag $MINOR_TAG --tag $MAJOR_TAG --tag $LATEST_TAG --file docker/Dockerfile --platform linux/amd64,linux/arm64 --push --build-arg AUTH_VERSION=$(echo $CI_COMMIT_TAG | cut -c 2-)
  rules:
    - if: $CI_COMMIT_TAG
      when: delayed
      start_in: 10 minutes

build-image-dev:
  before_script: []
  image: docker:24.0
  stage: docker
  services:
    - docker:24.0-dind
  script: |
    CURRENT_DATE=$(echo $CI_COMMIT_TIMESTAMP | head -c 10 | tr -d -)
    IMAGE_TAG=$CI_REGISTRY_IMAGE/auth:$CURRENT_DATE-$CI_COMMIT_BRANCH-$CI_COMMIT_SHORT_SHA

    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    docker run --privileged --rm tonistiigi/binfmt --uninstall qemu-*
    docker run --privileged --rm tonistiigi/binfmt --install all
    docker buildx create --use --name new-builder
    docker buildx build . --tag $IMAGE_TAG --file docker/Dockerfile --platform linux/amd64,linux/arm64 --push --build-arg AUTH_PACKAGE=git+https://gitlab.com/allianceauth/allianceauth@$CI_COMMIT_BRANCH
  rules:
    - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME == ""'
      when: manual
    - if: '$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME != ""'
      when: never

build-image-mr:
  before_script: []
  image: docker:24.0
  stage: docker
  services:
    - docker:24.0-dind
  script: |
    CURRENT_DATE=$(echo $CI_COMMIT_TIMESTAMP | head -c 10 | tr -d -)
    IMAGE_TAG=$CI_REGISTRY_IMAGE/auth:$CURRENT_DATE-$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME-$CI_COMMIT_SHORT_SHA

    docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    docker run --privileged --rm tonistiigi/binfmt --uninstall qemu-*
    docker run --privileged --rm tonistiigi/binfmt --install all
    docker buildx create --use --name new-builder
    docker buildx build . --tag $IMAGE_TAG --file docker/Dockerfile --platform linux/amd64,linux/arm64 --push --build-arg AUTH_PACKAGE=git+$CI_MERGE_REQUEST_SOURCE_PROJECT_URL@$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      when: manual
    - if: '$CI_PIPELINE_SOURCE != "merge_request_event"'
      when: never