.gitlab-ci.yml

default:
  image: registry.gitlab.com/jarvis-network/base/container-images/docker-buildx:20.10
  services:
    - name: docker:20.10-dind
      entrypoint: ['env', '-u', 'DOCKER_HOST']
      command: ['dockerd-entrypoint.sh']
  before_script:
    - docker context create buildx-ctx
    - docker buildx create buildx-ctx --use
    - echo $ACR_CORE_PASSWORD | docker login -u $ACR_CORE_USER --password-stdin $ACR_CORE_URL
  interruptible: true
variables:
  DOCKER_DRIVER: overlay2
  REGISTRY: jarvisnetworkcoreacr.azurecr.io/jarvis-network/apps/exchange/mono-repo
  REGISTRY_USERNAME: asim_jarvis
  REGISTRY_PASSWORD: ${GITLAB_TOKEN}

.yarn_install_tree_hash: &yarn_install_tree_hash |-
  apk add git bash jq
  OUTDIR=_out ENABLE_TREE_HASH_OUTPUT=yes ./scripts/ci/gather_files_for_yarn_install.bash
  export TREE_HASH="$(cat _out/tree_hash)"
  export IMAGE="${REGISTRY}/install:${TREE_HASH}"
  echo "IMAGE: '$IMAGE'"

stages:
  - prepare
  - test and deploy

build `install` image:
  stage: prepare
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  script:
    - *yarn_install_tree_hash
    - sed "s/%TREE_HASH%/${TREE_HASH}/g" .gitlab-ci-template.yml > generated-pipeline.yml
    - docker buildx bake install --print
    - docker buildx bake install --progress=plain
  artifacts:
    paths:
      - generated-pipeline.yml

execute pipeline:
  stage: test and deploy
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  trigger:
    strategy: depend
    include:
      - artifact: generated-pipeline.yml
        job: build `install` image

security scan:
  stage: test and deploy
  only:
    - merge_requests
  script:
    - *yarn_install_tree_hash
    - docker pull "$IMAGE"
    - docker run --rm -v/var/run/docker.sock:/var/run/docker.sock
      aquasec/trivy image --severity CRITICAL --timeout 25m "$IMAGE"