.gitlab-ci.yml

workflow:
  auto_cancel:
    on_new_commit: interruptible
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "schedule"

stages:
  - build
  - security
  - publish
  - release
  - deploy

variables:
  PACKAGE_REGISTRY_URL: "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/generic/build/${CI_COMMIT_TAG}"
  GRADLE_OPTS: -Dorg.gradle.daemon=false

# ------------------------------ Conditions

.if-merge-request-or-main: &if-merge-request-or-main
  - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
  - if: $CI_MERGE_REQUEST_SOURCE_BRANCH_NAME
  - if: $CI_PIPELINE_SOURCE == "schedule"
    when: never
  - if: '$CI_COMMIT_MESSAGE =~ /^\(nobuild\)/'
    when: never

.if-release: &if-release
  - if: '$CI_COMMIT_TAG =~ /^\d+.\d+.\d+.*/'
  - if: $CI_PIPELINE_SOURCE == "schedule"
    when: never

# ------------------------------ Security

security:dependencies:
  stage: security
  interruptible: true
  needs: [ ]
  variables:
    TRIVY_CACHE_DIR: ".trivycache/"
  cache:
    paths:
      - .trivycache/
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      allow_failure: true
    - if: '$CI_COMMIT_TAG =~ /^\d+.\d+.\d+.*/'
      allow_failure: false
    - if: $CI_PIPELINE_SOURCE == "schedule"
      allow_failure: false
  artifacts:
    when: always
    reports:
      dependency_scanning: report.json
  script:
    - trivy repo ./ --exit-code 0
    - trivy repo ./ --exit-code 0 --format template --template "@/contrib/gitlab.tpl" --output report.json
    - trivy repo ./ --exit-code 1 --severity CRITICAL
  tags:
    - linux

# ------------------------------ Build

build:debug:
  stage: build
  rules:
    - *if-merge-request-or-main
  before_script:
    - export JAVA_HOME=/Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
  script:
    - ./gradlew
      clean
      linkDebugExecutable{MacosX64,MacosArm64,LinuxX64,LinuxArm64,MingwX64}
  tags:
    - macos

build:release:
  stage: build
  rules:
    - *if-release
  artifacts:
    paths:
      - rad/build/bin/**
    expire_in: 1 week
  before_script:
    - export JAVA_HOME=/Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
  script:
    - ./gradlew
      clean
      linkReleaseExecutable{MacosX64,MacosArm64,LinuxX64,LinuxArm64,MingwX64}
  tags:
    - macos

# ------------------------------ Publish

publish:
  stage: publish
  rules:
    - *if-release
  dependencies:
    - build:release
  script:
    - |
      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "rad/build/bin/linuxX64/releaseExecutable/rad.kexe" "${PACKAGE_REGISTRY_URL}/rad-linux-x64"
    - |
      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "rad/build/bin/linuxArm64/releaseExecutable/rad.kexe" "${PACKAGE_REGISTRY_URL}/rad-linux-arm64"
    - |
      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "rad/build/bin/macosX64/releaseExecutable/rad.kexe" "${PACKAGE_REGISTRY_URL}/rad-macos-x64"
    - |
      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "rad/build/bin/macosArm64/releaseExecutable/rad.kexe" "${PACKAGE_REGISTRY_URL}/rad-macos-arm64"
    - |
      curl --header "JOB-TOKEN: ${CI_JOB_TOKEN}" --upload-file "rad/build/bin/mingwX64/releaseExecutable/rad.exe" "${PACKAGE_REGISTRY_URL}/rad-windows-x64.exe"
  tags:
    - macos

# ------------------------------ Release

release:
  stage: release
  rules:
    - *if-release
  dependencies:
    - publish
  script:
    - echo "Running release job for $CI_COMMIT_TAG"
  release:
    tag_name: '$CI_COMMIT_TAG'
    description: '$CI_COMMIT_TAG'
    assets:
      links:
        - name: "Linux x64"
          url: ${PACKAGE_REGISTRY_URL}/rad-linux-x64
        - name: "Linux arm64"
          url: ${PACKAGE_REGISTRY_URL}/rad-linux-arm64
        - name: "macOS x64"
          url: ${PACKAGE_REGISTRY_URL}/rad-macos-x64
        - name: "macOS arm64"
          url: ${PACKAGE_REGISTRY_URL}/rad-macos-arm64
        - name: "Windows x64"
          url: ${PACKAGE_REGISTRY_URL}/rad-windows-x64.exe
  tags:
    - linux

# ------------------------------ Deploy

deploy:
  stage: deploy
  rules:
    - *if-release
  dependencies:
    - release
  script:
    - ssh root@duke.karmakrafts.local 'cd /home/tools/rad && ./deploy.sh'
    - echo "Rad service deployed (code $?)"
  tags:
    - macos