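---
# GitLab CI pipeline for labsync.
#
# Stages:
#   prepare – build/push the helper images (builder, security scanner) and
#             fetch the LightBurn artifact; image names are handed to later
#             jobs through dotenv reports.
#   check   – run the security scanner (scheduled/triggered pipelines only).
#   build   – build the squashfs images with packer and upload them to S3.
image: docker:latest

variables:
  GIT_STRATEGY: fetch
  GIT_SUBMODULE_STRATEGY: recursive
  # Quoted so that no YAML parser can read a version string as a number.
  PACKER_VERSION: "1.4.3"
  # Tracker / web seed are reached over plain http, so downloaders get no
  # transport integrity from these URLs; switch to https if the host offers it.
  ANNOUNCE: http://labsync.lab.fablab-nea.de:6969/announce
  WEBSEED: http://labsync.lab.fablab-nea.de/labsync/$CI_COMMIT_REF_NAME/$CI_PIPELINE_ID/images
  # Default (main-branch) tags; the prepare jobs override these per branch
  # and export the effective value through a dotenv report.
  DOCKER_IMAGE_BUILDER: ${CI_REGISTRY_IMAGE}/labsync-builder:main
  DOCKER_IMAGE_SECURITY_SCANNER: ${CI_REGISTRY_IMAGE}/security-scanner:main
  # Empty value disables TLS between the job container and the docker:dind
  # service (unencrypted daemon socket on the job-local service network).
  DOCKER_TLS_CERTDIR: ""

stages:
  - prepare
  - check
  - build

# Builds the builder image and pushes it under a per-branch tag.
dockerimage_builder:
  stage: prepare
  before_script:
    - apk add --no-cache make
  services:
    - docker:dind
  variables:
    # Per-branch tag so feature branches never overwrite the main image.
    DOCKER_IMAGE_BUILDER: ${CI_REGISTRY_IMAGE}/labsync-builder:$CI_COMMIT_REF_SLUG
  script:
    # Log in first: pulling from the private registry before authenticating
    # always fails and the `|| true` would silently hide that.
    # The token is fed on stdin so it never appears in process listings or
    # shell traces.
    - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"
    # Best-effort pull of the previous image (presumably used as build cache
    # by `make builderimg`; confirm in the Makefile). Missing image is fine.
    - docker pull $DOCKER_IMAGE_BUILDER || true
    - make builderimg
    - docker push $DOCKER_IMAGE_BUILDER
    # Hand the effective image name to downstream jobs.
    - echo "DOCKER_IMAGE_BUILDER=$DOCKER_IMAGE_BUILDER" >> build.env
  artifacts:
    reports:
      dotenv: build.env
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    # The source had an empty `if:` next to `changes:`; a rule with only
    # `changes:` is the supported form for "run when these paths changed".
    - changes:
        paths:
          - builder/**/*
        compare_to: main
      when: on_success

# Builds the security-scanner image and pushes it under a per-branch tag.
dockerimage_security_scanner:
  stage: prepare
  before_script:
    - apk add --no-cache make
  services:
    - docker:dind
  variables:
    # Per-branch tag, mirroring dockerimage_builder. Without this override
    # the job pushed the global `:main` tag from every branch while the
    # dotenv below advertised a `:$CI_COMMIT_REF_SLUG` tag that was never
    # pushed. Assumes `make secscanimg` tags from this variable the way
    # `make builderimg` appears to use DOCKER_IMAGE_BUILDER — confirm in
    # the Makefile.
    DOCKER_IMAGE_SECURITY_SCANNER: ${CI_REGISTRY_IMAGE}/security-scanner:$CI_COMMIT_REF_SLUG
  script:
    # Authenticate before the best-effort cache pull; token via stdin.
    - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"
    - docker pull $DOCKER_IMAGE_SECURITY_SCANNER || true
    - make secscanimg
    - docker push $DOCKER_IMAGE_SECURITY_SCANNER
    # Export exactly the tag that was pushed.
    - echo "DOCKER_IMAGE_SECURITY_SCANNER=$DOCKER_IMAGE_SECURITY_SCANNER" >> build.env
  artifacts:
    reports:
      dotenv: build.env
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
      when: on_success
    # See dockerimage_builder: `changes:`-only rule, empty `if:` dropped.
    - changes:
        paths:
          - security-scanner/**/*
        compare_to: main
      when: on_success

# Runs the scanner against $target. Only for scheduled or triggered pipelines
# that set task=security-scanner and a target.
security_scanner:
  stage: check
  # NOTE(review): whether a dotenv-provided value is honored in a downstream
  # job's `image:` depends on the GitLab version in use — confirm; otherwise
  # the global `:main` default applies here.
  image: $DOCKER_IMAGE_SECURITY_SCANNER
  script:
    # `set -x` echoes every command with expanded variables into the job
    # log; keep any secret-bearing command out of this script.
    - set -x
    # Scheme + host of the GitLab instance, derived from the project URL.
    - export GITLAB_URL="$(echo "$CI_PROJECT_URL" | grep -Eo '^https?://[^/]*')"
    - /code/venv/bin/python -m security_scanner $target
  only:
    refs:
      - schedules
      - triggers
    variables:
      - $task == "security-scanner"
      - $target

# Fetches the patched LightBurn build from a sibling project's job artifacts.
lightburn-download:
  stage: prepare
  image: quay.io/official-images/alpine
  script:
    - mkdir -p packer/ansible/roles/lightburn/files
    # JOB-TOKEN authenticates against the GitLab API; the whole command is
    # single-quoted so YAML leaves the inner double quotes alone.
    - 'wget -O packer/ansible/roles/lightburn/files/lightburn.zip --header "JOB-TOKEN: $CI_JOB_TOKEN" "${CI_SERVER_URL}/api/v4/projects/fablab%2Flightburn-patched/jobs/artifacts/main/download?job=patch-Linux64"'
  artifacts:
    paths:
      - packer/ansible/roles/lightburn/files/lightburn.zip
    # Short retention: the archive is only needed by this pipeline's build stage.
    expire_in: 4 hours

# Shared definition for the squashfs build jobs (merged in below via `<<:`).
.squashfs_template: &squashfs_template
  image: $DOCKER_IMAGE_BUILDER
  stage: build
  services:
    - docker:dind
  script:
    - echo DOCKER_IMAGE_BUILDER=$DOCKER_IMAGE_BUILDER
    - echo DOCKER_IMAGE_SECURITY_SCANNER=$DOCKER_IMAGE_SECURITY_SCANNER
    - scripts/packer.sh debian-bookworm
    # AWS_ENDPOINT_URL / AWS_BUCKET and the credentials are expected from
    # project CI variables (not defined in this file).
    - aws --endpoint-url "$AWS_ENDPOINT_URL" s3 cp images/ "s3://$AWS_BUCKET/$CI_COMMIT_REF_SLUG/$CI_JOB_ID/" --recursive --no-progress
  artifacts:
    paths:
      - images.txt
      - images/*.dpkg-list
      - images/*.initramfs
      - images/*.linux
      # The squashfs itself is not kept as a job artifact (it goes to S3).
      #- images/*.squashfs
      - images/*.torrent

# Fast, low-compression build for feature branches.
squashfs_featurebranch:
  <<: *squashfs_template
  variables:
    # Quoted: CI variables are strings, and this keeps parsers from retyping it.
    COMPRESSION_LEVEL: "4"
  except:
    variables:
      - $task == "security-scanner"
    refs:
      - main

# Full-compression build for main.
squashfs_main:
  <<: *squashfs_template
  variables:
    COMPRESSION_LEVEL: "15"
  only:
    refs:
      - main
  except:
    variables:
      - $task == "security-scanner"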