.gitlab-ci.yml

stages:
  - prepare
  - build
  - test
  - deploy

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

image:
  name: $CI_REGISTRY_IMAGE/gamsmiro-ci:latest


variables:
  BUILD_LINUX:
    value: 'yes'
    description: 'Build Linux (ignored on master) (yes/no)?'
  BUILD_WINDOWS:
    value: 'yes'
    description: 'Build Windows (ignored on master) (yes/no)?'
  BUILD_MACOS:
    value: 'yes'
    description: 'Build macOS (ignored on master) (yes/no)?'
  BUILD_MACOS_ARM:
    value: 'yes'
    description: 'Build macOS ARM (ignored on master) (yes/no)?'
  FORCE_BUILD_LINUX_BUILDER:
    value: 'no'
    description: 'Build Linux build image even when Dockerfile did not change (yes/no)?'
  FORCE_BUILD_WINDOWS_BUILDER:
    value: 'no'
    description: 'Build Windows build image even when Dockerfile did not change (yes/no)?'
  FORCE_RELEASE:
    value: 'no'
    description: 'Force release even if tests fail (yes/no)?'
  SKIP_TESTS:
    value: 'no'
    description: 'Skip tests on Windows/macOS (yes/no)?'
  MIRO_MAX_TEST_FAILURES:
    value: '1'
    description: 'Maximum number of tests allowed to fail before the job fails'
  SKIP_NOTARIZATION:
    value: 'no'
    description: 'Skip notarization of macOS installer (yes/no)?'
  BUILD_CI:
    value: 'no'
    description: 'Build CI image (yes/no)?'
  PUSH_UNSTABLE_SERVER_IMAGES:
    value: 'no'
    description: 'Push MIRO Server images to registry.gams.com (tagged as unstable on develop and feature on feature branches) (yes/no)?'


.assume_role: &assume_role
    - >
      STS=($(aws sts assume-role-with-web-identity
      --role-arn ${AWS_S3_ROLE_ARN}
      --role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}"
      --web-identity-token $ID_TOKEN
      --duration-seconds 3600
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]'
      --output text))
    - export AWS_ACCESS_KEY_ID="${STS[0]}"
    - export AWS_SECRET_ACCESS_KEY="${STS[1]}"
    - export AWS_SESSION_TOKEN="${STS[2]}"

prepare_all:
  tags:
    - linux
  stage: prepare
  image: curlimages/curl
  script:
    - 'echo "Building on branch: $CI_COMMIT_BRANCH"'
    - >
      if [[ "$CI_COMMIT_BRANCH" == "master" ]]; then
        if [[ `grep -m 1 -e 'MIROVersion' src/app.R | cut -f2 -d'"' | cut -f3 -d'.'` -ge "999" ]]; then
          echo "Cannot build release with patch number greater than or equal to 999"
          exit 1
        fi
        if [[ `curl -s https://gams.com/miro/latest.ver` == `grep -m 1 -e 'MIROVersion' src/app.R | cut -f2 -d'"' | tr . ,` ]]; then
          echo "Cannot build the same release twice. Please update version number"
          exit 1
        fi
      fi
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: always
    - if: '$CI_COMMIT_BRANCH == "develop"'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - if: '$CI_PIPELINE_SOURCE == "web"'
    - when: manual

build_build_image_linux:
  tags:
    - linux
  image: docker:20.10
  services:
    - docker:20.10-dind
  stage: prepare
  before_script:
    # this is to be able to pull and push images
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
    - apk update && apk add jq
  script:
    - cd ci/linux
    - docker build -t $CI_REGISTRY_IMAGE/builder-linux:latest --build-arg R_BASE_VERSION=`jq -r ".rVersion" ../../build-config.json` --build-arg OPENSSL_VERSION=`jq -r ".opensslVersion" ../../build-config.json` .
    - docker push $CI_REGISTRY_IMAGE/builder-linux:latest
  rules:
    - if: $FORCE_BUILD_LINUX_BUILDER == "yes"
    - if: '$CI_PIPELINE_SOURCE != "push"'
      when: never
    - changes:
        paths:
          - ci/linux/Dockerfile
        compare_to: develop


build_build_image_windows:
  tags:
    - windows-shell
  stage: prepare
  before_script:
    # this is to be able to pull and push images
    - New-Item -ItemType Directory -Force -Path %USERPROFILE%/.docker
    - $env:DOCKER_AUTH_CONFIG > %USERPROFILE%/.docker/config.json
  script:
    - $buildConfig=Get-Content build-config.json | ConvertFrom-Json
    - $rVersion=$buildConfig.rVersion
    - $gamsVersion=$buildConfig.gamsVersion
    - cd ci/windows
    - docker build -t $env:CI_REGISTRY_IMAGE/builder-windows:latest --build-arg R_VERSION=$rVersion --build-arg GAMS_VERSION=$gamsVersion .
    - docker push $env:CI_REGISTRY_IMAGE/builder-windows:latest
  rules:
    - if: $FORCE_BUILD_WINDOWS_BUILDER == "yes"
    - if: '$CI_PIPELINE_SOURCE != "push"'
      when: never
    - changes:
        paths:
          - ci/windows/Dockerfile
        compare_to: develop

lint_job:
  tags:
   - linux
  stage: test
  before_script:
    - mkdir -p $R_CACHE_ROOTPATH
    - git config --global --add safe.directory "$CI_PROJECT_DIR"
    - yarn install
  script:
   - pre-commit run --all-files
   - ./scripts/fix_copyright.sh
  variables:
    PRE_COMMIT_HOME: ${CI_PROJECT_DIR}/.cache/pre-commit
    R_CACHE_ROOTPATH: ${PRE_COMMIT_HOME}/R.cache
  cache:
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules/
  needs: []
  rules:
    - if: $CI_MERGE_REQUEST_ID
      when: always

build_linux_job:
  tags:
    - linux
    - puma
  stage: build
  services:
    - docker:20.10-dind
  image: $CI_REGISTRY_IMAGE/builder-linux:latest
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_VERIFY: 1
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_HOST: tcp://docker:2376
    GIT_SUBMODULE_STRATEGY: normal
    NODE_OPTIONS: --openssl-legacy-provider
  before_script:
    # this is to be able to pull and push images
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
    - yarn install
  script:
    - '[[ "$CI_COMMIT_BRANCH" != "master" ]] && [[ "$BUILD_LINUX" == "no" ]] && [[ "$BUILD_CI" == "no" ]] && [[ "$PUSH_UNSTABLE_SERVER_IMAGES" == "no" ]] && echo "Skipping Linux build" && exit 0'
    - yarn dist
    - >
      if [[ "$CI_COMMIT_BRANCH" == "master" ]]; then
        pushd server
            python3 miro_server.py build
            python3 miro_server.py push --unstable --custom-tag latest
        popd
      elif [[ "$CI_COMMIT_BRANCH" == "develop" ]] || [[ "$CI_COMMIT_BRANCH" == "rc" ]] || [[ "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" == "rc" ]]; then
        pushd server
            python3 miro_server.py build
            python3 miro_server.py push --unstable --custom-tag unstable
        popd
      elif [[ "$PUSH_UNSTABLE_SERVER_IMAGES" != "no" ]]; then
        pushd server
            python3 miro_server.py build
            python3 miro_server.py push --unstable --custom-tag feature
        popd
      elif [[ "$BUILD_CI" != "no" ]]; then
        pushd server
          python3 miro_server.py build --module ui
        popd
      fi
    - >
      if [[ "$BUILD_CI" != "no" ]]; then
        yarn docker-build-ci
        docker tag gamsmiro-ci $CI_REGISTRY_IMAGE/gamsmiro-ci:latest
        docker push $CI_REGISTRY_IMAGE/gamsmiro-ci:latest
        docker tag gamsmiro-server-ci $CI_REGISTRY_IMAGE/gamsmiro-server-ci:latest
        docker push $CI_REGISTRY_IMAGE/gamsmiro-server-ci:latest
      fi
  artifacts:
    paths:
      - dist/*.AppImage
    expire_in: 1 week
  cache:
    - key: build-cache
      paths:
        - build/lib_devel/
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules/
    - key:
        files:
          - src/package-lock.json
      paths:
        - src/node_modules/
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [prepare_all]


dependency_scanning_js:
  tags:
   - linux
  stage: test
  script:
    - echo -n '{"launcher":' > npm-audit-report.json
    - npm i --package-lock-only --ignore-scripts
    - npm audit --omit=dev --json | tr -d '\n' >> npm-audit-report.json || true
    - echo -n ',"ui":' >> npm-audit-report.json
    - |
        pushd src
          npm audit --omit=dev --json | tr -d '\n' >> ../npm-audit-report.json || true
        popd
    - echo -n ',"server_admin":' >> npm-audit-report.json
    - |
        pushd server/admin
          npm i --package-lock-only --ignore-scripts
          npm audit --omit=dev --json | tr -d '\n' >> ../../npm-audit-report.json || true
        popd
    - echo -n '}' >> npm-audit-report.json
  artifacts:
    paths:
      - npm-audit-report.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


dependency_scanning_r:
  tags:
   - linux
  stage: test
  script:
    - Rscript scripts/checkVuln.R
  artifacts:
    paths:
      - r-audit-report.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


dependency_scanning_python:
  tags:
    - linux
  stage: test
  script:
    - pip-audit -r server/auth/requirements.txt -f json > audit-auth.json || true
    - python3 ./ci/create_pip_audit_report.py pip-audit-report.json audit-auth.json
  artifacts:
    paths:
      - pip-audit-report.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


container_scanning:
  tags:
    - linux
  variables:
    CS_DOCKERFILE_PATH: "server/ui/Dockerfile"
    GIT_STRATEGY: "fetch"
    CS_IGNORE_UNFIXED: "true"
  before_script:
    - IMAGE_TAG="latest" && [[ "$CI_COMMIT_BRANCH" != "master" ]] && IMAGE_TAG="feature" && ([[ "$CI_COMMIT_BRANCH" == "develop" ]] || [[ "$CI_COMMIT_BRANCH" == "rc" ]] || [[ "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" == "rc" ]]) && IMAGE_TAG=unstable
    - export CS_IMAGE=$CI_REGISTRY_IMAGE/miro-ui:$IMAGE_TAG
  after_script:
    - cp gl-container-scanning-report.json gl-container-scanning-report-ui.json
  artifacts:
    paths:
      - gl-container-scanning-report-ui.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


container_scanning_admin:
  extends: container_scanning
  variables:
    CS_DOCKERFILE_PATH: "server/admin/Dockerfile"
    GIT_STRATEGY: "fetch"
    CS_IGNORE_UNFIXED: "true"
  before_script:
    - IMAGE_TAG="latest" && [[ "$CI_COMMIT_BRANCH" != "master" ]] && IMAGE_TAG="feature" && ([[ "$CI_COMMIT_BRANCH" == "develop" ]] || [[ "$CI_COMMIT_BRANCH" == "rc" ]] || [[ "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" == "rc" ]]) && IMAGE_TAG=unstable
    - export CS_IMAGE=$CI_REGISTRY_IMAGE/miro-admin:$IMAGE_TAG
  after_script:
    - cp gl-container-scanning-report.json gl-container-scanning-report-admin.json
  artifacts:
    paths:
      - gl-container-scanning-report-admin.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


container_scanning_auth:
  extends: container_scanning
  variables:
    CS_DOCKERFILE_PATH: "server/auth/Dockerfile"
    GIT_STRATEGY: "fetch"
    CS_IGNORE_UNFIXED: "true"
  before_script:
    - IMAGE_TAG="latest" && [[ "$CI_COMMIT_BRANCH" != "master" ]] && IMAGE_TAG="feature" && ([[ "$CI_COMMIT_BRANCH" == "develop" ]] || [[ "$CI_COMMIT_BRANCH" == "rc" ]] || [[ "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" == "rc" ]]) && IMAGE_TAG=unstable
    - export CS_IMAGE=$CI_REGISTRY_IMAGE/miro-auth:$IMAGE_TAG
  after_script:
    - cp gl-container-scanning-report.json gl-container-scanning-report-auth.json
  artifacts:
    paths:
      - gl-container-scanning-report-auth.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


container_scanning_proxy:
  extends: container_scanning
  variables:
    CS_DOCKERFILE_PATH: "server/proxy/Dockerfile"
    GIT_STRATEGY: "fetch"
  before_script:
    - IMAGE_TAG="latest" && [[ "$CI_COMMIT_BRANCH" != "master" ]] && IMAGE_TAG="feature" && ([[ "$CI_COMMIT_BRANCH" == "develop" ]] || [[ "$CI_COMMIT_BRANCH" == "rc" ]] || [[ "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" == "rc" ]]) && IMAGE_TAG=unstable
    - export CS_IMAGE=$CI_REGISTRY_IMAGE/miro-proxy:$IMAGE_TAG
  after_script:
    - cp gl-container-scanning-report.json gl-container-scanning-report-proxy.json
  artifacts:
    paths:
      - gl-container-scanning-report-proxy.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


container_scanning_sproxy:
  extends: container_scanning
  variables:
    CS_DOCKERFILE_PATH: "server/docker-socket-proxy/Dockerfile"
    GIT_STRATEGY: "fetch"
  before_script:
    - IMAGE_TAG="latest" && [[ "$CI_COMMIT_BRANCH" != "master" ]] && IMAGE_TAG="feature" && ([[ "$CI_COMMIT_BRANCH" == "develop" ]] || [[ "$CI_COMMIT_BRANCH" == "rc" ]] || [[ "$CI_MERGE_REQUEST_SOURCE_BRANCH_NAME" == "rc" ]]) && IMAGE_TAG=unstable
    - export CS_IMAGE=$CI_REGISTRY_IMAGE/miro-sproxy:$IMAGE_TAG
  after_script:
    - cp gl-container-scanning-report.json gl-container-scanning-report-sproxy.json
  artifacts:
    paths:
      - gl-container-scanning-report-sproxy.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


container_scanning_db:
  extends: container_scanning
  variables:
    CS_IMAGE: "postgres:16.1-alpine"
  after_script:
    - cp gl-container-scanning-report.json gl-container-scanning-report-db.json
  artifacts:
    paths:
      - gl-container-scanning-report-db.json
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


create_vulnerability_report:
  tags:
    - linux
  stage: test
  needs:
    - dependency_scanning_js
    - dependency_scanning_r
    - dependency_scanning_python
    - container_scanning
    - container_scanning_admin
    - container_scanning_auth
    - container_scanning_proxy
    - container_scanning_sproxy
  script:
    - python3 ci/create_vuln_report.py
  artifacts:
    paths:
      - ci-vuln-report.html
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success


build_windows_job:
  tags:
    - windows
  stage: build
  image: $CI_REGISTRY_IMAGE/builder-windows:latest
  variables:
    CSC_LINK: cert.p12
    GIT_SUBMODULE_STRATEGY: normal
  before_script:
    - yarn install
    - '[IO.File]::WriteAllBytes([io.path]::Combine((Get-Location).path, $env:CSC_LINK), [Convert]::FromBase64String($env:WIN_CERT_FILE_B64))'
  script:
    - 'if ("$env:CI_COMMIT_BRANCH" -ne "master" -and "$env:BUILD_WINDOWS" -eq "no") { "Skipping Windows build"; Exit }'
    - yarn dist
  artifacts:
    paths:
      - dist/*.exe
    expire_in: 1 week
  cache:
    - key:
        files:
          - src/miro-pkg-lock.csv
      paths:
        - r
    - key: build-cache
      paths:
        - build/lib_devel/
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules
    - key:
        files:
          - src/package-lock.json
      paths:
        - src/node_modules/
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [prepare_all]


build_macos_job:
  tags:
    - macos
  stage: build
  variables:
    OPENSSL_PKG_CONFIG_PATH: ${OPENSSL_PKG_CONFIG_PATH_MACOS}
    GIT_SUBMODULE_STRATEGY: normal
  before_script:
    - yarn install
  script:
    - '[[ "$CI_COMMIT_BRANCH" != "master" ]] && [[ "$BUILD_MACOS" == "no" ]] && echo "Skipping macOS build" && exit 0'
    - export PATH="/usr/bin:${PATH}"
    - yarn dist
  artifacts:
    paths:
      - dist/*.dmg
    expire_in: 1 week
  cache:
    - key:
        files:
          - src/miro-pkg-lock.csv
      paths:
        - r
      policy: push
    - key: build-cache
      paths:
        - build/lib_devel/
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules
    - key:
        files:
          - src/package-lock.json
      paths:
        - src/node_modules/
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [prepare_all]


build_macos_arm_job:
  tags:
    - macos-arm64
  stage: build
  variables:
    OPENSSL_PKG_CONFIG_PATH: ${OPENSSL_PKG_CONFIG_PATH_MACOS}
    GIT_SUBMODULE_STRATEGY: normal
  before_script:
    - yarn install
  script:
    - '[[ "$CI_COMMIT_BRANCH" != "master" ]] && [[ "$BUILD_MACOS_ARM" == "no" ]] && echo "Skipping macOS ARM build" && exit 0'
    - export PATH="/usr/bin:${PATH}"
    - yarn dist
    - mkdir dist/arm && mv dist/*.dmg dist/arm
  artifacts:
    paths:
      - dist/arm/*.dmg
    expire_in: 1 week
  cache:
    - key:
        files:
          - src/miro-pkg-lock.csv
      paths:
        - r
      policy: push
    - key: build-cache
      paths:
        - build/lib_devel/
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules
    - key:
        files:
          - src/package-lock.json
      paths:
        - src/node_modules/
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [prepare_all]


test_windows_job:
  tags:
    - windows
  stage: test
  image: $CI_REGISTRY_IMAGE/builder-windows:latest
  before_script:
    - yarn install
  script:
    - 'if ("$env:SKIP_TESTS" -eq "yes") { "Skipping tests"; Exit }'
    - 'if ("$env:CI_COMMIT_BRANCH" -ne "master" -and "$env:BUILD_WINDOWS" -eq "no") { "Skipping Windows build"; Exit }'
    - yarn test gams_sys_dir=$env:GAMS_SYS_DIR
  dependencies: []
  cache:
    - key:
        files:
          - src/miro-pkg-lock.csv
      paths:
        - r
      policy: pull
    - key: build-cache
      paths:
        - build/lib_devel/
      policy: pull
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules/
      policy: pull
  artifacts:
    when: always
    reports:
      junit: src/test-out.xml
    paths:
      - src/tests/testthat/_snaps
      - src/tests/logs-tests
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [build_windows_job]


test_macos_job:
  tags:
    - macos
  stage: test
  variables:
    LANG: en_US.UTF-8
  before_script:
    - yarn install
  script:
    - '[[ "$SKIP_TESTS" == "yes" ]] && echo "Skipping tests" && exit 0'
    - '[[ "$CI_COMMIT_BRANCH" != "master" ]] && [[ "$BUILD_MACOS" == "no" ]] && echo "Skipping macOS build" && exit 0'
    - yarn test gams_sys_dir=${GAMS_PATH_MACOS}
  dependencies: []
  cache:
    - key:
        files:
          - src/miro-pkg-lock.csv
      paths:
        - r
      policy: pull
    - key: build-cache
      paths:
        - build/lib_devel/
      policy: pull
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules/
      policy: pull
  artifacts:
    when: always
    reports:
      junit: src/test-out.xml
    paths:
      - src/tests/testthat/_snaps
      - src/tests/logs-tests
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [build_macos_job]


test_macos_arm_job:
  tags:
    - macos-arm64
  stage: test
  variables:
    LANG: en_US.UTF-8
  before_script:
    - yarn install
  script:
    - '[[ "$SKIP_TESTS" == "yes" ]] && echo "Skipping tests" && exit 0'
    - '[[ "$CI_COMMIT_BRANCH" != "master" ]] && [[ "$BUILD_MACOS_ARM" == "no" ]] && echo "Skipping macOS ARM build" && exit 0'
    - yarn test gams_sys_dir=${GAMS_PATH_MACOS_ARM}
  dependencies: []
  cache:
    - key:
        files:
          - src/miro-pkg-lock.csv
      policy: pull
      paths:
        - r
    - key: build-cache
      paths:
        - build/lib_devel/
      policy: pull
    - key:
        files:
          - yarn.lock
      paths:
        - node_modules/
      policy: pull
  artifacts:
    when: always
    reports:
      junit: src/test-out.xml
    paths:
      - src/tests/testthat/_snaps
      - src/tests/logs-tests
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_TAG
      when: never
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "master"'
      when: never
    - when: on_success
  needs: [build_macos_arm_job]


test_job_api:
  tags:
    - linux
  stage: test
  image: docker:20.10
  services:
    - name: docker:20.10-dind
    - name: postgres:16.1-alpine
      alias: postgres
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: "/certs"
    FF_NETWORK_PER_BUILD: "true"
    GMS_MIRO_DATABASE_HOST: postgres
    GMS_MIRO_DATABASE: miroapitests
    GMS_MIRO_DATABASE_USER: mirotests
    GMS_MIRO_DATABASE_PWD: mirotests
    POSTGRES_DB: $GMS_MIRO_DATABASE
    POSTGRES_USER: $GMS_MIRO_DATABASE_USER
    POSTGRES_PASSWORD: $GMS_MIRO_DATABASE_PWD
    POSTGRES_HOST_AUTH_METHOD: trust
  before_script:
    # this is to be able to pull and push images
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
  script:
    - docker pull ${CI_REGISTRY_IMAGE}/miro-auth-test:unstable && docker tag ${CI_REGISTRY_IMAGE}/miro-auth-test:unstable miro-auth-test || exit 1
    - ./test/run-api-tests.sh
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
      when: on_success
    - if: $CI_MERGE_REQUEST_TITLE =~ /^Draft:/
      when: manual
    - if: $CI_MERGE_REQUEST_ID

test_job:
  tags:
    - linux
  stage: test
  services:
    - name: postgres:16.1-alpine
  variables:
    MIRO_DB_TYPE: postgres
    MIRO_DB_HOST: postgres
    MIRO_DB_NAME: mirotests
    MIRO_DB_USERNAME: mirotests
    MIRO_DB_PASSWORD: mirotests
    POSTGRES_DB: $MIRO_DB_NAME
    POSTGRES_USER: $MIRO_DB_USERNAME
    POSTGRES_PASSWORD: $MIRO_DB_PASSWORD
    POSTGRES_HOST_AUTH_METHOD: trust
  before_script:
    - source /etc/profile.d/ci.sh
  script:
    - mchecklic
    - mtestall
  interruptible: true
  artifacts:
    when: always
    reports:
      junit: src/test-out.xml
    paths:
      - src/tests/testthat/_snaps
      - src/tests/logs-tests
    expire_in: 1 week
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
      when: on_success
    - if: $CI_MERGE_REQUEST_TITLE =~ /^Draft:/
      when: manual
    - if: $CI_MERGE_REQUEST_ID


test_job_gamspy:
  tags:
    - linux
  stage: test
  image: python
  before_script:
    - pip install --force-reinstall git+https://github.com/GAMS-dev/gamspy.git@develop
  script:
    - ./scripts/test_gamspy_models.sh
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
      when: on_success
    - if: $CI_MERGE_REQUEST_TITLE =~ /^Draft:/
      when: manual
    - if: $CI_MERGE_REQUEST_ID


test_job_miro_server:
  tags:
    - linux
    - puma
  stage: test
  image: $CI_REGISTRY_IMAGE/gamsmiro-server-ci:latest
  services:
    - docker:27-dind
    - selenium/standalone-chrome
  variables:
    MIRO_PROXY_URL: http://docker:8080
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_VERIFY: 1
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_HOST: tcp://docker:2376
    FF_NETWORK_PER_BUILD: "true"
  before_script:
    # this is to be able to pull and push images
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
  script:
    - ./scripts/test_miro_server.sh
  artifacts:
    when: always
    paths:
      - miro_server_all_logs.txt
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'
      when: on_success
    - if: $CI_MERGE_REQUEST_TITLE =~ /^Draft:/
      when: manual
    - if: $CI_MERGE_REQUEST_ID



upload_cloudfront:
  tags:
    - linux
  stage: deploy
  image: $CI_REGISTRY_IMAGE/builder-linux:latest
  id_tokens:
      ID_TOKEN:
        aud: ${S3_OIDC_AUD}
  script:
    - *assume_role
    - echo "MIRO_SHA_HASH_WIN=`sha256sum dist/*.exe |cut -d ' ' -f1`" > .hashes.txt
    - echo "MIRO_SHA_HASH_MAC_ARM=`sha256sum dist/arm/*.dmg |cut -d ' ' -f1`" >> .hashes.txt
    - echo "MIRO_SHA_HASH_MAC_X86=`sha256sum dist/*.dmg |cut -d ' ' -f1`" >> .hashes.txt
    - echo "MIRO_SHA_HASH_LINUX=`sha256sum dist/*.AppImage |cut -d ' ' -f1`" >> .hashes.txt
    - ./ci/s3_upload_artifacts.sh
  artifacts:
    paths:
      - .hashes.txt
    expire_in: 1 week
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: on_success

upload_dockerhub:
  tags:
    - linux
  stage: deploy
  services:
    - docker:20.10-dind
  image: $CI_REGISTRY_IMAGE/builder-linux:latest
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_VERIFY: 1
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_HOST: tcp://docker:2376
  before_script:
    # this is to be able to pull and push images
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
  script:
    - echo -e "\e[0Ksection_start:`date +%s`:download_image_section[collapsed=true]\r\e[0KDownloading images section"
    - cd server && python3 miro_server.py download ${CI_REGISTRY_IMAGE} && cd ..
    - echo -e "\e[0Ksection_end:`date +%s`:download_image_section\r\e[0K"
    - cd server && python3 miro_server.py push && cd ..
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: on_success

update_doc_job_release:
  tags:
    - linux
  stage: deploy
  services:
    - docker:20.10-dind
  image: $CI_REGISTRY_IMAGE/builder-linux:latest
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_VERIFY: 1
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_CERT_PATH: "/certs/client"
    DOCKER_HOST: tcp://docker:2376
  before_script:
    - mkdir -p $HOME/.docker
    - echo $DOCKER_AUTH_CONFIG > $HOME/.docker/config.json
    - git config --global user.email "puma@noreply.gams.com"
    - git config --global user.name "Gitlab Runner (puma)"
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - printf '#!/bin/sh\necho "$SSH_PRIVATE_KEY_GAMSCOM_PASSPHRASE"' > ~/.ssh/.print_ssh_password
    - chmod 700 ~/.ssh/.print_ssh_password
    - chmod +x ~/.ssh/.print_ssh_password
    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY_GAMSCOM" | tr -d '\r' | DISPLAY=":0.0" SSH_ASKPASS=~/.ssh/.print_ssh_password setsid ssh-add - > /dev/null
  script:
    - docker pull ${CI_REGISTRY_IMAGE}/miro-auth:latest && docker tag ${CI_REGISTRY_IMAGE}/miro-auth:latest miro-auth || exit 1
    - ./ci/push_docs.sh
    - ./ci/update_website.sh
  dependencies: [upload_cloudfront]
  needs: [upload_cloudfront, upload_dockerhub]
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: on_success

update_doc_job:
  tags:
    - linux
  stage: deploy
  before_script:
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - printf '#!/bin/sh\necho "$SSH_PRIVATE_KEY_GAMSCOM_STAGING_PASSPHRASE"' > ~/.ssh/.print_ssh_password
    - chmod 700 ~/.ssh/.print_ssh_password
    - chmod +x ~/.ssh/.print_ssh_password
    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
    - chmod 644 ~/.ssh/known_hosts
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY_GAMSCOM_STAGING" | tr -d '\r' | DISPLAY=":0.0" SSH_ASKPASS=~/.ssh/.print_ssh_password setsid ssh-add - > /dev/null
  script:
    - rsync -Orlptvz doc/* staging@gams.com:/var/www/html/staging.gams.com/public_html/miro
  rules:
    - if: $CI_MERGE_REQUEST_ID
      when: always
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: always
    - if: '$CI_COMMIT_BRANCH == "develop"'
      when: always
    - when: manual
    - allow_failure: true
  needs: []