.gitlab-ci.yml

image: $CI_REGISTRY/procivis/one/one-operations/core-base:1.81.0-0.1

include:
  - local: "docs/docs.gitlab-ci.yml"
  - project: "procivis/one/one-operations"
    file:
      - "gitlab/docker.gitlab-ci.yml"
      - "gitlab/github.gitlab-ci.yml"
      - "gitlab/rules.gitlab-ci.yml"
      - "gitlab/ci-tools.gitlab-ci.yml"

variables:
  DOCKER_DRIVER: overlay2
  DEPENDENCY_TRACK_PROJECT_NAME: "ONE-Core"
  CI_TAG_PATTERN: /^v[0-9]+\.[0-9]+\.[0-9]+-.+$/
  GITHUB_PROJECT: "procivis/one-core"
  GITHUB_TAG_PATTERN: /^v[0-9]+\.[0-9]+\.[0-9]+-.+$/
  CARGO_TARGET_DIR: "/build-cache/target"

  # Required variables in GitLab config:
  # - AAD_SERVICE_PRINCIPAL_CLIENT_ID: Azure Active directory Application id. Use for RBAC SP kubelogin
  # - AAD_SERVICE_PRINCIPAL_CLIENT_SECRET: Application secret. Use for RBAC SP kubelogin
  # - AD_TENANT_ID: Azure Active Directory Tenant ID
  # - RESOURCE_GROUP: Azure Resource group where AKS deployed
  # - CLUSTER_NAME: AKS cluster name
  # - DEMO_RESOURCE_GROUP: Azure Resource group where AKS deployed
  # - DEMO_CLUSTER_NAME: AKS cluster name
  # - DOCKER_AUTH_CONFIG: Pull image from private repository
  # - BITRISE_API_ACCESS_TOKEN: Bitrise access token for IOS sdk build
  # - AZURE_STORAGE_ACCOUNT: storage account for sdk build upload
  # - AZURE_STORAGE_KEY: storage account key
  # - PGP_PRIVATE_KEY: helm-secrets
  # - DEPENDENCY_TRACK_BASE_URL: Base url for SBOM scanning
  # - DEPENDENCY_TRACK_API_KEY: Api key for api access

workflow:
  rules:
    - if: $CI_COMMIT_BRANCH
    - if: $CI_COMMIT_TAG
  auto_cancel:
    on_new_commit: conservative

stages:
  - build
  - test
  - docs
  - tests
  - scan
  - publish
  - deploy
  - sdk_build
  - sdk_artifact
  - e2e_tests
  - api_tests
  - github
  - sync_with_jira

.app_settings: &app_settings
  - APP_FLAVOR=${APP_FLAVOR:-$(echo $CI_COMMIT_TAG | sed -n "s/^v.*-\(.*\)$/\1/p")}
  - APP_FLAVOR=${APP_FLAVOR:-procivis}
  - APP_VERSION=$(echo $CI_COMMIT_TAG | sed -n "s/^\(v.*\)-.*$/\1/p")
  - APP_VERSION=${APP_VERSION:-$CI_COMMIT_REF_SLUG-$CI_COMMIT_SHORT_SHA}
  - IMAGE_NAME=$CI_REGISTRY_IMAGE/$APP_FLAVOR
  - IMAGE_TAG=$IMAGE_NAME:$APP_VERSION
  - D_TRACK_PROJECT_VERSION=${CI_COMMIT_TAG:-$CI_COMMIT_REF_SLUG}
  - DEPLOY_IMAGE_TAG=$APP_VERSION

before_script:
  - *app_settings

.only_main_or_tag_or_manual:
  rules:
    - !reference [.rule:only_main_or_tag, rules]
    - when: manual

.rule:run_tests:
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG =~ $CI_TAG_PATTERN
      when: never
    - when: manual

.rule:except_main_branch:
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG =~ $CI_TAG_PATTERN
      when: never
    - when: on_success

.cargo_build:
  script:
    - cargo build --release
  after_script:
    - mkdir -p target/release
    - mv ${CARGO_TARGET_DIR}/release/core-server target/release/core-server
  artifacts:
    expire_in: 1 hour
    paths:
      - target/release/core-server

.cargo_tests:
  stage: test
  variables:
    # The default amount of codegen-units (256 for dev builds) vastly increases
    # the RAM usage during compilation, hence we limit it in CI
    RUSTFLAGS: "-C codegen-units=4"
  script:
    - cargo llvm-cov --no-clean --workspace --lcov --ignore-filename-regex=".*test.*\.rs$|tests/.*\.rs$|migration/.*\.rs$" --output-path lcov.info
    - cargo llvm-cov report --cobertura --output-path cobertura.xml
    - cargo llvm-cov report
  coverage: '/^TOTAL\s+\d+\s+\d+\s+(?:\d+\.\d+)%\s+\d+\s+\d+\s+(?:\d+\.\d+)%\s+\d+\s+\d+\s+(\d+\.\d+)%/'
  artifacts:
    expire_in: 1 day
    when: always
    paths:
      - lcov.info
    reports:
      coverage_report:
        coverage_format: cobertura
        path: cobertura.xml

.run_e2e_tests:
  variables:
    CORE_IMAGE_TAG: ${APP_VERSION}
  trigger:
    project: procivis/one/one-e2e-tests
    branch: main
    strategy: depend

.run_api_tests:
  variables:
    CORE_IMAGE_TAG: ${APP_VERSION}
    API_TEST_RUN_CORE: true
    API_TEST_RUN_BFF: false
  trigger:
    project: procivis/one/one-tests
    branch: main
    strategy: depend


build:
  stage: build
  extends:
    - .cargo_build
    - .rule:only_main_or_tag

tests:mariadb:
  interruptible: true
  needs: []
  extends:
    - .cargo_tests
  variables:
    MYSQL_DATABASE: core_db
    MARIADB_ROOT_PASSWORD: root_password
    ONE_app__databaseUrl: "mysql://root:${MARIADB_ROOT_PASSWORD}@mariadb:3306/${MYSQL_DATABASE}"
  services:
    - alias: mariadb
      name: mariadb:10.9
      pull_policy: always
  when: manual
  allow_failure: true
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG =~ $CI_TAG_PATTERN
      when: always
    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      when: manual

tests:sqlite:
  interruptible: true
  needs: []
  extends:
    - .cargo_tests
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH || $CI_COMMIT_TAG =~ $CI_TAG_PATTERN
      when: always
    - if: $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH
      when: always

linter:clippy:
  interruptible: true
  stage: test
  needs: []
  script:
    - cargo clippy --all-targets --message-format=json -- -D warnings > clippy.json
    - cargo clippy --package sql-data-provider --message-format=json -- -W clippy::expect_used -W clippy::panic -W clippy::unwrap_used >> clippy.json
  artifacts:
    expire_in: 1 day
    when: always
    paths:
      - clippy.json

linter:rustfmt:
  interruptible: true
  stage: test
  needs: []
  script:
    - TOOLCHAIN_VERSION=$(rustup toolchain list | grep nightly | head -n1 | awk '{print $1}')
    - cargo +$TOOLCHAIN_VERSION fmt --all -- --check

linter:dependencies:
  interruptible: true
  stage: test
  script:
    - cargo deny --format json check 2> deny.json || true
    - cargo deny check
  artifacts:
    expire_in: 1 day
    when: always
    paths:
      - deny.json

sonarqube-check:
  stage: test
  needs:
    - job: linter:clippy
      artifacts: true
    - job: tests:mariadb
      artifacts: true
  image:
    name: sonarsource/sonar-scanner-cli:latest
    entrypoint: [""]
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
    GIT_DEPTH: "0" # Tells git to fetch all the branches of the project, required by the analysis task
  script:
    - sonar-scanner
  allow_failure: true
  extends:
    - .rule:only_main_or_tag

publish:
  stage: publish
  needs:
    - job: build
      artifacts: true
  extends:
    - .docker_publish
    - .rule:only_main_or_tag

sdk:ios:bitrise:
  stage: sdk_build
  image: $CI_REGISTRY/procivis/one/one-operations/bitrise-builder:0.2.0
  needs: []
  when: manual
  variables:
    # ONE-wallet project on Bitrise
    BITRISE_PROJECT_SLUG: 6ee8c26f-6d7b-4bcb-8ddc-be1ba3cd2687
    BITRISE_WORKFLOW: iOS_Core_SDK
  script:
    - >
      /etc/gitrise.sh
      --access-token $BITRISE_API_ACCESS_TOKEN
      --slug $BITRISE_PROJECT_SLUG
      --workflow $BITRISE_WORKFLOW
      --commit "$CI_COMMIT_SHA"
      --env "CI_PIPELINE_ID:$CI_PIPELINE_ID"
      --output "artifacts"
  artifacts:
    paths:
      - artifacts
    expire_in: 10 days

sdk:android:build:
  services:
    - docker:dind
  stage: sdk_build
  needs: []
  when: manual
  script:
    - export HOSTNAME=$(docker ps -ql)
    - export CROSS_CONTAINER_OPTS='--env="CI_PIPELINE_ID='$CI_PIPELINE_ID'"'
    - makers build_android
  after_script:
    - mkdir -p target/bindings/android
    - mv ${CARGO_TARGET_DIR}/bindings/android target/bindings/android
  artifacts:
    paths:
      - target/bindings/android
    expire_in: 5 days

sdk:upload_artifacts:
  stage: sdk_artifact
  image: mcr.microsoft.com/azure-cli
  needs:
    - job: sdk:android:build
      artifacts: true
    - job: sdk:ios:bitrise
      artifacts: true
  variables:
    AZURE_CONTAINER_NAME: "core-sdk"
    ANDROID_BUILD_SOURCE_PATH: "target/bindings/android"
    ANDROID_CONTAINER_PATH: "android/${CI_PIPELINE_ID}"
    ANDROID_SDK_DEBUG_FILE: "onecore-debug.aar"
    ANDROID_SDK_RELEASE_FILE: "onecore-release.aar"
    IOS_CONTAINER_PATH: "ios/${CI_PIPELINE_ID}"
    IOS_BUILD_SOURCE_PATH: "artifacts"
    IOS_BUILD_FILE: "deploy.zip"
    AZURE_STORAGE_URL: "https://onetfstatestorage.blob.core.windows.net"
  script:
    # https://learn.microsoft.com/en-us/cli/azure/storage/blob?view=azure-cli-latest#az-storage-blob-download
    - ANDROID_CONTAINER_PATH_DEBUG=$ANDROID_CONTAINER_PATH/$ANDROID_SDK_DEBUG_FILE
    - ANDROID_CONTAINER_PATH_RELEASE=$ANDROID_CONTAINER_PATH/$ANDROID_SDK_RELEASE_FILE
    - IOS_CONTAINER_PATH=$IOS_CONTAINER_PATH/$IOS_BUILD_FILE
    # Upload Android debug file
    - az storage blob upload --overwrite -c $AZURE_CONTAINER_NAME -n $ANDROID_CONTAINER_PATH_DEBUG -f $ANDROID_BUILD_SOURCE_PATH/$ANDROID_SDK_DEBUG_FILE
    # Upload Android release file
    - az storage blob upload --overwrite -c $AZURE_CONTAINER_NAME -n $ANDROID_CONTAINER_PATH_RELEASE -f $ANDROID_BUILD_SOURCE_PATH/$ANDROID_SDK_RELEASE_FILE
    # Upload IOS zip file
    - az storage blob upload --overwrite -c $AZURE_CONTAINER_NAME -n $IOS_CONTAINER_PATH -f $IOS_BUILD_SOURCE_PATH/$IOS_BUILD_FILE
    # Prepare variables
    - |
      ANDROID_DEBUG_LINK=${AZURE_STORAGE_URL}/$AZURE_CONTAINER_NAME/$ANDROID_CONTAINER_PATH_DEBUG
      ANDROID_DEBUG_SHA1=$(sha1sum -b $ANDROID_BUILD_SOURCE_PATH/$ANDROID_SDK_DEBUG_FILE | cut -d " " -f1)
      ANDROID_RELEASE_LINK=${AZURE_STORAGE_URL}/$AZURE_CONTAINER_NAME/$ANDROID_CONTAINER_PATH_RELEASE
      ANDROID_RELEASE_SHA1=$(sha1sum -b $ANDROID_BUILD_SOURCE_PATH/$ANDROID_SDK_RELEASE_FILE | cut -d " " -f1)
      IOS_LINK=${AZURE_STORAGE_URL}/$AZURE_CONTAINER_NAME/$IOS_CONTAINER_PATH
      IOS_SHA1=$(sha1sum -b $IOS_BUILD_SOURCE_PATH/$IOS_BUILD_FILE | cut -d " " -f1)
    - >
      cat <<-EOM
        =========================
        SDK Download links:
        -------------------------
        Android DEBUG: ${ANDROID_DEBUG_LINK}
        SHA-1: ${ANDROID_DEBUG_SHA1}
        -------------------------
        Android RELEASE: ${ANDROID_RELEASE_LINK}
        SHA-1: ${ANDROID_RELEASE_SHA1}
        -------------------------
        iOS: ${IOS_LINK}
        SHA-1: ${IOS_SHA1}
        =========================
      EOM
    - |
      echo "ANDROID_DEBUG_LINK=${ANDROID_DEBUG_LINK}" > sdk_env_variables.env
      echo "ANDROID_DEBUG_SHA1=${ANDROID_DEBUG_SHA1}" >> sdk_env_variables.env
      echo "ANDROID_RELEASE_LINK=${ANDROID_RELEASE_LINK}" >> sdk_env_variables.env
      echo "ANDROID_RELEASE_SHA1=${ANDROID_RELEASE_SHA1}" >> sdk_env_variables.env
      echo "IOS_LINK=${IOS_LINK}" >> sdk_env_variables.env
      echo "IOS_SHA1=${IOS_SHA1}" >> sdk_env_variables.env
  artifacts:
    paths:
      - sdk_env_variables.env
    reports:
      dotenv: sdk_env_variables.env

sdk:react-native:
  stage: sdk_artifact
  needs:
    - job: sdk:upload_artifacts
      artifacts: true
  variables:
    NEW_VERSION: "1.$CI_PIPELINE_ID.0"
    CI_COMMIT_REF_NAME: $CI_COMMIT_REF_NAME
  trigger:
    project: procivis/one/react-native-one-core
    branch: main
    strategy: depend
    forward:
      pipeline_variables: true

sdk:generate_binding_files:
  stage: sdk_build
  needs: []
  when: manual
  script:
    - makers generate_uniffi_interfaces
  artifacts:
    paths:
      - target/uniffi-interface/ch/procivis/one/core/one_core_uniffi.kt
      - target/uniffi-interface/one_core.swift
    expire_in: 10 days

tests:e2e:
  stage: e2e_tests
  when: manual
  needs:
    - job: publish
      artifacts: true
  extends:
    - .run_e2e_tests
    - .rule:manual_main_or_tag

tests:api:
  stage: api_tests
  needs:
    - job: publish
      artifacts: true
  extends:
    - .run_api_tests
    - .rule:only_main_or_tag

.deploy_trigger:
  stage: deploy
  trigger:
    project: procivis/one/one-operations
    branch: main
    strategy: depend
  variables:
    HELM_PATH: charts/one-core-chart
    HELM_APP_NAME: one-core
    DEPLOY_IMAGE_TAG: $APP_VERSION

deploy:dev:
  resource_group: core-dev
  extends:
    - .deploy_trigger
  variables:
    VALUES_PATH: values/dev
    K8S_NAMESPACE: default
  rules:
    - if: $CI_COMMIT_REF_NAME == "main"

deploy:test:
  extends:
    - .deploy_trigger
    - .rule:deploy:test
  variables:
    VALUES_PATH: values/test
    K8S_NAMESPACE: one-test

deploy:demo:
  extends:
    - .deploy_trigger
    - .rule:deploy:demo
  variables:
    VALUES_PATH: values/demo
    K8S_NAMESPACE: default
    RESOURCE_GROUP: $DEMO_RESOURCE_GROUP
    CLUSTER_NAME: $DEMO_CLUSTER_NAME

deploy:canivc:
  extends:
    - .deploy_trigger
    - .rule:deploy:demo
  variables:
    VALUES_PATH: values/canivc
    K8S_NAMESPACE: canivc


test:build:
  stage: tests
  needs: []
  extends:
    - .cargo_build
    - .rule:except_main_branch

tests:publish:
  stage: tests
  needs:
    - job: test:build
      artifacts: true
  extends:
    - .docker_publish
    - .rule:except_main_branch

e2e:trigger_tests:
  stage: tests
  when: manual
  needs:
    - job: tests:publish
      artifacts: true
  extends:
    - .run_e2e_tests
    - .rule:run_tests

api:trigger_tests:
  stage: tests
  when: manual
  needs:
    - job: tests:publish
      artifacts: true
  extends:
    - .run_api_tests
    - .rule:except_main_branch

dtrack:upload-bom:
  stage: scan
  needs: []
  variables:
    D_TRACK_PATH: ${DEPENDENCY_TRACK_BASE_URL}/api/v1/bom
    SBOM_FILE_PATH: "one-core.json"
    SBOM_FILES: >-
      apps/core-server/core-server.cdx.json
      apps/migration/migration.cdx.json
      lib/one-core/one-core.cdx.json
      lib/shared-types/shared-types.cdx.json
      lib/sql-data-provider/sql-data-provider.cdx.json
      platforms/uniffi-bindgen/uniffi-bindgen.cdx.json
      platforms/uniffi/one-core-uniffi.cdx.json
  extends:
    - .rule:only_main_or_tag
  script:
    - cargo cyclonedx -f json
    - cyclonedx-cli merge --input-files ${SBOM_FILES} --input-format=json --output-format=json --group apps > ${SBOM_FILE_PATH}
    - file_content=$(base64 -i $SBOM_FILE_PATH)
    - |
      curl -i --fail -X PUT \
        -H "Content-Type: application/json" \
        -H "X-API-Key: ${DEPENDENCY_TRACK_API_KEY}" \
        --data @- ${D_TRACK_PATH} << EOF
      {
        "projectName": "${DEPENDENCY_TRACK_PROJECT_NAME}",
        "projectVersion": "${D_TRACK_PROJECT_VERSION}",
        "autoCreate": true,
        "bom": "${file_content}"
      }
      EOF
  artifacts:
    when: always
    paths:
      - ${SBOM_FILE_PATH}
    reports:
      cyclonedx:
        - ${SBOM_FILE_PATH}

.dTrack_metrics: &dTrack_metrics
  - base_url=${DEPENDENCY_TRACK_BASE_URL}/api/v1/project/lookup
  - url="${base_url}?name=${DEPENDENCY_TRACK_PROJECT_NAME}&version=${D_TRACK_PROJECT_VERSION}"
  - echo "URL=$url"
  - >
    result=$(curl -X GET "${url}" \
      -H "X-Api-Key: ${DEPENDENCY_TRACK_API_KEY}" \
      -H "Accept: application/json")
  - metrics=$(echo $result | jq -r .metrics)
  - echo "Dependency Track Project Version metrics=${metrics}"

dtrack:policy_violations:
  stage: scan
  allow_failure: true
  needs:
    - job: dtrack:upload-bom
  extends:
    - .rule:only_main_or_tag
  script:
    - *dTrack_metrics
    - violated_licences=$(echo ${metrics} | jq -r .policyViolationsFail)
    - echo "Count of violated_licences=${violated_licences}"
    - >
      if [[ ${violated_licences} -gt 0 ]]; then
        echo "Violated licences more that 0."
        exit 1;
      fi

dtrack:metrics:
  stage: scan
  allow_failure: true
  needs:
    - job: dtrack:upload-bom
  extends:
    - .rule:only_main_or_tag
  script:
    - *dTrack_metrics
    - critical=$(echo ${metrics} | jq -r .critical)
    - high=$(echo ${metrics} | jq -r .high)
    - echo "Critical vulnerabilities=${critical}"
    - echo "High vulnerabilities=${high}"
    - >
      if [[ ${critical} -gt 0  || ${high} -gt 0  ]]; then
          echo "Lib vulnerabilities more that 0."
          exit 1;
      fi

github:push:
  stage: github
  variables:
    FILES_TO_ATTACH: >-
      one-core.json
  extends:
    - .ci-tool:open_source_release
  needs:
    - job: dtrack:upload-bom
      artifacts: true

set_jira_version:
  stage: sync_with_jira
  extends:
    - .ci-tool:set_jira_version