default:
  before_script:
    - set -e
    # DANGER don't use `set -x` or print the environment via e.g. `env` in pipeline runs, this might leak credentials (has leaked them)
  interruptible: true
  tags:
    - 1cpu-4gb # build on smaller machine

variables:
  API_DOMAIN_PATH: '$CI_PROJECT_DIR/api_domain'

stages:
  - test
  - build
  - deploy
  - deploy_production

# job templates

.rule_templates:
  only_main:
    - if: $CI_COMMIT_BRANCH == 'main'
      when: on_success
  only_review:
    - if: $CI_COMMIT_BRANCH =~ /^main$|^noenv\/.*/
      when: never
    - if: $CI_COMMIT_BRANCH
      when: on_success
  manually_review:
    - if: $CI_COMMIT_BRANCH =~ /^main$|^noenv\/.*/
      when: never
    - if: $CI_COMMIT_BRANCH
      when: manual

.deploy:
  image:
    name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/hashicorp/terraform:1.11.3'
    # default entrypoint is terraform command, but we want to run shell scripts
    entrypoint: ['/bin/sh', '-c']
  variables:
    ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
  artifacts:
    paths:
      - 'terraform/environments/crash.log' # optional, only available in case of a crash/panic
      - 'terraform/environments/terraform-*.log' # separate log for every step/command
      - $API_DOMAIN_PATH
    name: '${CI_JOB_NAME}_${CI_JOB_ID}'
    expire_in: 1 week
  script:
    - terraform/environments/scripts/create-or-update-env.sh "$ENVIRONMENT_ID" "$CI_COMMIT_SHA"
    - echo "$(terraform/environments/scripts/get-output.sh api_domain)" > "$API_DOMAIN_PATH"
  resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
  interruptible: false

.smoketest:
  image: 'europe-north1-docker.pkg.dev/holi-shared/docker/holi-docker/holi-k6-builder'
  script:
    - API_DOMAIN=$(cat "$API_DOMAIN_PATH")
    - terraform/environments/scripts/wait-for-ssl.sh "https://${API_DOMAIN}"
    - BASE_URL="https://${API_DOMAIN}/graphql" k6 run smoketest/main.js
    # TODO should/could we roll back the service to the last working revision on test failure?

# end job templates

# pipeline in chronological order

## common steps

cache_lint_test:
  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/denoland/deno:2.2.6'
  stage: 'test'
  script:
    - deno cache --allow-import --lock=deno.lock app/deps.ts app/dev_deps.ts
    - deno fmt --check
    - deno lint
    - deno test --allow-import

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Dependency Scanning customization: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
# Container Scanning customization: https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
sast:
  needs: ['cache_lint_test']
  stage: test
include:
  - template: Security/SAST.gitlab-ci.yml

build_docker:
  needs: ['cache_lint_test']
  image: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/docker:28'
  stage: build
  services:
    - name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/docker:28-dind'
      alias: 'docker'
  variables:
    # this could be fetched via terraform output ("gcr_location" in infra project), but then we would need an extra job for terraform
    GCR_IMAGE: europe-north1-docker.pkg.dev/holi-shared/docker/holi-donations-api
  script:
    - docker pull "$GCR_IMAGE" || true # Allows us to use --cache-from, we need to tag with latest in the next command for this to work
    - docker build --cache-from "$GCR_IMAGE" -t "$GCR_IMAGE":latest -t "$GCR_IMAGE":"$CI_COMMIT_SHA" -t "$GCR_IMAGE":"$CI_COMMIT_REF_SLUG" .
    - docker push "$GCR_IMAGE":"$CI_COMMIT_SHA" # this is the tag that is used for deployment
    - docker push "$GCR_IMAGE":"$CI_COMMIT_REF_SLUG" # just for easyly knowing which is the last image for a branch
    - docker push "$GCR_IMAGE":latest # for caching the build

## review environments

review_deploy:
  extends: .deploy
  needs: ['build_docker']
  stage: deploy
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    url: https://$CI_ENVIRONMENT_SLUG.donations.apis.holi.social
    on_stop: review_destroy
    auto_stop_in: 1 week
  rules:
    - !reference [.rule_templates, only_review]

review_smoketest:
  extends: .smoketest
  needs: ['review_deploy']
  stage: deploy
  rules:
    - !reference [.rule_templates, only_review]

review_destroy:
  needs: ['review_deploy']
  stage: deploy
  image:
    name: 'europe-north1-docker.pkg.dev/holi-shared/docker-hub-remote/hashicorp/terraform:1.11.3'
    # default entrypoint is terraform command, but we want to run shell scripts
    entrypoint: ['/bin/sh', '-c']
  variables:
    # has to be set to none for auto stop
    GIT_STRATEGY: none
    ENVIRONMENT_ID: $CI_ENVIRONMENT_SLUG
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop
  dependencies: [] # explicitly disable artifact usage
  artifacts:
    paths:
      - 'terraform/environments/crash.log' # optional, only available in case of a crash/panic
      - 'terraform/environments/terraform-*.log' # separate log for every step/command
    name: '${CI_JOB_NAME}_${CI_JOB_ID}'
    when: on_failure
    expire_in: 1 week
  script:
    # branch may have been deleted, so we clone and checkout main
    - git clone "$CI_REPOSITORY_URL" main-clone
    - cd main-clone
    - terraform/environments/scripts/destroy-env.sh "$CI_ENVIRONMENT_SLUG"
  allow_failure: true
  rules:
    - !reference [.rule_templates, manually_review]
  resource_group: $ENVIRONMENT_ID # never execute terraform in parallel on the same environment
  interruptible: false

## staging environment

staging_deploy:
  extends: .deploy
  needs: ['build_docker']
  stage: deploy
  environment:
    name: staging
    deployment_tier: staging
    url: https://staging.donations.apis.holi.social
  variables:
    ENVIRONMENT_ID: staging
  rules:
    - !reference [.rule_templates, only_main]

staging_smoketest:
  extends: .smoketest
  needs: ['staging_deploy']
  stage: deploy
  rules:
    - !reference [.rule_templates, only_main]
  resource_group: unified-api-staging

staging_trigger_unified-api_redeployment:
  needs: ['staging_smoketest']
  stage: deploy
  trigger:
    project: 'app/holi-unified-api'
    branch: 'main'
    forward:
      yaml_variables: false
      pipeline_variables: false
  rules:
    - !reference [.rule_templates, only_main]

## production environment

production_deploy:
  extends: .deploy
  needs: ['staging_smoketest']
  stage: deploy_production
  allow_failure: false
  environment:
    name: production
    deployment_tier: production
    url: https://production.donations.apis.holi.social
  variables:
    ENVIRONMENT_ID: production
  rules:
    - !reference [.rule_templates, only_main]

production_smoketest:
  extends: .smoketest
  needs: ['production_deploy']
  stage: deploy_production
  rules:
    - !reference [.rule_templates, only_main]

production_trigger_unified-api_redeployment:
  needs: ['production_smoketest']
  stage: deploy_production
  trigger:
    project: 'app/holi-unified-api'
    branch: 'production'
    forward:
      yaml_variables: false
      pipeline_variables: false
  rules:
    - !reference [.rule_templates, only_main]
  resource_group: unified-api-production