Release-Pipelines.gitlab-ci.yml

#############################################################################
## 'MAIN' TARGETED MERGE REQUESTS, RELEASE TAGS
#############################################################################

.main_pr_base_rules:
  rules:
    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"
    - if: $CI_COMMIT_TAG
      when: never

.main_pr_manual_rules:
  rules:
    - if: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "main"
      when: manual
    - if: $CI_COMMIT_TAG
      when: never

.main_commit_push_rules:
  rules:
    - if: $CI_COMMIT_BRANCH && ($CI_COMMIT_BRANCH == "main") && ($CI_PIPELINE_SOURCE == "push")
    - if: $CI_COMMIT_TAG
      when: never

.main_commit_web_rules:
  rules:
    - if: $CI_COMMIT_BRANCH && ($CI_COMMIT_BRANCH == "main") && ($CI_PIPELINE_SOURCE == "web")
    - if: $CI_COMMIT_TAG
      when: never

.release_rules:
  rules:
    - if: $CI_COMMIT_TAG =~ /^(?P<MAJOR>0|[1-9]\d*)\.(?P<MINOR>0|[1-9]\d*)\.(?P<PATCH>0|[1-9]\d*)$/

check-main-pr-rules:
  stage: .pre
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  script:
    - echo $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
    - echo $CI_COMMIT_TAG
    - if [ "$CI_MERGE_REQUEST_TARGET_BRANCH_NAME" != "main" ];
      then echo "merge request target branch is not 'main'";
      else echo "merge request target branch '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME' == 'main'"; fi
    - if [ "$CI_MERGE_REQUEST_TARGET_BRANCH_NAME" == "main" ];
      then echo "merge request target branch is 'main'";
      else echo "merge request target branch '$CI_MERGE_REQUEST_TARGET_BRANCH_NAME' != 'main'"; fi
    - if [ -n "$CI_COMMIT_TAG" ];
      then echo "commit tag string length is nonzero";
      else echo "commit tag = '$CI_COMMIT_TAG'"; fi
    - if [ -z "$CI_COMMIT_TAG" ];
      then echo "commit tag string length is zero";
      else echo "commit tag = '$CI_COMMIT_TAG'"; fi

check-main-commit-push-rules:
  stage: .pre
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  script:
    - echo $CI_COMMIT_BRANCH
    - echo $CI_PIPELINE_SOURCE
    - echo $CI_COMMIT_TAG
    - if [ -n "$CI_COMMIT_BRANCH" ];
      then echo "commit branch string length is nonzero";
      else echo "commit branch = '$CI_COMMIT_BRANCH'"; fi
    - if [ -z "$CI_COMMIT_BRANCH" ];
      then echo "commit branch string length is zero";
      else echo "commit branch = '$CI_COMMIT_BRANCH'"; fi
    - if [ "$CI_COMMIT_BRANCH" = "main" ];
      then echo "commit branch is 'main'";
      else echo "'$CI_COMMIT_BRANCH' != 'main'"; fi
    - if [ "$CI_COMMIT_BRANCH" != "main" ];
      then echo "commit branch is not 'main'";
      else echo "'$CI_COMMIT_BRANCH' == 'main'"; fi
    - if [ "$CI_PIPELINE_SOURCE" = "push" ];
      then echo "pipeline source is 'push'";
      else echo "'$CI_PIPELINE_SOURCE' != 'push'"; fi
    - if [ "$CI_PIPELINE_SOURCE" != "push" ];
      then echo "pipeline source is not 'push'";
      else echo "'$CI_PIPELINE_SOURCE' == 'push'"; fi
    - if [ -n "$CI_COMMIT_BRANCH" ] && [ "$CI_COMMIT_BRANCH" = "main" ] && [ "$CI_PIPELINE_SOURCE" = "push" ];
      then echo "commit branch exists, is 'main', and it's a push";
      else echo "commit branch = '$CI_COMMIT_BRANCH', pipeline source = '$CI_PIPELINE_SOURCE'"; fi
    - if [ -z "$CI_COMMIT_BRANCH" ] || [ "$CI_COMMIT_BRANCH" != "main" ] || [ "$CI_PIPELINE_SOURCE" != "push" ];
      then echo "commit branch doesn't exist or isn't 'main' or it isn't a push";
      else echo "commit branch = '$CI_COMMIT_BRANCH', pipeline source = '$CI_PIPELINE_SOURCE'"; fi
    - if [ -z "$CI_COMMIT_TAG" ];
      then echo "commit tag string length is zero";
      else echo "commit tag = '$CI_COMMIT_TAG'"; fi
    - if [ -n "$CI_COMMIT_TAG" ];
      then echo "commit tag string length is nonzero";
      else echo "commit tag = '$CI_COMMIT_TAG'"; fi

check-main-commit-web-rules:
  stage: .pre
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_commit_web_rules, rules ]
  script:
    - echo $CI_COMMIT_BRANCH
    - echo $CI_PIPELINE_SOURCE
    - echo $CI_COMMIT_TAG
    - if [ -n "$CI_COMMIT_BRANCH" ];
      then echo "commit branch string length is nonzero";
      else echo "commit branch = '$CI_COMMIT_BRANCH'"; fi
    - if [ -z "$CI_COMMIT_BRANCH" ];
      then echo "commit branch string length is zero";
      else echo "commit branch = '$CI_COMMIT_BRANCH'"; fi
    - if [ "$CI_COMMIT_BRANCH" = "main" ];
      then echo "commit branch is 'main'";
      else echo "'$CI_COMMIT_BRANCH' != 'main'"; fi
    - if [ "$CI_COMMIT_BRANCH" != "main" ];
      then echo "commit branch is not 'main'";
      else echo "'$CI_COMMIT_BRANCH' == 'main'"; fi
    - if [ "$CI_PIPELINE_SOURCE" = "web" ];
      then echo "pipeline source is 'web'";
      else echo "'$CI_PIPELINE_SOURCE' != 'web'"; fi
    - if [ "$CI_PIPELINE_SOURCE" != "web" ];
      then echo "pipeline source is not 'web'";
      else echo "'$CI_PIPELINE_SOURCE' == 'web'"; fi
    - if [ -n "$CI_COMMIT_BRANCH" ] && [ "$CI_COMMIT_BRANCH" = "main" ] && [ "$CI_PIPELINE_SOURCE" = "web" ];
      then echo "commit branch exists, is 'main', and it's a web gui call";
      else echo "commit branch = '$CI_COMMIT_BRANCH', pipeline source = '$CI_PIPELINE_SOURCE'"; fi
    - if [ -z "$CI_COMMIT_BRANCH" ] || [ "$CI_COMMIT_BRANCH" != "main" ] || [ "$CI_PIPELINE_SOURCE" != "web" ];
      then echo "commit branch doesn't exist or isn't 'main' or it isn't a web gui call";
      else echo "commit branch = '$CI_COMMIT_BRANCH', pipeline source = '$CI_PIPELINE_SOURCE'"; fi
    - if [ -z "$CI_COMMIT_TAG" ];
      then echo "commit tag string length is zero" ;
      else echo "commit tag = '$CI_COMMIT_TAG'"; fi
    - if [ -n "$CI_COMMIT_TAG" ];
      then echo "commit tag string length is nonzero";
      else echo "commit tag = '$CI_COMMIT_TAG'"; fi

check-release-rules:
  stage: .pre
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .release_rules, rules ]
  before_script:
    - RELEASE_REGEX="^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$"
  script:
    - echo $PRERELEASE_REGEX
    - if [[ $CI_COMMIT_TAG =~ $RELEASE_REGEX ]];
      then echo "$CI_COMMIT_TAG is a valid release tag.";
      else echo "$CI_COMMIT_TAG is not a valid release tag!"; fi

build-main-pr-backend-test-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f apps/api/Dockerfile --target=dev --build-arg project=api
      -t ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test .
    - docker push -q ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  after_script:
    - docker logout $CI_REGISTRY

build-main-pr-frontend-test-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f apps/frontend/Dockerfile --target=dev
      --build-arg project=frontend --build-arg apihost=personaldb-backend --build-arg apiport=3333
      -t ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test .
    - docker push -q ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  after_script:
    - docker logout $CI_REGISTRY

build-main-pr-frontend-e2e-test-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_E2E_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend-e2e"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f apps/frontend-e2e/Dockerfile
      -t ${FRONTEND_E2E_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}
      -t ${FRONTEND_E2E_IMAGE_NAME}:latest .
    - docker push -q -a ${FRONTEND_E2E_IMAGE_NAME}
  after_script:
    - docker logout $CI_REGISTRY

build-main-pr-db-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    DB_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f database/Postgres.Dockerfile -t ${DB_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA} .
    - docker push -q ${DB_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-pr-liquibase-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    LIQUIBASE_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-liquibase"
  before_script:
    - echo "$REGISTRY_PASSWORD" | docker login -u $REGISTRY_USER --password-stdin $REGISTRY
  script:
    - docker build -f database/Liquibase.Dockerfile -t ${LIQUIBASE_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA} .
    - docker push -q ${LIQUIBASE_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}
  after_script:
    - docker logout $REGISTRY

build-main-pr-backend-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-backend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - docker pull -q ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker build --cache-from ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test -f apps/api/Dockerfile
      --target=prod --build-arg project=api -t ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA} .
    - docker push -q ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-pr-frontend-image:
  stage: build
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-frontend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - docker pull -q ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker build --cache-from ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
      -f apps/frontend/Dockerfile --target=prod --build-arg project=frontend
      -t ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA} .
    - docker push -q ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}
  after_script:
    - docker logout $CI_REGISTRY

test-main-pr-db:
  stage: test-db
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-db-image
    - build-main-pr-liquibase-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml pull -q db liquibase
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d db
    - export $(grep -v '^#' .env.prod.template | xargs)
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog status
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog validate
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog updateSQL
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog updateTestingRollback
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history

test-main-pr-backend:
  stage: test-units
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-backend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - docker pull -q ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker run ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test test api

test-main-pr-frontend:
  stage: test-units
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-frontend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - docker pull -q ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker run ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test test frontend

test-main-pr-e2e:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e test-e2e

test-main-pr-e2e-api:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-api test-e2e-api

test-main-pr-e2e-ui-chrome:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-ui-chrome test-e2e-ui-chrome

test-main-pr-e2e-ui-chrome-mobile:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-ui-chrome-mobile test-e2e-ui-chrome-mobile

test-main-pr-e2e-ui-firefox:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-ui-firefox test-e2e-ui-firefox

test-main-pr-e2e-ui-firefox-mobile:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-ui-firefox-mobile test-e2e-ui-firefox-mobile

test-main-pr-e2e-ui-edge:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-ui-edge test-e2e-ui-edge

test-main-pr-e2e-ui-edge-mobile:
  stage: test-e2e
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_manual_rules, rules ]
  needs:
    - test-main-pr-db
    - build-main-pr-backend-image
    - build-main-pr-frontend-image
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  before_script:
    - sed -i "s/TAG=.*$/TAG=${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}/" .env.prod.template
    - sed -i "s^REGISTRY_PATH=.*$^REGISTRY_PATH=${CI_REGISTRY_IMAGE}/^" .env.prod.template
    - export $(grep -v '^#' .env.prod.template | xargs)
    - cp config/frontend/default.conf.http-template config/frontend/default.conf.template
  script:
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml up -d --quiet-pull
    - docker compose --env-file .env.prod.template -f docker-compose.yml -f docker-compose.prod.yml run --rm liquibase
      liquibase --changelogFile=personaldb.changelog-root.xml --url=jdbc:postgresql://db:5432/${POSTGRES_DB}
      --username=${POSTGRES_USER} --password=${POSTGRES_PASSWORD} --classpath=changelog history
    - docker compose -f docker-compose.e2e.yml up --quiet-pull --exit-code-from test-e2e-ui-edge-mobile test-e2e-ui-edge-mobile

lint-main-pr-backend:
  stage: lint
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-backend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - docker pull -q ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker run ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test lint api

lint-main-pr-frontend:
  stage: lint
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-frontend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - docker pull -q ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker run ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test lint frontend

lint-main-pr-frontend-e2e:
  stage: lint
  interruptible: true
  allow_failure: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-frontend-e2e-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_E2E_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend-e2e"
  before_script:
    - docker pull -q ${FRONTEND_E2E_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}
  script:
    - docker run ${FRONTEND_E2E_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA} lint frontend-e2e

audit-main-pr-backend:
  stage: audit
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-backend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - docker pull -q ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker run --entrypoint npm ${BACKEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test audit --audit-level critical

audit-main-pr-frontend:
  stage: audit
  interruptible: true
  rules:
    - !reference [ .main_pr_base_rules, rules ]
  needs:
    - build-main-pr-frontend-test-image
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - docker pull -q ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test
  script:
    - docker run --entrypoint npm ${FRONTEND_IMAGE_NAME}:${CI_MERGE_REQUEST_TARGET_BRANCH_SHA}_test audit --audit-level critical

gemnasium-dependency_scanning:
  stage: scan-dependencies
  interruptible: true
  allow_failure: true
  rules:  # TODO: Rules does not work
    - !reference [ .main_pr_base_rules, rules ]

build-main-commit-db-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    DB_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - docker pull -q ${DB_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA}
  script:
    - docker tag ${DB_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA} ${DB_IMAGE_NAME}:${CI_COMMIT_SHA}
    - docker push -q ${DB_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-commit-liquibase-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    LIQUIBASE_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-liquibase"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - docker pull -q ${LIQUIBASE_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA}
  script:
    - docker tag ${LIQUIBASE_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA} ${LIQUIBASE_IMAGE_NAME}:${CI_COMMIT_SHA}
    - docker push -q ${LIQUIBASE_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-commit-backend-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - docker pull -q ${BACKEND_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA}
  script:
    - docker tag ${BACKEND_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA} ${BACKEND_IMAGE_NAME}:${CI_COMMIT_SHA}
    - docker push -q ${BACKEND_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-commit-frontend-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
    - docker pull -q ${FRONTEND_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA}
  script:
    - docker tag ${FRONTEND_IMAGE_NAME}:${CI_COMMIT_BEFORE_SHA} ${FRONTEND_IMAGE_NAME}:${CI_COMMIT_SHA}
    - docker push -q ${FRONTEND_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-commit-web-db-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_web_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    DB_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f database/Postgres.Dockerfile -t ${DB_IMAGE_NAME}:${CI_COMMIT_SHA} .
    - docker push -q ${DB_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-commit-web-liquibase-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_web_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    LIQUIBASE_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-liquibase"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f database/Liquibase.Dockerfile -t ${LIQUIBASE_IMAGE_NAME}:${CI_COMMIT_SHA} .
    - docker push -q ${LIQUIBASE_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $REGISTRY

build-main-commit-web-backend-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_web_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    BACKEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f apps/api/Dockerfile --target=prod --build-arg project=api
      -t ${BACKEND_IMAGE_NAME}:${CI_COMMIT_SHA} .
    - docker push ${BACKEND_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

build-main-commit-web-frontend-image:
  stage: build-images
  rules:
    - !reference [ .main_commit_web_rules, rules ]
  image: $DOCKER_IMAGE
  services:
    - $DOCKER_SERVICE
  variables:
    FRONTEND_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend"
  before_script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u $CI_REGISTRY_USER --password-stdin $CI_REGISTRY
  script:
    - docker build -f apps/frontend/Dockerfile --target=prod --build-arg project=frontend
      -t ${FRONTEND_IMAGE_NAME}:${CI_COMMIT_SHA} .
    - docker push ${FRONTEND_IMAGE_NAME}:${CI_COMMIT_SHA}
  after_script:
    - docker logout $CI_REGISTRY

scan-main-commit-db-image:
  stage: scan-images
  allow_failure: true
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  needs:
    - build-main-commit-db-image
  image:
    name: $TRIVY_IMAGE
    entrypoint: [ "" ]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db:${CI_COMMIT_SHA}"
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - trivy image --clear-cache
    # update vulnerabilities db
    - trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - trivy image --exit-code 1 --timeout 30m --security-checks vuln --ignore-unfixed --severity CRITICAL $FULL_IMAGE_NAME
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json

scan-main-commit-liquibase-image:
  stage: scan-images
  allow_failure: true
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  needs:
    - build-main-commit-liquibase-image
  image:
    name: $TRIVY_IMAGE
    entrypoint: [ "" ]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-liquibase:${CI_COMMIT_SHA}"
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - trivy image --clear-cache
    # update vulnerabilities db
    - trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - trivy image --exit-code 1 --timeout 30m --security-checks vuln --ignore-unfixed --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json

scan-main-commit-backend-image:
  stage: scan-images
  allow_failure: true
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  needs:
    - build-main-commit-backend-image
  image:
    name: $TRIVY_IMAGE
    entrypoint: [ "" ]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-backend:${CI_COMMIT_SHA}"
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - trivy image --clear-cache
    # update vulnerabilities db
    - trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - trivy image --exit-code 1 --timeout 30m --security-checks vuln --ignore-unfixed --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json

scan-main-commit-frontend-image:
  stage: scan-images
  allow_failure: true
  rules:
    - !reference [ .main_commit_push_rules, rules ]
  needs:
    - build-main-commit-frontend-image
  image:
    name: $TRIVY_IMAGE
    entrypoint: [ "" ]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-frontend:${CI_COMMIT_SHA}"
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - trivy image --clear-cache
    # update vulnerabilities db
    - trivy image --download-db-only
    # Builds report and puts it in the default workdir $CI_PROJECT_DIR, so `artifacts:` can take it from there
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln --format template --template "@/contrib/gitlab.tpl"
      --output "$CI_PROJECT_DIR/gl-container-scanning-report.json" "$FULL_IMAGE_NAME"
    # Prints full report
    - trivy image --exit-code 0 --timeout 30m --security-checks vuln "$FULL_IMAGE_NAME"
    # Fail on critical vulnerabilities
    - trivy image --exit-code 1 --timeout 30m --security-checks vuln --ignore-unfixed --severity CRITICAL "$FULL_IMAGE_NAME"
  cache:
    paths:
      - .trivycache/
  # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/
  artifacts:
    when: always
    reports:
      container_scanning: gl-container-scanning-report.json


scan-main-commit-web-db-image:
  stage: scan-images
  allow_failure: true
  rules:
    - !reference [ .main_commit_web_rules, rules ]
  needs:
    - build-main-commit-web-db-image
  image:
    name: $TRIVY_IMAGE
    entrypoint: [ "" ]
  variables:
    # No need to clone the repo, we exclusively work on artifacts.  See
    # https://docs.gitlab.com/ee/ci/runners/README.html#git-strategy
    GIT_STRATEGY: none
    TRIVY_USERNAME: "$CI_REGISTRY_USER"
    TRIVY_PASSWORD: "$CI_REGISTRY_PASSWORD"
    TRIVY_AUTH_URL: "$CI_REGISTRY"
    TRIVY_NO_PROGRESS: "true"
    TRIVY_CACHE_DIR: ".trivycache/"
    FULL_IMAGE_NAME: "${REGISTRY}${REGISTRY_PROJECT}iqbberlin/personaldb-db:${CI_COMMIT_SHA}"
  script:
    - trivy --version
    # cache cleanup is needed when scanning images with the same tags, it does not remove the database
    - trivy image --clear-cache
    # update vulnerabilities db