.gitlab-ci.yml
# Defaults inherited by every job: run on runners tagged "shared".
default:
  tags:
    - shared
# Pipeline stages, listed in the order they run.
stages:
  - lint
  - test
  - build
  - deploy-stage
  - deploy-prod
  - perf-stage
  - perf-prod
# Pipeline templates pulled from other projects. The first is fetched at the
# ref named by $CORGI_OPS_BRANCH; the second sets no ref, so it follows that
# project's default branch.
# NOTE(review): both refs are mutable, and the ansible-run template presumably
# provides the .ansible-* jobs extended in this file, including the production
# deploy — confirm. Consider pinning each include to a commit SHA or protected
# tag, and keep CORGI_OPS_BRANCH settable only by maintainers.
include:
  - project: prodsec-dev/component-registry-ops
    ref: "$CORGI_OPS_BRANCH"
    file: /templates/gitlab/ansible-run.yml
  - project: enterprise-pipelines/gitlab-ci/includes
    file: SAST/sonarqube.yml
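# Shared before_script steps: add the root CA to the system trust store, then
# install git, Python 3.11 and tox.
.common_ci_setup: &common_ci_setup
  - export LANG=en_US.UTF-8
  # The downloaded file becomes a system trust anchor. --fail makes curl exit
  # non-zero on an HTTP error instead of saving the error body as the anchor;
  # the subshell leaves the working directory untouched and lets a failed cd
  # or curl fail the step.
  # NOTE(review): the certificate is not checked against a known fingerprint,
  # so its integrity rests entirely on how ROOT_CA_URL is served.
  - (cd /etc/pki/ca-trust/source/anchors/ && curl --fail -O "${ROOT_CA_URL}")
  - update-ca-trust
  # Point Python requests at the rebuilt system bundle.
  - export REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt
  - dnf install --nodocs --setopt install_weak_deps=false -y git python3.11 python3.11-pip
  # NOTE(review): tox is installed without a version pin, so each run takes
  # whatever release the package index serves.
  - python3.11 -m pip install tox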
# Shared before_script steps for jobs that run the application or its tests.
.common_test_setup: &common_test_setup
  # Define these values in the CI settings; exporting them here makes them
  # visible to subprocesses as well. Keep the list in sync with OpenShift.
  # The tests do not use them directly, but they are needed for tests to pass.
  - export CORGI_APP_STREAMS_LIFE_CYCLE_URL
  - export CORGI_BREW_URL
  - export CORGI_BREW_DOWNLOAD_ROOT_URL
  - export CORGI_ERRATA_TOOL_URL
  - export CORGI_LOOKASIDE_CACHE_URL
  - export CORGI_MANIFEST_HINTS_URL
  - export CORGI_PRODSEC_DASHBOARD_URL
  - export CORGI_PULP_URL
  - export GOCACHE
  - export GOPATH
  - export PIP_INDEX_URL
  - export ROOT_CA_URL
  # dnf command line reused by the job scripts.
  - export DNF_WITH_OPTIONS='dnf --disableplugin=subscription-manager --nodocs --setopt install_weak_deps=false -y'
  # Non-empty lines of rpms.txt whose first character is not '#'.
  - export RPM_REQUIREMENTS=$(grep '^[^#]' ./requirements/rpms.txt)
# Image build; the job body comes from the .ansible-build template.
build-image:
  stage: build
  extends:
    - .ansible-build
  # Deliberately no "except: refs: schedules" here: the daily rebuild (run as
  # part of the daily detect-secrets CI job) picks up any new security updates.
# Stage deployment via the .ansible-deploy-stage template; skipped in
# scheduled pipelines.
deploy-stage:
  stage: deploy-stage
  extends:
    - .ansible-deploy-stage
  except:
    refs:
      - schedules
# Production deployment via the .ansible-deploy-prod template; skipped in
# scheduled pipelines.
# NOTE(review): this job sets no branch restriction or manual gate of its own,
# so any such control has to come from the extended template — confirm it does.
deploy-prod:
  stage: deploy-prod
  extends:
    - .ansible-deploy-prod
  except:
    refs:
      - schedules
# SonarQube scan, run in the test stage.
# NOTE(review): allow_failure lets the pipeline pass when this job fails, so
# the scan does not gate merges or deploys by itself — confirm its results are
# reviewed elsewhere.
sonarqube:
  allow_failure: true
  stage: test
# Env vars for postgres image initialization.
# NOTE(review): assumed to be the pipeline-level variables block, because the
# test jobs' postgres service refers to POSTGRESQL_ADMIN_PASSWORD — confirm
# against the original indentation.
# These credentials belong to the CI database service only; they must not
# match any real environment.
variables:
  POSTGRESQL_ADMIN_PASSWORD: test
  POSTGRESQL_USER: unused_but_needed
  POSTGRESQL_PASSWORD: test
  POSTGRESQL_DATABASE: corgi-db
# Test suite with coverage, run against a postgres service container.
# Skipped in scheduled pipelines.
test:
  stage: test
  # Keep in sync with Dockerfile.
  # NOTE(review): no tag or digest is given, so the registry's default tag is
  # pulled and the base image can change between runs.
  image: registry.redhat.io/ubi9/ubi
  services:
    # Keep in sync with OpenShift
    - name: registry.redhat.io/rhel8/postgresql-13:1
      alias: postgres
  variables:
    # Application-specific env vars
    CORGI_DB_USER: postgres  # default admin user
    CORGI_DB_HOST: postgres  # same as service alias
    CORGI_DB_PASSWORD: test  # same as POSTGRESQL_ADMIN_PASSWORD
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    - $DNF_WITH_OPTIONS install $RPM_REQUIREMENTS
    # The run fails when total coverage drops below 70%.
    - tox -e corgi -- --cov-fail-under=70 --cov-report xml --junitxml=junit.xml
  except:
    refs:
      - schedules
  # Pulls the percentage out of report lines like 'TOTAL 2962 882 70%'.
  coverage: '/TOTAL(?:\s+\d+\s+\d+\s+)(\d+)%/'
  artifacts:
    # Upload the reports even when the job fails.
    when: always
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
      junit:
        - junit.xml
    expire_in: 1 week
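# Migration tests, run against a postgres service container.
# Skipped in scheduled pipelines.
test-migrations:
  stage: test
  # Keep in sync with Dockerfile.
  # NOTE(review): no tag or digest is given, so the registry's default tag is
  # pulled and the base image can change between runs.
  image: registry.redhat.io/ubi9/ubi
  services:
    # Keep in sync with OpenShift
    - name: registry.redhat.io/rhel8/postgresql-13:1
      alias: postgres
  variables:
    # Application-specific env vars
    CORGI_DB_USER: postgres  # default admin user
    CORGI_DB_HOST: postgres  # same as service alias
    CORGI_DB_PASSWORD: test  # same as POSTGRESQL_ADMIN_PASSWORD
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    - $DNF_WITH_OPTIONS install $RPM_REQUIREMENTS
    # tox is already installed by the common_ci_setup steps in before_script,
    # so the second unpinned "pip install tox" was dropped, matching the
    # test, mypy and schema jobs.
    - tox -e corgi-migrations
  except:
    refs:
      - schedules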
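# Performance-marked tests; runs only in scheduled pipelines and may fail
# without failing the pipeline.
test-performance:
  stage: perf-stage
  allow_failure: true
  # Keep in sync with Dockerfile.
  # NOTE(review): no tag or digest is given, so the registry's default tag is
  # pulled and the base image can change between runs.
  image: registry.redhat.io/ubi9/ubi
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    - $DNF_WITH_OPTIONS install $RPM_REQUIREMENTS
    # tox is already installed by the common_ci_setup steps in before_script,
    # so the second unpinned "pip install tox" was dropped, matching the
    # test, mypy and schema jobs.
    - tox -e corgi -- -m performance --no-cov
  only:
    refs:
      - schedules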
# Static type check via the tox "mypy" environment; skipped in scheduled
# pipelines. $UBI9_IMAGE is not defined in this file as shown.
mypy:
  stage: test
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    - $DNF_WITH_OPTIONS install $RPM_REQUIREMENTS
    - tox -e mypy
  except:
    refs:
      - schedules
# Runs the tox "schema" environment; skipped in scheduled pipelines.
# $UBI9_IMAGE is not defined in this file as shown.
schema:
  stage: test
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    - $DNF_WITH_OPTIONS install $RPM_REQUIREMENTS
    - tox -e schema
  except:
    refs:
      - schedules
# flake8 lint via tox; skipped in scheduled pipelines.
flake8:
  stage: lint
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
  script:
    - tox -e flake8
  except:
    refs:
      - schedules
# black formatting check via tox; skipped in scheduled pipelines.
black:
  stage: lint
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
  script:
    - tox -e black
  except:
    refs:
      - schedules
# isort import-order check via tox; skipped in scheduled pipelines.
isort:
  stage: lint
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
  script:
    - tox -e isort
  except:
    refs:
      - schedules
# Secret scan via the tox "secrets" environment; runs only in scheduled
# pipelines.
# NOTE(review): pushes and merge requests skip this job, so a committed
# credential is not flagged until the next scheduled run — consider scanning
# on every push as well.
secrets:
  stage: lint
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
  script:
    - tox -e secrets
  only:
    refs:
      - schedules
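# Scheduled load test against the stage host: 5 users, spawn rate 2, one
# minute of load, with timeout stopping the run at 90s.
locust-stage:
  stage: perf-stage
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    # NOTE(review): locust is installed without a version pin, so each run
    # takes whatever release the package index serves.
    - pip3 install locust
    # The host URL is quoted so the variable's value cannot be word-split or
    # glob-expanded into extra locust arguments.
    - >-
      timeout --foreground 90s
      locust --headless -f ./perf --host "https://${CORGI_DOMAIN}"
      --users 5 --spawn-rate 2 --csv=locust-result.csv --run-time 1m
      || exit 1
  artifacts:
    # Keep the results file even when the run fails.
    when: always
    paths:
      - locust-result.csv
  only:
    refs:
      - schedules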
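# Scheduled load test against the production host: 5 users, spawn rate 2, one
# minute of load, with timeout stopping the run at 90s.
locust-prod:
  stage: perf-prod
  image: $UBI9_IMAGE
  before_script:
    - *common_ci_setup
    - *common_test_setup
  script:
    # NOTE(review): locust is installed without a version pin, so each run
    # takes whatever release the package index serves.
    - pip3 install locust
    # The host URL is quoted so the variable's value cannot be word-split or
    # glob-expanded into extra locust arguments.
    - >-
      timeout --foreground 90s
      locust --headless -f ./perf --host "https://${CORGI_PROD_DOMAIN}"
      --users 5 --spawn-rate 2 --csv=locust-result.csv --run-time 1m
      || exit 1
  artifacts:
    # Keep the results file even when the run fails.
    when: always
    paths:
      - locust-result.csv
  only:
    refs:
      - schedules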