.gitlab-ci.yml

stages:
  - build
  - lint
  - tiki-check
  - unit-tests
  - package-tiki
  - vendors-security
  - vendors_update

variables:
  MYSQL_ROOT_PASSWORD: secret
  MYSQL_DATABASE: tikitest
  MYSQL_USER: tikiuser
  MYSQL_PASSWORD: tikipass
  ELASTICSEARCH_HOST: elasticsearch
  #The source for these images is at https://github.com/rjsmelo/docker-ubuntu-php
  #Would be nice to update them from code, similar to https://medium.com/devops-with-valentine/how-to-build-a-docker-image-and-push-it-to-the-gitlab-container-registry-from-a-gitlab-ci-pipeline-acac0d1f26df
  BASE_QA_IMAGE: rjsmelo/ubuntu-php:8.1-qa
  #DBDiff is sensitive to mysql version.  
  #The schemas dumped for prior tikis on https://gitlab.com/tikiwiki/tikiwiki-ci-databases have explicit COLLATION() statements for each table column.  Later versions of mysql (8.0.11+, but not sure) will not dump the same whits explicit collations.
  #Running php doc/devtools/check_schema_upgrade.php -m 22 --db1=tiki:tiki@localhost:tikiold --db2=tiki:tiki@localhost:tikinew gives other errors localy that are false positives.  But locally, unless you decompress https://gitlab.com/tikiwiki/tikiwiki-ci-databases into doc/devtool/dbdiff/cache, tiki.org won't give the schemas to you, and will blacklist your IP address!  benoitg - 2023-05-16

  MARIADB_IMAGE_NEWEST_SUPPORTED: mariadb:10.11.7
  MARIADB_IMAGE_OLDEST_SUPPORTED: mariadb:10.5.11
  MYSQL_IMAGE_NEWEST_SUPPORTED: mysql:8.0.36
  MYSQL_IMAGE_OLDEST_SUPPORTED: mysql:8.0.29
  MANTICORE_NEWEST_SUPPORTED: 6.3.6
  #Only for older version upgrade tests these days
  MYSQL_5_IMAGE: mysql:5.7.44
  NODE_IMAGE: node:20
  MANTICORE_DSN: http://manticore
  # You can set USE_GITLAB_PROXY to "true" in your project configuration to use the gitlab dependency proxy. (default not using as it may cause issues for some accounts)
  USE_GITLAB_PROXY: ''
  # Default value for DEPENDENCY_PROXY_PREFIX (not using any proxy), you can set this on your project also if you do not set USE_GITLAB_PROXY to "true"
  DEPENDENCY_PROXY_PREFIX: ''
  npm_config_cache: "$CI_PROJECT_DIR/.npm"
  #Be careful here, composer cache dir handling can be a bit surprising.
  #If cache dir is a relative path, it's relative to the working directory, or the -d parameter if specified.
  #If cache dir in an absolute path, it's used as is.
  #Since we use multiple vendor directories, and gitlab-ci has different rules for cache, and we want a global cache, we use ${CI_PROJECT_DIR} here so it's always at the root
  COMPOSER_CACHE_DIR: ${CI_PROJECT_DIR}/.composercache
  PROJECT_PATH: "tikiwiki/tiki"

workflow:
  rules:
    # IGNORE PUSHES ON NON VERSION BRANCHES
    - if: '$CI_PIPELINE_SOURCE == "push" && ($CI_COMMIT_BRANCH != "master" && $CI_COMMIT_BRANCH !~ /^\d*\.x$/)'
      when: never
    #CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX was terribly defined by gitlab, because you need to append a / to every image name.
    #So you can't just use CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX prepended to every image name.
    #The following is a workround: 
    #gitlab-ci-local doesn't support rules variables yet, so it skips anyway
    #https://github.com/firecow/gitlab-ci-local/issues/691
    #
    #But since DEPENDENCY_PROXY_PREFIX is set to the empty string above, 
    #DEPENDENCY_PROXY_PREFIX will have no effect
    #This will run in gitlab-ci-local
    #
    - if: $CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX != "" && $USE_GITLAB_PROXY == 'true'
      variables:
        DEPENDENCY_PROXY_PREFIX: ${CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX}/
    # THIS WILL TRIGGER PIPELINES FOR MERGE REQUESTS AND SCHEDULES, AND PUSHES ON VERSION BRANCHES LIKE 21.x. 18.x
    - when: always

#Inspired from https://dev.to/drakulavich/gitlab-ci-cache-and-artifacts-explained-by-example-2opi

# Define a hidden job to be used with extends
# Better than default to avoid activating cache for all jobs
.node_dependencies_cache:
  image:
    name: ${DEPENDENCY_PROXY_PREFIX}${NODE_IMAGE}
  cache:
    key:
      files:
        - package-lock.json
    paths:
      - .npm
    policy: pull

node_modules:
  stage: build
  needs: []
  script:
    - npm ci --prefer-offline
  extends: .node_dependencies_cache
  cache:
    policy: pull-push
  artifacts:
    expire_in: 2 days
    paths:
      - node_modules
      - src/**/node_modules

#Tests for a successful compile of all generated files
node_build:
  stage: build
  needs: 
    - node_modules  #This is only because we still have some scss files installed from composer - 2023-11-17
    - composer
  image:
    name: ${DEPENDENCY_PROXY_PREFIX}${NODE_IMAGE}
  script:
    - npm run build
  artifacts:
    expire_in: 2 days
    paths:
      - public/generated/
      - themes/**/*.css # this includes not only the generated files, but all css files. Still should be ok.
      - themes/**/*.css.map
#
# build
#

.cache-vendor_bundled: &cache-vendor_bundled
    key:
      prefix: "vendor_bundled"
      files:
          - vendor_bundled/composer.lock
    paths:
      - vendor_bundled/vendor
    policy: pull

.cache-composercache: &cache-composercache
    key:
      prefix: "composer"
      files:
        - vendor_bundled/composer.lock
    paths:
      - .composercache/
    policy: pull-push

composer:
  stage: build
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  variables:
    COMPOSER_DISCARD_CHANGES: "true"
    COMPOSER_NO_INTERACTION: "1"
  script:
    - composer -V | grep "version 2" || composer self-update --2
    - composer --ansi install -d vendor_bundled --no-progress --prefer-dist --no-interaction
  cache: [*cache-composercache, *cache-vendor_bundled]
  artifacts:
    paths:
      - vendor_bundled/vendor/
    expire_in: 2 days

composer-dbdiff:
  stage: build
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  variables:
    COMPOSER_DISCARD_CHANGES: "true"
    COMPOSER_NO_INTERACTION: "1"
    COMPOSER_CACHE_DIR: ${CI_PROJECT_DIR}/.composercache-dbdiff
  script:
    - composer -V | grep "version 2" || composer self-update --2
    - composer --ansi install -d doc/devtools/dbdiff/ --no-progress --prefer-dist -n
  cache:
    key:
      prefix: "composer-dbdiff"
      files:
        - doc/devtools/dbdiff/composer.lock
    paths:
      - .composercache-dbdiff/
    policy: pull-push
  artifacts:
    paths:
      - doc/devtools/dbdiff/vendor/
    expire_in: 2 days
    when: always


#
# Lint
#

phpcs:
  stage: lint
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php vendor_bundled/vendor/squizlabs/php_codesniffer/bin/phpcs --cache=phpcs.cache -s --runtime-set ignore_warnings_on_exit true --parallel=8
  cache:
    - key:
        prefix: "phpcs"
        files:
          - phpcs.xml.dist
      paths:
        - phpcs.cache
      policy: pull-push

phplint:
  stage: lint
  image: ${DEPENDENCY_PROXY_PREFIX}rjsmelo/ubuntu-php:${PHP_VERSION}-qa
  needs:
    - composer
  script:
    - php vendor_bundled/vendor/overtrue/phplint/bin/phplint -n --configuration=doc/devtools/phplint.yml
  cache:
    key: phplint${PHP_VERSION}
    paths:
      - phplint.cache
  parallel:
    matrix:
      - PHP_VERSION: "8.1"
      - PHP_VERSION: "8.2"
      - PHP_VERSION: "8.3"

smarty-lint:
  stage: lint
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php vendor_bundled/vendor/umakantp/smartylint/smartyl -p --files=lib/test,templates,themes --rules=doc/devtools/smartyl.rules.xml

eslint:
  stage: lint
  needs: 
    - node_modules
  image:
    name: ${DEPENDENCY_PROXY_PREFIX}${NODE_IMAGE}
    #entrypoint: ["/bin/sh", "-c"]
  script:
    - npx eslint .
      
shlint:
  stage: lint
  needs: []
  image: koalaman/shellcheck-alpine:latest
  script:
    - shellcheck ./*.sh
    - shellcheck ./doc/devtools/*.sh

check-bom-encoding:
  stage: lint
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php doc/devtools/check_bom_encoding.php

unix-ending-line:
  stage: lint
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php doc/devtools/check_unix_ending_line.php

#
# Check Tikiwiki development specific check (related also with release)
#

sql-engine:
  stage: tiki-check
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php -d display_errors=On doc/devtools/check_sql_engine.php

schema-sql-drop:
  stage: tiki-check
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php -d display_errors=On doc/devtools/check_schema_sql_drop.php

schema-naming-convention:
  stage: tiki-check
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php -d display_errors=On doc/devtools/check_schema_naming_convention.php

translation:
  stage: tiki-check
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - git log --first-parent --pretty="format:%h" -1 --skip=1 | xargs -I gitHash php -d display_errors=On console.php translation:englishupdate --diff-command="git diff gitHash" --git --audit
  allow_failure: true

translation-standards:
  stage: tiki-check
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php doc/devtools/check_template_translation_standards.php --all

satis-validates:
  stage: tiki-check
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php doc/devtools/check_satis_validation.php
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "master"'

#This is a non-network check
composer-validates:
  stage: tiki-check
  needs: []
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - composer -V | grep "version 2" || composer self-update --2
    - composer validate -d vendor_bundled --no-check-all
    - php doc/devtools/check_composer_dist_urls.php

#This tests if composer COULD update the current composer.lock (it is coherent and installable).  This is important because a developer wanting to update or add a dependency wouldn't be able to do so without figuring out why a composer.lock cannot be generated even before his changes.
#What we want to know is if a developer could successfully generate a new composer.lock file to update minor versions, or when adding dependencies.  Not if he could generate a minimal-impact composer.lock file with composer update --lock on stable branches, which is much harder, and not necessary for the master branch.
#This is a network check, it could fail because composer.tiki.org is not up to date or some other non-code related reason.
composer-could-update-lock:
  stage: tiki-check
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  
  script:
    - composer -V | grep "version 2" || composer self-update --2
    - composer update -d vendor_bundled --dry-run
  cache: [*cache-composercache]
  #This test should only run when composer-validates fail (because changes in the upstream deps can make this fail without code changes).  But I could find no way to have a test only run in gitlab-ci if a specific one fails.  So allow it to fail like composer-lock for now - benoitg 2023-05-03
  allow_failure: true

#This tests if composer update --lock WOULD update the current composer.lock (version hash changes, other changes) even if the dependencies required versions do not change.  This should only be important at release
.composer-lock:
  stage: tiki-check
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - cp $(command -v composer) temp/composer.phar
    - php temp/composer.phar -V | grep "version 2" || php temp/composer.phar self-update --2
    - php doc/devtools/update_composer_lock.php
  before_script:
    - mkdir before || true
    - cp vendor_bundled/composer.json vendor_bundled/composer.lock before
  after_script:
    - mkdir after || true
    - cp vendor_bundled/composer.json vendor_bundled/composer.lock after
    - diff -u before/composer.lock after/composer.lock
  artifacts:
    paths:
      - before
      - after
    expire_in: 2 days
    when: always
  cache: [*cache-composercache]
  allow_failure:
      exit_codes: 1

.template-tiki-schema-upgrade: &template-tiki-schema-upgrade
  stage: tiki-check
  needs:
    - composer
    - composer-dbdiff
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  services:
    - name: ${DEPENDENCY_PROXY_PREFIX}$IMAGE
      alias: mysql,
      command: ["--character-set-server=utf8mb4", "--collation-server=utf8mb4_unicode_ci"]
  script:
    - 'mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql --skip-column-names -B -e "SELECT CONCAT(''Version: '', VERSION(), CHAR(13), ''sql_mode: '', @@GLOBAL.sql_mode);SET GLOBAL log_bin_trust_function_creators = 1;"'
    - echo "GRANT ALL ON tikiold.* TO '${MYSQL_USER}';" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - echo "GRANT ALL ON tikinew.* TO '${MYSQL_USER}';" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - '[ ! -d doc/devtools/dbdiff/cache ] && mkdir doc/devtools/dbdiff/cache'
    - '[ ! -f doc/devtools/dbdiff/cache/$DBFILE ] && curl -sS https://gitlab.com/tikiwiki/tikiwiki-ci-databases/raw/master/$DBFILE.gz -o doc/devtools/dbdiff/cache/$DBFILE.gz && gzip -d doc/devtools/dbdiff/cache/$DBFILE.gz'
    - php -d display_errors=On doc/devtools/check_schema_upgrade.php -m $DBVER -e $ENGINE --db1=$MYSQL_USER:$MYSQL_PASSWORD@mysql:tikiold --db2=$MYSQL_USER:$MYSQL_PASSWORD@mysql:tikinew
  after_script:
    - echo "SHOW CREATE DATABASE tikiold" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - echo "SHOW CREATE DATABASE tikinew" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - mysqldump --column-statistics=0  --default-character-set=utf8mb4 -u root --password=$MYSQL_ROOT_PASSWORD -h mysql tikiold > tikiold.sql
    - mysqldump --column-statistics=0  --default-character-set=utf8mb4 -u root --password=$MYSQL_ROOT_PASSWORD -h mysql tikinew > tikinew.sql
  artifacts:
    paths:
      - tikiold.sql
      - tikinew.sql
    expire_in: 2 days
    when: always

.template-tiki-schema-upgrade-mysql8: &template-tiki-schema-upgrade-mysql8
  <<: *template-tiki-schema-upgrade
  services:
    - name: ${DEPENDENCY_PROXY_PREFIX}$IMAGE
      command: [ "--default-authentication-plugin=mysql_native_password", "--character-set-server=utf8mb4", "--collation-server=utf8mb4_unicode_ci"]
      alias: mysql

db-upgrade-28-mysql:
  <<: *template-tiki-schema-upgrade-mysql8
  variables:
    DBFILE: ci_28.sql
    DBVER: 28
    IMAGE: ${MYSQL_IMAGE_NEWEST_SUPPORTED}
    ENGINE: InnoDB

db-upgrade-27-mysql:
  <<: *template-tiki-schema-upgrade-mysql8
  variables:
    DBFILE: ci_27.sql
    DBVER: 27
    IMAGE: ${MYSQL_IMAGE_NEWEST_SUPPORTED}
    ENGINE: InnoDB

db-upgrade-26-mysql:
  <<: *template-tiki-schema-upgrade
  variables:
    DBFILE: ci_26.sql
    DBVER: 26
    IMAGE: ${MYSQL_5_IMAGE}
    ENGINE: InnoDB

db-upgrade-25-mysql:
  <<: *template-tiki-schema-upgrade
  variables:
    DBFILE: ci_25.sql
    DBVER: 25
    IMAGE: ${MYSQL_5_IMAGE}
    ENGINE: InnoDB

db-upgrade-24-mysql:
  <<: *template-tiki-schema-upgrade
  variables:
    DBFILE: ci_24.sql
    DBVER: 24
    IMAGE: ${MYSQL_5_IMAGE}
    ENGINE: InnoDB

sql-engine-conversion:
  stage: tiki-check
  needs:
    - composer
    - composer-dbdiff
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  services:
    - name: ${DEPENDENCY_PROXY_PREFIX}${MYSQL_IMAGE_NEWEST_SUPPORTED}
      alias: mysql
  script:
    - 'mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql --skip-column-names -B -e "SELECT CONCAT(''Version: '', VERSION(), CHAR(13), ''sql_mode: '', @@GLOBAL.sql_mode)"'
    - echo "GRANT ALL ON tikiold.* TO '${MYSQL_USER}';" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - echo "GRANT ALL ON tikinew.* TO '${MYSQL_USER}';" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - php -d display_errors=On doc/devtools/check_sql_engine_conversion.php --db1=$MYSQL_USER:$MYSQL_PASSWORD@mysql:tikiold --db2=$MYSQL_USER:$MYSQL_PASSWORD@mysql:tikinew
  after_script:
    - echo "SHOW CREATE DATABASE tikiold" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - echo "SHOW CREATE DATABASE tikinew" | mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql
    - mysqldump --column-statistics=0 -u root --password=$MYSQL_ROOT_PASSWORD -h mysql tikiold > tikiold.sql
    - mysqldump --column-statistics=0 -u root --password=$MYSQL_ROOT_PASSWORD -h mysql tikinew > tikinew.sql
  artifacts:
    paths:
      - tikiold.sql
      - tikinew.sql
    expire_in: 2 days
    when: always

check-custom-folder:
  stage: tiki-check
  needs: []
  script:
    - echo "Changes in the _custom directory are not allowed to merge into mainstream."
    - exit 1
  rules:
    - if: $CI_PROJECT_PATH == $PROJECT_PATH && $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - "_custom/**/*"
      when: always

# This will mostly catch composer platform-check problems.
console-php-works:
  stage: tiki-check
  needs: 
      - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php console.php

#
# Unit Tests
#

.template-unit-tests:
  stage: unit-tests
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}rjsmelo/ubuntu-php:${PHP_VERSION}-qa
  services:
    - name: ${DEPENDENCY_PROXY_PREFIX}${DB_IMAGE}
      alias: mysql
      command: ["--default-authentication-plugin=mysql_native_password", "--explicit-defaults-for-timestamp=off"]
    - name: ${DEPENDENCY_PROXY_PREFIX}elasticsearch:5
      alias: elasticsearch
    - name: ${DEPENDENCY_PROXY_PREFIX}manticoresearch/manticore:${MANTICORE_NEWEST_SUPPORTED}
      alias: manticore
  variables:
    EXTRA: 1
    MCL: 1
  script:
    - 'echo -n "PHP Version: " && php -v | grep "^PHP"'
    - 'echo -n "MySQL/MariaDB Version: " && mysql -u root --password=$MYSQL_ROOT_PASSWORD -h mysql --skip-column-names -B -e "SELECT VERSION()" 2>/dev/null'
    - 'echo -n "ElasticSearch Version: " && curl -sS -XGET ''http://elasticsearch:9200'' | grep ''"number"'' | sed ''s/.*:.*"\(.*\)".*/\1/'''
    - 'echo -n "Manticore Version: " && mysql -h manticore -P 9306 -e "status" | grep "Server version:" | sed "s/^[^:]*:[[:space:]]*//"'
    - echo '<?php $dbversion_tiki = "21.0"; $host_tiki = "mysql"; $user_tiki = "tikiuser"; $pass_tiki = "tikipass"; $dbs_tiki = "tikitest"; $client_charset = "utf8mb4"; ' > lib/test/local.php
    - php -d display_errors=On vendor_bundled/vendor/phpunit/phpunit/phpunit --colors=always --log-junit report.xml --display-deprecations --display-notices --display-warnings
  artifacts:
    when: always
    paths:
      - report.xml
    reports:
      junit: report.xml
    expire_in: 2 days

unit-tests:
  extends: .template-unit-tests
  allow_failure: false
  parallel:
    matrix:
      - PHP_VERSION: "8.1"
        DB_IMAGE: ${MYSQL_IMAGE_OLDEST_SUPPORTED}
      - PHP_VERSION: "8.2"
        DB_IMAGE: ${MYSQL_IMAGE_NEWEST_SUPPORTED}
      - PHP_VERSION: "8.1"
        DB_IMAGE: ${MARIADB_IMAGE_OLDEST_SUPPORTED}
      - PHP_VERSION: "8.3"
        DB_IMAGE: ${MARIADB_IMAGE_NEWEST_SUPPORTED}

unit-tests-node:
  stage: unit-tests
  needs:
    - node_modules
  image:
    name: ${DEPENDENCY_PROXY_PREFIX}${NODE_IMAGE}
  script:
    - npm run testci
  coverage: '/All files(?:[^|]*\|){4}\s*(\S+)/'

#
# Package this Tiki build
#

tiki-package:
  stage: package-tiki
  needs:
    - composer
    - node_build
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    # Remove dev dependencies in composer
    - echo "=> Removing Composer dev dependencies ..."
    - composer -V | grep "version 2" || composer self-update --2
    - composer --ansi install -d vendor_bundled --no-dev --optimize-autoloader --no-progress --prefer-dist -n # remove dev packages
    # TODO: Remove dev dependencies in npm - benoitg - 2023-11-17
    - php console.php dev:buildwsconfs --generate
    # Cleanup folders that may have data, and we do not want to be packed
    - echo "=> Cleanup ..."
    # Assure temp folder is empty
    - rm -fr temp && git checkout temp
    # remove bin directory
    - rm -fr bin
    # Log files that are not part of GIT in the folder (exclude the ones expected)
    - echo "=> Files in the folder not tracked in git ..."
    - git ls-files --others | grep -v vendor_bundled/vendor/ | grep -v .composercache/ || echo "Ignore Failure"
    # remove comments from language files
    - echo "=> Optimize language files ..."
    - find lang/ -name language.php -exec php doc/devtools/stripcomments.php {} \;
    # set Permissions
    - echo "=> Fix permissions ..."
    - find . -type f -exec chmod 0664 {} \;
    - chown 0775 setup.sh
    - find . -type d -exec chmod 0755 {} \;
    # pack
    - echo "=> Pack tiki ..."
    - tar --exclude *.DS_Store --exclude tests --exclude doc/devtools --exclude .git --exclude .gitignore --exclude .composercache -pczf tiki-${CI_COMMIT_SHORT_SHA}-${CI_COMMIT_REF_SLUG}.tar.gz *
  cache: [*cache-composercache]
  artifacts:
    paths:
      - tiki-${CI_COMMIT_SHORT_SHA}-${CI_COMMIT_REF_SLUG}.tar.gz
    expire_in: 2 days
  allow_failure: true

check-directories:
  stage: package-tiki
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - php console.php dev:buildwsconfs --generate
    - php console.php dev:buildwsconfs

# Vendors Security
#

#disabled, showld be generated from /lib/core/Tiki/Package/ComposerPackages.yml
.vendor-security-check:
  stage: vendors-security
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - composer -V | grep "version 2" || composer self-update --2
    - cp composer.json.dist composer.json
    # These are packages frequently installed with tiki, but not distributed with it
    # This should be generated from /lib/core/Tiki/Package/ComposerPackages.yml
    # It wasn't automated before, and I don't know how we were supposed to get some of these packages locally.  php console.php package:list can generate the list, but I can find no command to install them all - benoitg - 2023-05-04
    - composer require jerome-breton/casperjs-installer:dev-master --no-progress
    - composer require enygma/expose:^3.0 --no-progress
    - composer require fullcalendar/fullcalendar-scheduler ^1.9 --no-progress
    - composer require fakerphp/faker dev-master --no-progress
    - composer require google/apiclient ^2.2.2 --no-progress
    - composer require mpdf/mpdf ^8.0.0 --no-progress
    - composer require xorti/mxgraph-editor ^3.9.12.2 --no-progress
    - composer require tikiwiki/diagram ^10 --no-progress
    - composer require thiagoalessio/tesseract_ocr ^2.7.0 --no-progress
    - composer require mathjax/mathjax ^2.7 --no-progress
    - composer require media-alchemyst/media-alchemyst ^0.5.1 --no-progress
    - composer require npm-asset/pdfjs-dist ~2.0.487 --no-progress
    - composer require bower-asset/wodo.texteditor ^0.5.9 --no-progress
    - composer require j0k3r/php-readability ^1.1.10 --no-progress
  allow_failure: false
  only:
    refs:
      - schedules
    variables:
      - $SCHEDULER == "vendor_check"

vendor-bundled-security-check:
  stage: vendors-security
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  script:
    - composer -V | grep "version 2\.[6-9]" || composer self-update 2.6.3
    - cd vendor_bundled
    - composer audit --locked --no-dev
  allow_failure: true
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - "vendor_bundled/composer.json"
        - "vendor_bundled/composer.lock"
    - if: $CI_PIPELINE_SOURCE == "schedule" && $SCHEDULER == "vendor_check"

update_vendor_bundled_dependencies:
  stage: vendors_update
  needs:
    - composer
  image: ${DEPENDENCY_PROXY_PREFIX}${BASE_QA_IMAGE}
  variables:
    BRANCH_NAME: "${CI_COMMIT_REF_NAME}_vendor_bundled_update"
    COMMIT_MESSAGE: "[UPD] Update ${CI_COMMIT_REF_NAME} vendor_bundled dependencies"
    CI_REPOSITORY_URL: "https://${GITLAB_USER_LOGIN}:${GITLAB_USER_TOKEN}@gitlab.com/${CI_PROJECT_PATH}.git"
    COMPOSER_DISCARD_CHANGES: "true"
    COMPOSER_NO_INTERACTION: "1"
  before_script:
    - git config --global user.email "${GITLAB_USER_EMAIL}"
    - git config --global user.name "${GITLAB_USER_NAME}"
  script:
    - composer -V | grep "version 2" || composer self-update --2
    - DATE=`date +%Y%m%d`
    - BRANCH_NAME="${BRANCH_NAME}_${DATE}"
    - php doc/devtools/update_vendor_bundled.php
    - if git diff --quiet --exit-code vendor_bundled/composer.lock; then exit 0; fi;
    - if git rev-parse --verify ${BRANCH_NAME}; then git branch -D ${BRANCH_NAME}; fi;
    - git checkout -b ${BRANCH_NAME}
    - git add vendor_bundled/composer.lock
    - git commit -m "${COMMIT_MESSAGE}"
    - git push ${CI_REPOSITORY_URL} HEAD:${BRANCH_NAME} --quiet
    - |
      HOST=${CI_PROJECT_URL} CI_PROJECT_ID=${CI_PROJECT_ID} SOURCE_BRANCH=${BRANCH_NAME} TARGET_BRANCH=${CI_COMMIT_REF_NAME} GITLAB_USER_ID=${GITLAB_USER_ID} PRIVATE_TOKEN=${GITLAB_USER_TOKEN} TARGET_PROJECT_ID=${TARGET_PROJECT_ID} SET_MERGE=${SET_MERGE} \
      /bin/bash ./doc/devtools/gitlab/auto_merge_request.sh "${COMMIT_MESSAGE} (${DATE})"
  only:
    refs:
      - schedules
    variables:
      - $SCHEDULER == "update_vendor_bundled"