.gitlab-ci.yml

stages:
  - prepare
  - cs-fix
  - audit
  - lint
  - build
  - tests
  - sentry
  - deploy

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_TAG == null

variables:
  # renovate: datasource=github-releases depName=maglnet/ComposerRequireChecker
  COMPOSER_REQUIRE_CHECKER_VERSION: 4.14.0
  # renovate: datasource=github-releases depName=composer-unused/composer-unused
  COMPOSER_UNUSED_VERSION: 0.8.11
  DRENSO_PHP_VERSION: 8.3-d3-sury
  NODE_VERSION: 20
  # renovate: datasource=github-releases depName=fabpot/local-php-security-checker
  PHP_SEC_CHECK_VERSION: 2.1.3
  SASSLINT_VERSION: 1.12.1-d1
  SHELLCHECK_VERSION: v0.7.2
  TSLINT_VERSION: 5.18.0
  YAMLLINT_DIRECTORIES: config
  YAMLLINT_VERSION: 1.0.0
  YARN_AUDIT_EXCLUDE_LIST: ""

# Prepare
install-dependencies:
  stage: prepare
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  interruptible: true
  cache:
    key:
      files:
        - composer.lock
      prefix: ${CI_PROJECT_PATH_SLUG}_composer
    paths:
      - vendor/
  artifacts:
    name: "${CI_JOB_NAME}_${CI_COMMIT_REF_NAME}_php"
    expire_in: 1 day
    paths:
      # Default paths from this stage. If you need more, make sure to copy these in your build step
      - assets/js/_fos_routes.json
      - vendor/friendsofsymfony/jsrouting-bundle/Resources/public/js
      - vendor/drenso/symfony-shared/src/Resources/translations
      - .secrets.json
      # Extra paths
      - assets/js/_fos_routes.json
      - vendor/studio-42/elfinder/css
      - vendor/studio-42/elfinder/img
      - vendor/studio-42/elfinder/js
      - vendor/studio-42/elfinder/sounds
  before_script:
    - cp .secrets.json.dist .secrets.json
    - >- # Fix for http-host used in fos-js routing
      if [ "$CI_COMMIT_REF_NAME" = "master" ]; then
        export HTTP_HOST="${STAGING_HOST}"
      elif [ "$CI_COMMIT_REF_NAME" = "research" ]; then
        export HTTP_HOST="${RESEARCH_HOST}"
      else
        export HTTP_HOST="${PRODUCTION_HOST}"
      fi
    - "sed -i \"s/HTTP_HOST=.*/HTTP_HOST=${HTTP_HOST}/g\" .env" # Set HTTP_HOST in env file, as env only no longer works
    - if [ -z ${COMPOSER_USER+x} ]; then echo "COMPOSER_USER not set, skipping composer auth configuration" ; else composer config http-basic.composer.drenso.dev ${COMPOSER_USER} ${COMPOSER_PASSWORD}; fi
  script:
    - composer validate --no-check-all
    - composer install --no-interaction --no-progress
  after_script:
    - find vendor/ -name .git -type d -exec rm -rf {} \+
  tags:
    - docker
  except:
    - schedules

install-js-dependencies:
  stage: prepare
  image: "node:${NODE_VERSION}"
  interruptible: true
  cache:
    key:
      files:
        - yarn.lock
      prefix: ${CI_PROJECT_PATH_SLUG}_yarn
    paths:
      - node_modules/
  script:
    # Install the dependencies
    - yarn install
    - >- # Use upstream dotron version when triggered from dotron repo
      if [ -n "${UPSTREAM_DOTRON_VERSION}" ]; then
        echo "Using updated dotron version ${UPSTREAM_DOTRON_VERSION}"
        yarn add @utwente/dotron-app@${UPSTREAM_DOTRON_VERSION}
      fi
  tags:
    - docker
  except:
    - schedules

# Code style fixer
code-style-fixer:
  stage: cs-fix
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  needs:
    - job: install-dependencies
      artifacts: false
  cache:
    - key:
        files:
          - composer.lock
        prefix: ${CI_PROJECT_PATH_SLUG}_composer
      paths:
        - vendor/
      policy: pull
    - key: # See https://getrector.com/documentation/cache-in-ci
        files:
          - composer.lock
          - rector.php
        prefix: ${CI_PROJECT_PATH_SLUG}_rector
      paths:
        - var/cache/rector
    - key:
        files:
          - composer.lock
          - .php-cs-fixer.dist.php
        prefix: ${CI_PROJECT_PATH_SLUG}_phpcsfixer
      paths:
        - .php-cs-fixer.cache
    - key:
        files:
          - composer.lock
          - .twig-cs-fixer.dist.php
        prefix: ${CI_PROJECT_PATH_SLUG}_twigcsfixer
      paths:
        - .twig-cs-fixer.cache
  script:
    - >-
      if [[ "skip" == $(php -r "echo (str_starts_with('$CI_COMMIT_REF_NAME', 'renovate/') && "'!'"str_contains('$CI_COMMIT_REF_NAME', 'rector-rector') && "'!'"str_contains('$CI_COMMIT_REF_NAME', 'friendsofphp-php-cs-fixer') && "'!'"str_contains('$CI_COMMIT_REF_NAME', 'vincentlanglet-twig-cs-fixer') && "'!'"str_contains('$CI_COMMIT_REF_NAME', 'intern-runner-templates')) ? 'skip' : '';") ]]; then echo "Skipping automated code style fix tasks"; exit 0; fi
    - if [[ -f .secrets.json.dist ]]; then cp .secrets.json.dist .secrets.json; fi
    - "[[ -d public/email/ ]] || mkdir public/email" # Create email folder for cache clear.
    - if [[ -f bin/console ]]; then bin/console cache:clear --env=dev; fi # Build cache so it can be used by Rector
    - vendor/bin/rector --no-progress-bar --no-diffs
    - vendor/bin/php-cs-fixer fix
    - "[[ -f vendor/bin/twig-cs-fixer ]] && vendor/bin/twig-cs-fixer lint --fix --report junit > twigcs.xml || echo 'Twig CS Fixer not installed, skipping'"
    - if [[ $(git status --porcelain | wc -l) -eq "0" ]]; then echo "All looks good 👍🏻"; exit 0; fi
    - echo "Changes required 👎🏻"
    - git config gc.auto 0 # Disable automatic GC
    - git config user.name "CS Fixer" # Set commit use
    - git config user.email "cs-fixer@drenso.nl"
    - export CS_FIX_BRANCH="cs-fixer-${CI_PIPELINE_IID}-${RANDOM}" # Generate a branch name
    - git checkout -b ${CS_FIX_BRANCH}
    - git commit -a -m "Automated CS fixes" # Make the commit
    - git remote set-url origin git@gitlab.utwente.nl:${CI_PROJECT_NAMESPACE}/${CI_PROJECT_NAME}.git # Setup remote
    - mkdir -p ~/.ssh
    - echo "${GITLAB_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - eval $(ssh-agent -s)
    - ssh-add <(echo "${CS_FIXER_KEY}")
    - git push -u origin ${CS_FIX_BRANCH}:${CI_COMMIT_REF_NAME}
  artifacts:
    reports:
      junit: twigcs.xml
  tags:
    - docker
  except:
    - schedules
    - master
    - production

# Security audit
php-cve-check:
  stage: audit
  image: alpine:latest
  needs: []
  interruptible: true
  before_script:
    - wget -q -O local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SEC_CHECK_VERSION}/local-php-security-checker_linux_amd64
    - chmod +x local-php-security-checker
  script:
    - ./local-php-security-checker
  tags:
    - docker

composer-audit:
  stage: audit
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  interruptible: true
  script:
    - composer audit --locked
  tags:
    - docker

yarn-audit:
  stage: audit
  image: "node:${NODE_VERSION}"
  needs: []
  interruptible: true
  script:
    - yarn global add improved-yarn-audit
    - improved-yarn-audit --ignore-dev-deps --exclude ${YARN_AUDIT_EXCLUDE_LIST}
  tags:
    - docker

# Lint
composer-require-checker:
  stage: lint
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  interruptible: true
  needs:
    - job: install-dependencies
      artifacts: false
  cache:
    key:
      files:
        - composer.lock
      prefix: ${CI_PROJECT_PATH_SLUG}_composer
    paths:
      - vendor/
    policy: pull
  before_script:
    - curl -JOL https://github.com/maglnet/ComposerRequireChecker/releases/download/${COMPOSER_REQUIRE_CHECKER_VERSION}/composer-require-checker.phar
    # Remove files that are not used but break due to the usage of reserved keywords
    - rm vendor/jms/serializer/src/Annotation/ReadOnly.php
  script:
    - if [[ -f composer-require-checker.json ]]; then php composer-require-checker.phar --config-file=$(pwd)/composer-require-checker.json; else php composer-require-checker.phar; fi;
  tags:
    - docker
  except:
    - schedules
    - master
    - production

composer-unused:
  stage: lint
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  interruptible: true
  needs:
    - job: install-dependencies
      artifacts: false
  cache:
    key:
      files:
        - composer.lock
      prefix: ${CI_PROJECT_PATH_SLUG}_composer
    paths:
      - vendor/
    policy: pull
  artifacts:
    reports:
      codequality: composer-unused.json
  before_script:
    - curl -JOL https://github.com/composer-unused/composer-unused/releases/download/${COMPOSER_UNUSED_VERSION}/composer-unused.phar
  script:
    - php composer-unused.phar --no-progress --output-format=gitlab > composer-unused.json
    - cat composer-unused.json
  tags:
    - docker
  except:
    - schedules
    - master
    - production

shellcheck:
  stage: lint
  image: "koalaman/shellcheck-alpine:${SHELLCHECK_VERSION}"
  needs: []
  interruptible: true
  before_script:
    - shellcheck --version
  script:
    - find . -name "*.sh" -not -path "./vendor/*" -exec shellcheck {} +
  tags:
    - docker
  except:
    - schedules
    - master
    - production

phpstan:
  stage: lint
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  interruptible: true
  needs:
    - job: install-dependencies
      artifacts: false
  cache:
    - key:
        files:
          - composer.lock
        prefix: ${CI_PROJECT_PATH_SLUG}_composer
      paths:
        - vendor/
      policy: pull
    - key:
        files:
          - composer.lock
          - phpstan.dist.neon
        prefix: ${CI_PROJECT_PATH_SLUG}_phpstan
      paths:
        - var/cache/phpstan
  script:
    - if [[ -f .secrets.json.dist ]]; then cp .secrets.json.dist .secrets.json; fi
    - if [[ -f bin/console ]]; then bin/console cache:clear --env=dev; fi # Build cache so it can be used by PHPStan
    - sed -i "s/OIDC_WELL_KNOWN=.*/OIDC_WELL_KNOWN=https:\/\/connect.surfconext.nl\/\.well-known\/openid-configuration/g" .env # Set OIDC_WELL_KNOWN to a known good url in env file
    - vendor/bin/phpstan analyse --error-format gitlab > phpstan.json
  after_script:
    - if [[ -f phpstan.json ]]; then cat phpstan.json; fi
  artifacts:
    reports:
      codequality: phpstan.json
  tags:
    - docker
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule" || $CI_PIPELINE_SOURCE == "merge_request_event" || $CI_COMMIT_TAG != null
      when: never
    - if: $CI_COMMIT_REF_NAME != "master" && $CI_COMMIT_REF_NAME != "production"
      when: on_success
    - when: never

js-analysis:
  stage: lint
  image:
    name: eeacms/jshint:latest
    entrypoint: [ "" ]
  needs: [ ]
  before_script:
    - cp tests/jshint/.jshintignore .
  script:
    - /usr/bin/jshint src --verbose --config tests/jshint/config
  tags:
    - docker
  except:
    - schedules
    - master
    - production

ts-analysis:
  stage: lint
  image: "registry.drenso.dev/open/docker-images/tslint:${TSLINT_VERSION}"
  needs: []
  interruptible: true
  script:
    - tslint --project .
  tags:
    - docker
  except:
    - schedules
    - master
    - production

yaml-analysis:
  stage: lint
  image: "registry.gitlab.utwente.nl/idb/docker-images/yamllint:${YAMLLINT_VERSION}"
  needs: []
  interruptible: true
  script:
    - yamllint -c tests/yamllint/config ${YAMLLINT_DIRECTORIES}
  tags:
    - docker
  except:
    - schedules
    - master
    - production

sass-analysis:
  stage: lint
  image: "registry.drenso.dev/open/docker-images/sasslint:${SASSLINT_VERSION}"
  needs: []
  interruptible: true
  script:
    - sass-lint -v -c tests/sass-lint/.sass-lint.yml
  tags:
    - docker
  except:
    - schedules
    - master
    - production

# Build
build-assets:
  stage: build
  image: "node:${NODE_VERSION}"
  interruptible: true
  needs:
    - install-dependencies
    - install-js-dependencies
  cache:
    - key:
        files:
          - yarn.lock
        prefix: ${CI_PROJECT_PATH_SLUG}_yarn
      paths:
        - node_modules/
      policy: pull
    - key:
        files:
          - yarn.lock
          - webpack.config.js
        prefix: ${CI_PROJECT_PATH_SLUG}_webpack_persistent_cache
      paths:
        - node_modules/.cache/webpack
  artifacts:
    name: "${CI_JOB_NAME}_${CI_COMMIT_REF_NAME}_assets"
    expire_in: 1 day
    paths:
      - public/build
      - public/email
  script:
    - yarn build
  tags:
    - docker
  except:
    - schedules

# Tests
phpunit:
  stage: tests
  image:
    name: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
    entrypoint: [""]
  interruptible: true
  needs:
    - install-dependencies
  cache:
    key:
      files:
        - composer.lock
      prefix: ${CI_PROJECT_PATH_SLUG}_composer
    paths:
      - vendor/
    policy: pull
  before_script:
    - cp phpunit.xml.dist phpunit.xml
  script:
    - vendor/bin/phpunit --log-junit report.xml
  tags:
    - docker
  except:
    - schedules
    - master
    - production

action-security-check:
  stage: tests
  image: "registry.drenso.dev/open/docker-images/php:${DRENSO_PHP_VERSION}"
  interruptible: true
  needs:
    - install-dependencies
  cache:
    key:
      files:
        - composer.lock
      prefix: ${CI_PROJECT_PATH_SLUG}_composer
    paths:
      - vendor/
    policy: pull
  script:
    - php bin/console drenso:check:action-security
  tags:
    - docker
  except:
    - schedules
    - master
    - production

# Sentry
sentry-release-staging:
  stage: sentry
  image: getsentry/sentry-cli
  dependencies: []
  script:
    - sentry-cli releases new -p ${SENTRY_PROJECT} ${SENTRY_PROJECT}@${CI_COMMIT_SHA:0:8}
  tags:
    - docker
  only:
    - master
  except:
    - schedules

sentry-release-production:
  stage: sentry
  image: getsentry/sentry-cli
  dependencies: []
  script:
    - sentry-cli releases finalize ${SENTRY_PROJECT}@${CI_COMMIT_SHA:0:8}
    - sentry-cli releases deploys ${SENTRY_PROJECT}@${CI_COMMIT_SHA:0:8} new --env prod
  tags:
    - docker
  only:
    - production
  except:
    - schedules

# Deploy
deploy-staging:
  stage: deploy
  image: registry.drenso.dev/open/docker-images/release:1.0
  resource_group: deploy-staging
  dependencies: []
  variables:
    GIT_STRATEGY: none
  before_script:
    - mkdir -p ~/.ssh
    - echo "${STAGING_HOST_SSH} ${STAGING_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - echo "[${STAGING_HOST_SSH}]:${STAGING_HOST_SSH_PORT} ${STAGING_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - eval $(ssh-agent -s)
    - ssh-add <(echo "${STAGING_HOST_SSH_PRIVATE_KEY}")
  script:
    - ssh -tt ${STAGING_USER}@${STAGING_HOST_SSH} -p ${STAGING_HOST_SSH_PORT} ${CI_PIPELINE_ID}
  environment:
    name: Staging
    url: https://${STAGING_HOST}
  tags:
    - docker-deploy
  only:
    - master
  except:
    - schedules

deploy-research:
  stage: deploy
  image: registry.drenso.dev/open/docker-images/release:1.0
  resource_group: deploy-staging
  dependencies: []
  variables:
    GIT_STRATEGY: none
  before_script:
    - mkdir -p ~/.ssh
    - echo "${JUMP_HOST} ${JUMP_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - echo "${RESEARCH_HOST_SSH} ${RESEARCH_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - echo "[${RESEARCH_HOST_SSH}]:${RESEARCH_HOST_SSH_PORT} ${RESEARCH_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - eval $(ssh-agent -s)
    - ssh-add <(echo "${RESEARCH_HOST_SSH_PRIVATE_KEY}")
    - ssh-add <(echo "${JUMP_HOST_SSH_PRIVATE_KEY}")
  script:
    - ssh -tt -J ${JUMP_USER}@${JUMP_HOST} ${RESEARCH_USER}@${RESEARCH_HOST_SSH} -p ${RESEARCH_HOST_SSH_PORT} ${CI_PIPELINE_ID}
  environment:
    name: Research
    url: https://${RESEARCH_HOST}
  tags:
    - docker-deploy
  only:
    - research
  except:
    - schedules

deploy-production:
  stage: deploy
  image: registry.drenso.dev/open/docker-images/release:1.0
  resource_group: deploy-production
  dependencies: []
  variables:
    GIT_STRATEGY: none
  before_script:
    - mkdir -p ~/.ssh
    - echo "${JUMP_HOST} ${JUMP_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - echo "${PRODUCTION_HOST_SSH} ${PRODUCTION_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - echo "[${PRODUCTION_HOST_SSH}]:${PRODUCTION_HOST_SSH_PORT} ${PRODUCTION_HOST_SSH_FINGERPRINT}" >> ~/.ssh/known_hosts
    - eval $(ssh-agent -s)
    - ssh-add <(echo "${PRODUCTION_HOST_SSH_PRIVATE_KEY}")
    - ssh-add <(echo "${JUMP_HOST_SSH_PRIVATE_KEY}")
  script:
    - ssh -tt -J ${JUMP_USER}@${JUMP_HOST} ${PRODUCTION_USER}@${PRODUCTION_HOST_SSH} -p ${PRODUCTION_HOST_SSH_PORT} ${CI_PIPELINE_ID}
  release:
    name: Release ${CI_COMMIT_SHORT_SHA}
    tag_name: release-$(date "+%Y%m%d")-${CI_COMMIT_SHORT_SHA}
    description: Production release
  environment:
    name: Production
    url: https://${PRODUCTION_HOST}
  tags:
    - docker-deploy
  only:
    - production
  except:
    - schedules