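---
# GitLab CI pipeline: builds the project's Docker image from ./Docker/, pushes it
# to the project registry under the commit SHA, and (on master) re-tags it as
# :latest.  Release, Docker Hub push, SAST, SonarQube and Trivy jobs are kept
# below as commented-out history; they are not part of the active pipeline.
#
# You can override the included template(s) by including variable overrides
# See https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#priority-of-environment-variables

stages:
  # - test
  - build
  - push_local
  # - release
  # - push_dockerhub

# Shared base for every job that talks to Docker-in-Docker.  Jobs pick it up
# with `extends`; keys here are merged into the job (job keys win).
.docker_base:
  image: docker:24.0.5
  services:
    - name: docker:24.0.5-dind
      # TLS between the docker CLI and the dind daemon is switched off here.
      command: ["--tls=false"]
  variables:
    DOCKER_DRIVER: overlay2
    # NOTE(review): the daemon above is started with --tls=false, yet DOCKER_HOST
    # targets 2376, which is the TLS port; a dind started without TLS normally
    # listens on 2375.  Confirm which port the runner actually exposes, or
    # restore the three commented TLS settings below and drop --tls=false
    # (the GitLab-documented configuration).
    DOCKER_HOST: tcp://docker:2376
    # DOCKER_TLS_CERTDIR: "/certs"
    # DOCKER_TLS_VERIFY: 1
    # DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
    # Not referenced by any active job; kept for compatibility.
    IMAGE_TAG: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG"
    FF_GITLAB_REGISTRY_HELPER_IMAGE: 1
  before_script:
    - docker version
    - docker info
    # Diagnostic: proves the runner can resolve the registry host before login.
    - nslookup registry.evanshome.io
    # The token is fed on stdin rather than via -p so it never appears in the
    # job's process list or in a traced command line.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

# Builds the image and pushes it under the full commit SHA.  The registry login
# is inherited from .docker_base's before_script, so it is not repeated here.
build:
  extends:
    - .docker_base
  stage: build
  script:
    # Warm the layer cache: --pull below only refreshes the FROM image, so
    # --cache-from needs :latest present locally.  Best effort — the very
    # first build of a project has no :latest yet.
    - docker pull "$CI_REGISTRY_IMAGE:latest" || true
    - >
      docker build
      --pull
      --cache-from "$CI_REGISTRY_IMAGE:latest"
      --tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
      --build-arg BUILD_DATE="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
      --build-arg VCS_REF="$CI_COMMIT_SHORT_SHA"
      ./Docker/
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# Promotes the image built for this commit to :latest, master only.  The job
# does not need the repository checkout, hence GIT_STRATEGY none.
push local:
  extends:
    - .docker_base
  stage: push_local
  variables:
    GIT_STRATEGY: none
  only:
    - master
  script:
    - docker pull "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" "$CI_REGISTRY_IMAGE:latest"
    - docker push "$CI_REGISTRY_IMAGE:latest"

# --- Inactive jobs (kept for reference) -------------------------------------

# push dockerhub:
#   extends:
#     - .docker_base
#   stage: push_dockerhub
#   variables:
#     GIT_STRATEGY: none
#     CI_DOCKERHUB_IMAGE: index.docker.io/evanrich/py-eagle-mqtt
#     CI_DOCKERHUB_REGISTRY: docker.io
#   only:
#     - tags
#   script:
#     - docker pull $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
#     - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_DOCKERHUB_IMAGE:$CI_COMMIT_REF_NAME
#     - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_DOCKERHUB_IMAGE:latest
#     # If re-enabled, prefer --password-stdin here too instead of -p.
#     - docker login -u "$CI_DOCKERHUB_USER" -p "$CI_DOCKERHUB_PASSWORD" $CI_DOCKERHUB_REGISTRY
#     - docker push $CI_DOCKERHUB_IMAGE --all-tags

# release:
#   image: node:19-alpine3.15
#   stage: release
#   only:
#     refs:
#       - master
#       - alpha
#       # This matches maintenance branches
#       - /^(([0-9]+)\.)?([0-9]+)\.x/
#       # This matches pre-releases
#       - /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
#   except:
#     refs:
#       - tags
#   script:
#     - touch CHANGELOG.md
#     - apk add --no-cache git
#     - npm install @semantic-release/gitlab@10.1.4 @semantic-release/changelog@6.0.2 @semantic-release/git@10.0.1 conventional-changelog-eslint@3.0.9
#     - npx semantic-release
#   artifacts:
#     paths:
#       - CHANGELOG.md

# sast:
#   stage: test
# include:
#   - template: Security/SAST.gitlab-ci.yml

# sonarqube-check:
#   stage: test
#   image:
#     name: sonarsource/sonar-scanner-cli:4.7
#     entrypoint: [""]
#   variables:
#     SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
#     GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
#   cache:
#     key: "${CI_JOB_NAME}"
#     paths:
#       - .sonar/cache
#   script:
#     - sonar-scanner
#   allow_failure: true
#   only:
#     - master  # or the name of your main branch
#     - branches

# trivy:
#   stage: test
#   extends:
#     - .docker_base
#   before_script:
#     - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
#     - echo $TRIVY_VERSION
#     - wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz -O - | tar -zxvf -
#   allow_failure: true
#   script:
#     # Build image
#     - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA ./Docker/
#     # Build report
#     - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --format template --template "@contrib/gitlab.tpl" -o gl-container-scanning-report.json $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
#     # Print report
#     - ./trivy --cache-dir .trivycache/ image --exit-code 0 --no-progress --severity HIGH $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
#     # Fail on severe vulnerabilities
#     - ./trivy --cache-dir .trivycache/ image --exit-code 1 --severity CRITICAL --no-progress $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
#   cache:
#     paths:
#       - .trivycache/
#   # Enables https://docs.gitlab.com/ee/user/application_security/container_scanning/ (Container Scanning report is available on GitLab EE Ultimate or GitLab.com Gold)
#   artifacts:
#     reports:
#       container_scanning: gl-container-scanning-report.json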