.gitlab-ci.yml

stages:
  - test-lint-build
  #  the test stage is required for sast-iac scanning
  - test
  - publish
  - container-scanning
  - dast
  - release-ui
  - deploy

default:
  image: registry.gitlab.com/medicines-discovery-catapult/informatics/docker-images/ci/node:lts-20

variables:
  FF_NETWORK_PER_BUILD: "true" # enable network per build so all services can communicate on the same network

test-lint-build-ui:
  stage: test-lint-build
  variables:
    CLIENT_ORIGIN_URL: "$DEV_CLIENT_ORIGIN_URL"
    AUTH0_DOMAIN: "$DEV_AUTH0_DOMAIN"
    AUTH0_AUDIENCE: "$DEV_AUTH0_AUDIENCE"
    AUTH0_CLIENT_ID: "$DEV_AUTH0_CLIENT_ID"
    DEPLOYMENT_ENV: "dev"
    BACKEND_URL: "$DEV_BACKEND_URL"
  before_script:
    - apt-get -yqq update && apt-get upgrade -yqq chromium libxss1 xvfb
    - export CHROME_BIN=/usr/bin/chromium
    - npm ci
  script:
    - npx eslint .
    - npm run test:ci
    - npm run build --configuration=development
  coverage: /Lines\s+:\s(\d+\.?\d*)%\s\(\s\d+\/\d+\s\)/
  except:
    variables:
      - $CI_COMMIT_MESSAGE =~ /^Setting version to.*/

publish-ui-azure:
  stage: publish
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint:
      - ''
  before_script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
  script:
    - >
      /kaniko/executor
      --context $CI_PROJECT_DIR
      --build-arg VERSION_HASH=$CI_COMMIT_SHORT_SHA
      --build-arg CLIENT_ORIGIN_URL=$AZURE_CLIENT_ORIGIN_URL
      --build-arg AUTH0_DOMAIN=$AZURE_AUTH0_DOMAIN
      --build-arg AUTH0_AUDIENCE=$AZURE_AUTH0_AUDIENCE
      --build-arg AUTH0_CLIENT_ID=$AZURE_AUTH0_CLIENT_ID
      --build-arg DEPLOYMENT_ENV=prod
      --build-arg BACKEND_URL=$AZURE_BACKEND_URL
      --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
      --dockerfile $CI_PROJECT_DIR/Dockerfile
  except:
    refs:
      - main
      - tags
      - develop
    variables:
      - $CI_COMMIT_MESSAGE =~ /^Setting version to.*/

publish-ui:
  stage: publish
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint:
      - ''
  before_script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
  script:
    - >
      /kaniko/executor
      --context $CI_PROJECT_DIR
      --build-arg VERSION_HASH=$CI_COMMIT_SHORT_SHA
      --build-arg CLIENT_ORIGIN_URL=$DEV_CLIENT_ORIGIN_URL
      --build-arg AUTH0_DOMAIN=$DEV_AUTH0_DOMAIN
      --build-arg AUTH0_AUDIENCE=$DEV_AUTH0_AUDIENCE
      --build-arg AUTH0_CLIENT_ID=$DEV_AUTH0_CLIENT_ID
      --build-arg DEPLOYMENT_ENV=dev
      --build-arg BACKEND_URL=$DEV_BACKEND_URL
      --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
      --dockerfile $CI_PROJECT_DIR/Dockerfile-dev
  except:
    refs:
      - main
      - tags
    variables:
      - $CI_COMMIT_MESSAGE =~ /^Setting version to.*/

publish-ui-main:
  stage: publish
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint:
      - ""
  before_script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
  script:
    - >
      /kaniko/executor
      --context $CI_PROJECT_DIR
      --build-arg VERSION_HASH=$CI_COMMIT_SHORT_SHA
      --build-arg CLIENT_ORIGIN_URL=$PROD_CLIENT_ORIGIN_URL
      --build-arg AUTH0_DOMAIN=$PROD_AUTH0_DOMAIN
      --build-arg AUTH0_AUDIENCE=$PROD_AUTH0_AUDIENCE
      --build-arg AUTH0_CLIENT_ID=$PROD_AUTH0_CLIENT_ID
      --build-arg DEPLOYMENT_ENV=prod
      --build-arg BACKEND_URL=$PROD_BACKEND_URL
      --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
      --dockerfile $CI_PROJECT_DIR/Dockerfile
  rules:
    - if: $CI_COMMIT_BRANCH == 'main'

publish-ui-tags:
  stage: publish
  image:
    name: gcr.io/kaniko-project/executor:debug
    entrypoint:
      - ''
  before_script:
    - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
  script:
    - >
      /kaniko/executor
      --context $CI_PROJECT_DIR
      --build-arg VERSION_HASH=$CI_COMMIT_SHORT_SHA
      --build-arg CLIENT_ORIGIN_URL=$PROD_CLIENT_ORIGIN_URL
      --build-arg AUTH0_DOMAIN=$PROD_AUTH0_DOMAIN
      --build-arg AUTH0_AUDIENCE=$PROD_AUTH0_AUDIENCE
      --build-arg AUTH0_CLIENT_ID=$PROD_AUTH0_CLIENT_ID
      --build-arg DEPLOYMENT_ENV=prod
      --build-arg BACKEND_URL=$PROD_BACKEND_URL
      --destination $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME
      --destination $CI_REGISTRY_IMAGE:latest
      --dockerfile $CI_PROJECT_DIR/Dockerfile
  only:
    refs:
      - tags
    variables:
      - "$CI_COMMIT_MESSAGE =~ /^Setting version to.*/"

release-ui:
  stage: release-ui
  script:
    - git checkout main; git pull
    - cictl exec release node
  only:
    refs:
     - main
  except:
    variables:
      - "$CI_COMMIT_MESSAGE =~ /^Setting version to.*/"

deploy:
  stage: deploy
  image:
    name: bitnami/kubectl:latest
    entrypoint: ['']
  script:
    - kubectl config use-context medicines-discovery-catapult/informatics/coshh/coshh-api:coshh-gitlab-agent
    - kubectl rollout restart deployment -n coshh-prod coshh-ui
  only:
    - main
  inherit:
    default: false

deploy-dev:
  stage: deploy
  image:
    name: bitnami/kubectl:latest
    entrypoint: ['']
  script:
    - kubectl config use-context medicines-discovery-catapult/informatics/coshh/coshh-api:coshh-gitlab-agent
    - kubectl rollout restart deployment -n coshh-dev coshh-dev-ui
  only:
    - develop
  inherit:
    default: false

container_scanning:
  stage: container-scanning
  allow_failure: false
  variables:
    CS_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG

dast:
  allow_failure: false
  dependencies: [] # override default download of all artifacts defined by previous jobs in the pipeline
  services: # use services to link your app container to the dast job
    - name: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
      alias: coshhui
  variables:
    # why won't this work with https????
    DAST_WEBSITE: http://coshhui
    DAST_FULL_SCAN_ENABLED: "true" # do a full scan
    DAST_BROWSER_SCAN: "true" # use the browser-based GitLab DAST crawler

dependency_scanning:
    stage: test-lint-build
    allow_failure: false

sast:
  stage: test-lint-build
  allow_failure: false

secret_detection:
  stage: test-lint-build
  allow_failure: false

include:
  - template: DAST.gitlab-ci.yml
  - template: Jobs/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml