image: archlinux:base-devel
cache:
  key: system-v1
  paths:
    # For some reason Gitlab CI only supports storing cache/artifacts in a path relative to the build directory
    - .pkg-cache
    - .venv
    - .pre-commit

variables:
  AUR_CONFIG: conf/config # Default PostgresSQL config setup in before_script.
  DB_HOST: localhost
  TEST_RECURSION_LIMIT: 10000
  CURRENT_DIR: "$(pwd)"
  LOG_CONFIG: logging.test.conf
  DEV_FQDN: aurweb-$CI_COMMIT_REF_SLUG.sandbox.archlinux.page
  INFRASTRUCTURE_REPO: https://gitlab.archlinux.org/archlinux/infrastructure.git

lint:
  stage: .pre
  before_script:
    - pacman -Sy --noconfirm --noprogressbar --cachedir .pkg-cache
      archlinux-keyring
    - pacman -Syu --noconfirm --noprogressbar --cachedir .pkg-cache
      git python python-pre-commit
  script:
    - export XDG_CACHE_HOME=.pre-commit
    - pre-commit run -a

test:
  stage: test
  before_script:
    - export PATH="$HOME/.poetry/bin:${PATH}"
    - ./docker/scripts/install-deps.sh
    - virtualenv -p python3 .venv
    - source .venv/bin/activate # Enable our virtualenv cache
    - ./docker/scripts/install-python-deps.sh
    - useradd -U -d /aurweb -c 'AUR User' aur
    - ./docker/postgres-entrypoint.sh
    - su postgres -c '/usr/bin/postgres -D /var/lib/postgres/data' &
    - 'until : > /dev/tcp/127.0.0.1/5432; do sleep 1s; done'
    - cp -v conf/config.dev conf/config
    - sed -i "s;YOUR_AUR_ROOT;$(pwd);g" conf/config
    - ./docker/test-postgres-entrypoint.sh # Create postgres AUR_CONFIG.
    - make -C po all install # Compile translations.
    - make -C doc # Compile asciidoc.
    - make -C test clean # Cleanup coverage.
  script:
    # Run sharness.
    - make -C test sh
    # Run pytest.
    - pytest --junitxml="pytest-report.xml"
    - make -C test coverage # Produce coverage reports.
  coverage: '/(?i)total.*? (100(?:\.0+)?\%|[1-9]?\d(?:\.\d+)?\%)$/'
  artifacts:
    reports:
      junit: pytest-report.xml
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml

.init_tf: &init_tf
  - pacman -Syu --needed --noconfirm --cachedir .pkg-cache terraform
  - export TF_VAR_name="aurweb-${CI_COMMIT_REF_SLUG}"
  - TF_ADDRESS="${CI_API_V4_URL}/projects/${TF_STATE_PROJECT}/terraform/state/${CI_COMMIT_REF_SLUG}"
  - cd ci/tf
  - >
    terraform init \
      -backend-config="address=${TF_ADDRESS}" \
      -backend-config="lock_address=${TF_ADDRESS}/lock" \
      -backend-config="unlock_address=${TF_ADDRESS}/lock" \
      -backend-config="username=x-access-token" \
      -backend-config="password=${TF_STATE_GITLAB_ACCESS_TOKEN}" \
      -backend-config="lock_method=POST" \
      -backend-config="unlock_method=DELETE" \
      -backend-config="retry_wait_min=5"

deploy_review:
  stage: deploy
  script:
    - *init_tf
    - terraform apply -auto-approve
  environment:
    name: review/$CI_COMMIT_REF_NAME
    url: https://$DEV_FQDN
    on_stop: stop_review
    auto_stop_in: 1 week
  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^renovate\//
      when: never
    - if: $CI_MERGE_REQUEST_ID && $CI_PROJECT_PATH == "archlinux/aurweb"
      when: manual

provision_review:
  stage: deploy
  needs:
    - deploy_review
  script:
    - *init_tf
    - pacman -Syu --noconfirm --needed --cachedir .pkg-cache ansible git openssh jq
      # Get ssh key from terraform state file
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - terraform show -json |
      jq -r '.values.root_module.resources[] |
      select(.address == "tls_private_key.this") |
      .values.private_key_openssh' > ~/.ssh/id_ed25519
    - chmod 400 ~/.ssh/id_ed25519
      # Clone infra repo
    - git clone $INFRASTRUCTURE_REPO
    - cd infrastructure
      # Remove vault files
    - rm $(git grep -l 'ANSIBLE_VAULT;1.1;AES256$')
      # Remove vault config
    - sed -i '/^vault/d' ansible.cfg
      # Add host config
    - mkdir -p host_vars/$DEV_FQDN
    - 'echo "filesystem: btrfs" > host_vars/$DEV_FQDN/misc'
      # Add host
    - echo "$DEV_FQDN" > hosts
      # Add our pubkey and hostkeys
    - ssh-keyscan $DEV_FQDN >> ~/.ssh/known_hosts
    - ssh-keygen -f ~/.ssh/id_ed25519 -y > pubkeys/aurweb-dev.pub
      # Run our ansible playbook
    - >
      ansible-playbook playbooks/aur-dev.archlinux.org.yml \
        -e "aurdev_fqdn=$DEV_FQDN" \
        -e "aurweb_repository=$CI_REPOSITORY_URL" \
        -e "aurweb_version=$CI_COMMIT_SHA" \
        -e "{\"vault_mariadb_users\":{\"root\":\"aur\"}}" \
        -e "vault_aurweb_db_password=aur" \
        -e "vault_aurweb_gitlab_instance=https://does.not.exist" \
        -e "vault_aurweb_error_project=set-me" \
        -e "vault_aurweb_error_token=set-me" \
        -e "vault_aurweb_secret=aur" \
        -e "vault_goaurrpc_metrics_token=aur" \
        -e '{"root_additional_keys": ["moson.pub", "aurweb-dev.pub"]}'
  environment:
    name: review/$CI_COMMIT_REF_NAME
    action: access
  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^renovate\//
      when: never
    - if: $CI_MERGE_REQUEST_ID && $CI_PROJECT_PATH == "archlinux/aurweb"

stop_review:
  stage: deploy
  needs:
    - deploy_review
  script:
    - *init_tf
    - terraform destroy -auto-approve
    - 'curl --silent --show-error --fail --header "Private-Token: ${TF_STATE_GITLAB_ACCESS_TOKEN}" --request DELETE "${CI_API_V4_URL}/projects/${TF_STATE_PROJECT}/terraform/state/${CI_COMMIT_REF_SLUG}"'
  environment:
    name: review/$CI_COMMIT_REF_NAME
    action: stop
  rules:
    - if: $CI_COMMIT_REF_NAME =~ /^renovate\//
      when: never
    - if: $CI_MERGE_REQUEST_ID && $CI_PROJECT_PATH == "archlinux/aurweb"
      when: manual