.gitlab-ci.yml

# You can override the included template(s) by including variable overrides
# SAST customization: https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
# Secret Detection customization: https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
# Note that environment variables can be set in several places
# See https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence
image: php:8.2

stages:
  - build
  - test
  - deploy
  - review
  - dast
  - staging
  - canary
  - production
  - incremental rollout 10%
  - incremental rollout 25%
  - incremental rollout 50%
  - incremental rollout 100%
  - performance
  - cleanup
  - release

variables:
  POSTGRES_USER: db_user
  POSTGRES_PASSWORD: db_pass
  POSTGRES_DB: db_name
  POSTGRES_HOST_AUTH_METHOD: trust
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: ""

services:
  - name: postgres:15-alpine
    alias: database
  - name: redis:latest
    alias: redis

build_backend:
  image: docker:20.10.21-dind
  stage: build
  variables:
    IMAGE_TAG_BACKEND: $CI_REGISTRY_IMAGE/backend:$CI_COMMIT_REF_SLUG
    IMAGE_TAG_PHP: $CI_REGISTRY_IMAGE/php:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: [ '--tls=false', '--host=tcp://0.0.0.0:2375' ]
      alias: docker
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build --no-cache --target php_prod -t backend .
    - docker tag backend $IMAGE_TAG_BACKEND
    - docker tag backend $IMAGE_TAG_PHP
    - docker push $IMAGE_TAG_BACKEND
    - docker push $IMAGE_TAG_PHP

build_caddy:
  image: docker:20.10.21-dind
  stage: build
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE/caddy:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: docker
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build --no-cache --target caddy_prod -t caddy .
    - docker tag caddy $IMAGE_TAG
    - docker push $IMAGE_TAG

build_nginx:
  image: docker:20.10.21-dind
  stage: build
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE/nginx:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: docker
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker build --no-cache --target nginx_prod -t nginx .
    - docker tag nginx $IMAGE_TAG
    - docker push $IMAGE_TAG

test:
  image: php:8.2
  variables:
    POSTGRES_USER: db_user
    POSTGRES_PASSWORD: db_pass
    POSTGRES_DB: db_name
    POSTGRES_HOST_AUTH_METHOD: trust
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: ""
  services:
    - name: postgres:15-alpine
      alias: database
    - name: redis:latest
      alias: redis
  before_script:
    - apt-get update -yqq
    - apt-get install gnupg openssl acl -yqq
    - mkdir -p config/jwt
    - export jwt_passphrase=${JWT_PASSPHRASE:-$(grep ''^JWT_PASSPHRASE='' .env | cut
      -f 2 -d ''='')}
    - echo "$jwt_passphrase" | openssl genpkey -out config/jwt/private.pem -aes256 -algorithm
      rsa -pkeyopt rsa_keygen_bits:4096 --pass stdin
    - echo "$jwt_passphrase" | openssl pkey -in config/jwt/private.pem -out config/jwt/public.pem
      -pubout --passin stdin
    - setfacl -R -m u:www-data:rX -m u:"$(whoami)":rwX config/jwt
    - setfacl -dR -m u:www-data:rX -m u:"$(whoami)":rwX config/jwt
    - curl -sL https://deb.nodesource.com/setup_14.x | bash -
    - apt-get install git unzip libcurl4-gnutls-dev libicu-dev libonig-dev libzip-dev
      libmcrypt-dev libvpx-dev libjpeg-dev libpng-dev libxpm-dev zlib1g-dev libfreetype6-dev
      libxml2-dev libexpat1-dev libbz2-dev libgmp3-dev libldap2-dev unixodbc-dev libpq-dev
      libsqlite3-dev libaspell-dev libsnmp-dev libpcre3-dev libtidy-dev -yqq
    - docker-php-ext-install pdo_pgsql zip
    - pecl install xdebug
    - docker-php-ext-enable xdebug
    - curl -sS https://getcomposer.org/installer | php
    - curl -sS https://get.symfony.com/cli/installer | bash
    - export PATH="$HOME/.symfony5/bin:$PATH"
    - echo "xdebug.mode=develop,coverage,debug" >> /usr/local/etc/php/php.ini
    - echo "memory_limit = -1;" >> /usr/local/etc/php/php.ini
    - symfony composer install
    - php bin/console doctrine:database:drop --force
    - php bin/console doctrine:database:create
    - php bin/console doctrine:migrations:migrate --no-interaction
    - php bin/console doctrine:fixtures:load --no-interaction
    - symfony server:ca:install
    - symfony serve -d
  script:
    - php bin/console cache:clear
    - php bin/phpunit --coverage-text --colors=never --log-junit test-report.xml
  cache:
    key: cacheTest
    paths:
      - node_modules/
  artifacts:
    when: always
    reports:
      junit: test-report.xml

sast:
  stage: test

workflow:
  rules:
    - if: '$BUILDPACK_URL || $AUTO_DEVOPS_EXPLICITLY_ENABLED == "1" || $DOCKERFILE_PATH'

# todo: change the DAST_WEBSITE to DAST_API_SPECIFICATION when the cluster is ready
dast:
  variables:
    DAST_FULL_SCAN_ENABLED: "true"
    DAST_WEBSITE: "$DAST_WEBSITE"

deploy_package:
  stage: deploy
  before_script:
    - apt-get update -y && apt dist-upgrade -y && apt install curl -y
  script:
    - 'curl --header "Job-Token: $CI_JOB_TOKEN" --data tag=$CI_COMMIT_TAG "${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/composer"'
  rules:
    - if: $CI_COMMIT_TAG
      allow_failure: true
  cache:
    key: cacheDeploy
    paths:
      - node_modules/

deploy_backend_to_registries:
  image: docker:20.10.21-dind
  stage: deploy
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: dockercompose
  before_script:
    - docker build --no-cache --target php_prod -t app-php:latest .
  script:
    - docker login -u "$DOCKER_REGISTRY_USER" -p "$DOCKER_REGISTRY_PASSWORD"
    - docker tag app-php:latest dadang/iam_backend:$CI_COMMIT_TAG
    - docker tag app-php:latest dadang/iam_backend:latest
    - docker tag app-php:latest dadang/iam_php:$CI_COMMIT_TAG
    - docker tag app-php:latest dadang/iam_php:latest
    - docker push dadang/iam_backend:$CI_COMMIT_TAG
    - docker push dadang/iam_backend:latest
    - docker push dadang/iam_php:$CI_COMMIT_TAG
    - docker push dadang/iam_php:latest
    - docker logout
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker tag app-php:latest $CI_REGISTRY_IMAGE/backend:$CI_COMMIT_TAG
    - docker tag app-php:latest $CI_REGISTRY_IMAGE/backend:latest
    - docker tag app-php:latest $CI_REGISTRY_IMAGE/php:$CI_COMMIT_TAG
    - docker tag app-php:latest $CI_REGISTRY_IMAGE/php:latest
    - docker push $CI_REGISTRY_IMAGE/backend:$CI_COMMIT_TAG
    - docker push $CI_REGISTRY_IMAGE/backend:latest
    - docker push $CI_REGISTRY_IMAGE/php:$CI_COMMIT_TAG
    - docker push $CI_REGISTRY_IMAGE/php:latest
  rules:
    - if: $CI_COMMIT_TAG
      allow_failure: true
  cache:
    key: cacheBuildDocker
    paths:
      - node_modules/

deploy_nginx_to_registries:
  image: docker:20.10.21-dind
  stage: deploy
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: dockercompose
  before_script:
    - docker build --no-cache --target nginx_prod -t app-nginx:latest .
  script:
    - docker login -u "$DOCKER_REGISTRY_USER" -p "$DOCKER_REGISTRY_PASSWORD"
    - docker tag app-nginx:latest dadang/iam_nginx:$CI_COMMIT_TAG
    - docker tag app-nginx:latest dadang/iam_nginx:latest
    - docker push dadang/iam_nginx:$CI_COMMIT_TAG
    - docker push dadang/iam_nginx:latest
    - docker logout
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker tag app-nginx:latest $CI_REGISTRY_IMAGE/nginx:$CI_COMMIT_TAG
    - docker tag app-nginx:latest $CI_REGISTRY_IMAGE/nginx:latest
    - docker push $CI_REGISTRY_IMAGE/nginx:$CI_COMMIT_TAG
    - docker push $CI_REGISTRY_IMAGE/nginx:latest
  rules:
    - if: $CI_COMMIT_TAG
      allow_failure: true
  cache:
    key: cacheBuildDocker
    paths:
      - node_modules/

deploy_caddy_to_registries:
  image: docker:20.10.21-dind
  stage: deploy
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: dockercompose
  before_script:
    - docker build --no-cache --target caddy_prod -t app-caddy:latest .
  script:
    - docker login -u "$DOCKER_REGISTRY_USER" -p "$DOCKER_REGISTRY_PASSWORD"
    - docker tag app-caddy:latest dadang/iam_caddy:$CI_COMMIT_TAG
    - docker tag app-caddy:latest dadang/iam_caddy:latest
    - docker push dadang/iam_caddy:$CI_COMMIT_TAG
    - docker push dadang/iam_caddy:latest
    - docker logout
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker tag app-caddy:latest $CI_REGISTRY_IMAGE/caddy:$CI_COMMIT_TAG
    - docker tag app-caddy:latest $CI_REGISTRY_IMAGE/caddy:latest
    - docker push $CI_REGISTRY_IMAGE/caddy:$CI_COMMIT_TAG
    - docker push $CI_REGISTRY_IMAGE/caddy:latest
  rules:
    - if: $CI_COMMIT_TAG
      allow_failure: true
  cache:
    key: cacheBuildDocker
    paths:
      - node_modules/

deploy_redis_to_registries:
  image: docker:20.10.21-dind
  stage: deploy
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: dockercompose
  before_script:
    - docker pull redis:latest
  script:
    - docker login -u "$DOCKER_REGISTRY_USER" -p "$DOCKER_REGISTRY_PASSWORD"
    - docker tag redis:latest dadang/iam_redis:$CI_COMMIT_TAG
    - docker tag redis:latest dadang/iam_redis:latest
    - docker push dadang/iam_redis:$CI_COMMIT_TAG
    - docker push dadang/iam_redis:latest
    - docker logout
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker tag redis:latest $CI_REGISTRY_IMAGE/redis:$CI_COMMIT_TAG
    - docker tag redis:latest $CI_REGISTRY_IMAGE/redis:latest
    - docker push $CI_REGISTRY_IMAGE/redis:$CI_COMMIT_TAG
    - docker push $CI_REGISTRY_IMAGE/redis:latest
  rules:
    - if: $CI_COMMIT_TAG
      allow_failure: true
  cache:
    key: cacheBuildDocker
    paths:
      - node_modules/

deploy_postgres_to_registries:
  image: docker:20.10.21-dind
  stage: deploy
  variables:
    IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
    DOCKER_TLS_CERTDIR: ''
    DOCKER_BUILDKIT: 1
  services:
    - name: 'docker:20.10.21-dind'
      command: ['--tls=false', '--host=tcp://0.0.0.0:2375']
      alias: dockercompose
  before_script:
    - docker pull postgres:15-alpine
  script:
    - docker login -u "$DOCKER_REGISTRY_USER" -p "$DOCKER_REGISTRY_PASSWORD"
    - docker tag postgres:15-alpine dadang/iam_database:$CI_COMMIT_TAG
    - docker tag postgres:15-alpine dadang/iam_database:latest
    - docker push dadang/iam_database:$CI_COMMIT_TAG
    - docker push dadang/iam_database:latest
    - docker logout
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    - docker tag postgres:15-alpine $CI_REGISTRY_IMAGE/database:$CI_COMMIT_TAG
    - docker tag postgres:15-alpine $CI_REGISTRY_IMAGE/database:latest
    - docker push $CI_REGISTRY_IMAGE/database:$CI_COMMIT_TAG
    - docker push $CI_REGISTRY_IMAGE/database:latest
  rules:
    - if: $CI_COMMIT_TAG
      allow_failure: true
  cache:
    key: cacheBuildDocker
    paths:
      - node_modules/

deploy_staging:
  image: ubuntu:latest
  stage: staging
  before_script:
    - command -v ssh-agent || ( apt-get update -y && apt-get install openssh-client curl
      -y )
    - eval $(ssh-agent -s)
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config
    - touch ~/.ssh/known_hosts
    - echo "$KNOWN_HOST" > ~/.ssh/known_hosts
  script:
    - 'curl --header "Job-Token: $CI_JOB_TOKEN" --data branch=master "${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/composer"'
    - ssh -q $SERVER ". ~/.asdf/asdf.sh; sh deploy.sh; exit;"
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      allow_failure: true
  cache:
    key: cacheDeploy
    paths:
      - vendor/
      - node_modules/

browser_performance:
  variables:
    URL: "$DAST_WEBSITE"

release_job:
  stage: release
  image: registry.gitlab.com/gitlab-org/release-cli:latest
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - echo 'running release_job'
  release:
    name: 'Release $CI_COMMIT_TAG'
    description: 'Created using the release-cli $EXTRA_DESCRIPTION'
    tag_name: '$CI_COMMIT_TAG'
    ref: '$CI_COMMIT_TAG'

include:
  - template: Jobs/Build.gitlab-ci.yml
  - template: Jobs/Test.gitlab-ci.yml
  - template: Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/Code-Intelligence.gitlab-ci.yml
  - template: Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml
  - template: Verify/Browser-Performance.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml