.gitlab-ci.yml

include:
  - template: SAST.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: License-Scanning.gitlab-ci.yml
  - template: Secret-Detection.gitlab-ci.yml

# run the pipeline only on MRs, tags, and default branch
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

default:
  tags:
    - gitlab-org

image: node:14-slim

stages:
  - test
  - package
  - publish

lint:
  stage: test
  script:
    - npm ci
    - cd src/webview && npm ci && cd ../.. # webview dependencies
    - npm run lint

lint_commit:
  stage: test
  script:
    - apt-get update && apt-get install -y git
    - git fetch origin $CI_MERGE_REQUEST_TARGET_BRANCH_NAME && git checkout $CI_MERGE_REQUEST_TARGET_BRANCH_NAME && git checkout $CI_COMMIT_SHA
    - cd scripts/commit-lint && npm ci
    - node lint.js
  rules:
    - if: '$CI_MERGE_REQUEST_IID && $CI_PROJECT_VISIBILITY == "public"' # lint.js script makes an API call without authentication
      when: always

check-ci-variables:
  stage: test
  script:
    - npm ci
    - npm run update-ci-variables
  allow_failure: true # could be caused by changes in gitlab-org/gitlab repo, not related to current branch

test-unit:
  stage: test
  script:
    - apt-get update && apt-get install -y git
    - npm ci
    - npm run test-unit -- --coverage
  artifacts:
    when: always
    reports:
      junit:
        - reports/unit.xml

test-integration:
  stage: test
  variables:
    DISPLAY: ':99.0'
  script:
    - apt-get update
    - apt-get install -y xvfb libxtst6 libnss3 libgtk-3-0 libxss1 libasound2 libsecret-1-0 git
    - npm ci
    - echo $DISPLAY
    - /usr/bin/Xvfb :99 -screen 0 1024x768x24 > /dev/null 2>&1 &
    - npm run test-integration
  artifacts:
    when: always
    reports:
      junit:
        - reports/integration.xml

test-webview:
  stage: test
  script:
    - cd src/webview
    - npm ci
    - npm run test

.package:
  stage: package
  script:
    - npm ci
    - cd src/webview && npm install && npm run build && cd ../.. # build webview
    - npx vsce package
  artifacts:
    paths:
      - '*.vsix'

package_release:
  extends: .package
  artifacts:
      expire_in: 1 year
  only:
    - tags

# We test that packaging works to prevent failed releases
# Without this task we would only find out packaging errors after tagging a release
package_test:
  extends: .package
  artifacts:
      expire_in: 10 days

publish_marketplace:
  stage: publish
  script:
    - npx vsce publish --packagePath *.vsix -p $AZURE_ACCESS_TOKEN
  when: manual
  only:
    - tags

publish_open_vsx:
  stage: publish
  script:
    - npx ovsx publish *.vsix -p $OPENVSX_ACCESS_TOKEN
  when: manual
  only:
    - tags

# Override security scanning rules to run every time this pipeline does
# This potentially can be made obsolete once:
# https://gitlab.com/gitlab-org/gitlab/-/issues/217668 lands
.secure-jobs-config: &secure-jobs-config
  needs: []
  rules:
    - when: on_success

retire-js-dependency_scanning:
  <<: *secure-jobs-config

gemnasium-dependency_scanning:
  <<: *secure-jobs-config

license_scanning:
  <<: *secure-jobs-config

eslint-sast:
  <<: *secure-jobs-config

nodejs-scan-sast:
  <<: *secure-jobs-config

secret_detection:
  <<: *secure-jobs-config
  # We can't run the secrets detection on tags: https://gitlab.com/gitlab-org/gitlab/-/issues/254199
  rules:
    - if: $CI_COMMIT_TAG
      when: 'never'