.gitlab-ci.yml

include:
  - file: /Scan/trivy.yml
    project: jitesoft/gitlab-ci-lib
  - file: /OCI/sign.yml
    project: jitesoft/gitlab-ci-lib

stages:
  - check
  - download
  - build
  - sign
  - scan

check:
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  stage: check
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "web"'
      when: always
    - if: '$CI_PIPELINE_SOURCE == "trigger"'
      when: never
  variables:
    GIT_STRATEGY: none
  parallel:
    matrix:
      - { VERSION: "18.04", DIST: "bionic", TAGS: "bionic,18.04" }
      - { VERSION: "20.04", DIST: "focal", TAGS: "focal,20.04,latest,lts" }
      - { VERSION: "21.10", DIST: "impish", TAGS: "impish,21.10" }
      - { VERSION: "22.04", DIST: "jammy", TAGS: "jammy,22.04,next" }
  script:
    - curl -OsS "https://partner-images.canonical.com/core/${DIST}/current/SHA256SUMS"
    - touch sha-${DIST}.txt
    - CURR=$(cat sha-${DIST}.txt)
    - |
      if [ ! -z "${FORCE_BUILD+x}" ] || [ "${CURR}" != "$(cat SHA256SUMS)" ]; then
        echo "Build ${DIST}"
        curl -F token=${CI_JOB_TOKEN} -F ref=master -F "variables[DIST]=${DIST}" -F "variables[TAGS]=${TAGS}" -F "variables[VERSION]=${VERSION}" -F "variables[BUILD]=true" https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/trigger/pipeline
      else
        echo "Only scan ${DIST}"
        curl -F token=${CI_JOB_TOKEN} -F ref=master -F "variables[DIST]=${DIST}" -F "variables[VERSION]=${VERSION}" -F "variables[SCAN]=true" https://gitlab.com/api/v4/projects/${CI_PROJECT_ID}/trigger/pipeline
      fi
  artifacts:
    paths:
      - sha-${DIST}.txt
  cache:
    policy: pull
    key: ubuntu-${DIST}-sha
    paths:
      - sha-${DIST}.txt

gpg:
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  stage: check
  rules:
    - if: "$BUILD"
      when: always
    - if: "$SCAN"
      when: never
    - when: never
  variables:
    GPG_KEY: "D2EB44626FDDC30B513D5BB71A5D6C4C7DB87C81"
  script:
    - if [ -f keys.out ]; then gpg --import keys.out; fi
    - gpg --list-keys ${GPG_KEY} || (gpg --keyserver pgp.mit.edu --recv-keys "${GPG_KEY}" || gpg --keyserver keyserver.pgp.com --recv-keys "${GPG_KEY}" || gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "${GPG_KEY}")
    - gpg --export > keys.out
  artifacts:
    paths:
      - keys.out
  cache:
    key: ubuntu.gpg.keyring
    policy: pull
    paths:
      - keys.out

download:
  rules:
    - if: "$SCAN"
      when: never
    - if: '$BUILD'
      when: always
    - when: never
  needs:
    - job: gpg
      artifacts: true
  stage: download
  parallel:
    matrix:
      - { ARCH: "amd64", DISTS: "trusty xenial bionic focal impish jammy" }
      - { ARCH: "arm64", DISTS: "trusty xenial bionic focal impish jammy" }
      - { ARCH: "armhf", DISTS: "trusty xenial bionic focal impish jammy" }
      - { ARCH: "ppc64el", DISTS: "trusty xenial bionic focal impish jammy" }
      - { ARCH: "s390x", DISTS: "xenial bionic focal groovy impish jammy" }
      - { ARCH: "i386", DISTS: "trusty xenial bionic" }
  variables:
    GIT_STRATEGY: none
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  before_script:
    - gpg --import keys.out
  script:
    - |
      if [ "$(echo ${DISTS} | grep ${DIST} || echo false)" == "false" ]; then
          echo "Arch is ${ARCH}, can not build ${DIST} for ${ARCH} (only ${DISTS}) so skipping job"
          exit 0
      fi
    - curl -OsS "https://partner-images.canonical.com/core/${DIST}/current/SHA256SUMS"
    - curl -OsS "https://partner-images.canonical.com/core/${DIST}/current/SHA256SUMS.gpg"
    - curl -OsS "https://partner-images.canonical.com/core/${DIST}/current/ubuntu-${DIST}-core-cloudimg-${ARCH}-root.tar.gz"
    - gpg --verify SHA256SUMS.gpg SHA256SUMS
    - grep "${ARCH}" SHA256SUMS | sha256sum -c -
    - DOCKER_ARCH=$(helper arch ${ARCH})
    - mkdir -p artifacts/${DOCKER_ARCH}
    - mv ubuntu-${DIST}-core-cloudimg-${ARCH}-root.tar.gz artifacts/${DOCKER_ARCH}/ubuntu-root.tar.gz
    - mv SHA256SUMS sha-${DIST}.txt
  artifacts:
    when: on_success
    paths:
      - artifacts/
      - sha-${DIST}.txt

.build:
  stage: build
  variables:
  image: registry.gitlab.com/jitesoft/dockerfiles/misc:latest
  script:
    - echo "Building ${DIST} image."
    - TAG_LIST=$(helper "${CI_REGISTRY_IMAGE},jitesoft/ubuntu,ghcr.io/jitesoft/ubuntu,quay.io/jitesoft/ubuntu" "${TAGS}")
    - ARCH_LIST=$(helper archlist ${ARCHITECTURES})
    - docker buildx build --platform ${ARCH_LIST} --push ${TAG_LIST} --progress plain --build-arg BUILD_TIME=$(date -Iseconds) --build-arg VERSION=${VERSION} --build-arg NAME=${DIST} .
  cache:
    policy: push
    key: ubuntu-${DIST}-sha
    paths:
      - sha-${DIST}.txt
  tags: [ jitesoft, buildx, protected ]

build:trusty:
  extends: .build
  rules:
    - if: "$SCAN"
      when: never
    - if: '$DIST == "trusty" && $BUILD'
      when: on_success
    - when: never
  needs:
    - download
  variables:
    ARCHITECTURES: "amd64 arm64 armhf ppc64el i386"

build:xenial-bionic:
  extends: .build
  rules:
    - if: "$SCAN"
      when: never
    - if: '($DIST == "xenial" || $DIST == "bionic") && $BUILD'
      when: on_success
    - when: never
  needs:
    - download
  variables:
    ARCHITECTURES: "amd64 arm64 armhf ppc64el s390x i386"

build:
  rules:
    - if: "$SCAN"
      when: never
    - if: '($DIST != "xenial" && $DIST != "trusty" && $DIST != "bionic") && $BUILD'
      when: on_success
    - when: never
  extends: .build
  needs:
    - download
  variables:
    ARCHITECTURES: "amd64 arm64 armhf ppc64el s390x"

sign:
  extends: .sign
  variables:
    SIGN_IMAGES: "${CI_REGISTRY_IMAGE},jitesoft/ubuntu,ghcr.io/jitesoft/ubuntu"
    SIGN_TAGS: "${TAGS}"
    COSIGN_ANNOTATIONS: "-a sig=jitesoft-bot"
  tags: [ jitesoft, protected, buildx ]
  stage: sign
  rules:
    - if: "$BUILD"
      when: on_success
    - when: never

scan:
  tags: [ protected, jitesoft ]
  rules:
    - if: '$DIST'
      when: always
    - when: never
  extends: .container_scanning
  variables:
    SCANNING_IMAGE_NAME: "${CI_REGISTRY_IMAGE}:${DIST}"
    GIT_STRATEGY: none