---
image: ubuntu:latest

# XXX - add a deploy stage to publish man pages, docs, and coverage
# reports

workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH

stages:
  - build
  - test

.ubuntu-common:
  before_script:
    # Install build-dependencies by loading the package list from the ubuntu/debian cloud-init profile.
    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_deps "Installing dependencies..."
    - apt-get update -qq
    - apt-get install --yes yq make lsb-release
    - |
      printf 'include .image-garden.mk\n$(info $(UBUNTU_CLOUD_INIT_USER_DATA_TEMPLATE))\n.PHONY: nothing\nnothing:\n' \
      | make -f - nothing \
      | yq '.packages | .[]' \
      | xargs apt-get install --yes --no-install-recommends
    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_deps
  after_script:
    # Inspect the kernel and lsb-release.
    - lsb_release -a
    - uname -a

build-all:
  stage: build
  extends:
    - .ubuntu-common
  script:
    # Run the spread prepare section to build everything.
    - yq -r '.prepare' <spread.yaml | SPREAD_PATH=. bash -xeu
  artifacts:
    name: ${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
    expire_in: 30 days
    untracked: true
    paths:
      - libraries/libapparmor/
      - parser/
      - binutils/
      - utils/
      - changehat/mod_apparmor/
      - changehat/pam_apparmor/
      - profiles/

test-libapparmor:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    # This is to touch the built files in the test stage to avoid needless rebuilding
    - make -C libraries/libapparmor --touch
    - make -C libraries/libapparmor check

test-parser:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    # This is to touch the built files in the test stage to avoid needless rebuilding
    - make -C parser --touch
    - make -C parser -j $(nproc) tst_binaries
    - make -C parser check

test-binutils:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    - make -C binutils check

test-utils:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    # This is to touch the built files in the test stage to avoid needless rebuilding
    - make -C utils --touch

    # TODO: move those to cloud-init list?
    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
    - apt-get install --no-install-recommends -y libc6-dev libjs-jquery libjs-jquery-throttle-debounce libjs-jquery-isonscreen libjs-jquery-tablesorter flake8 python3-coverage python3-notify2 python3-psutil python3-setuptools python3-tk python3-ttkthemes python3-gi
    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps

    # See apparmor/apparmor#221
    - make -C parser/tst gen_dbus
    - make -C parser/tst gen_xtrans
    - make -C utils check
    - make -C utils/test coverage-regression
  artifacts:
    paths:
      - utils/test/htmlcov/
    when: always

test-mod-apparmor:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    # This is to touch the built files in the test stage to avoid needless rebuilding
    - make -C changehat/mod_apparmor --touch
    - make -C changehat/mod_apparmor check

test-profiles:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    # This is to touch the built files in the test stage to avoid needless rebuilding
    - make -C profiles --touch
    - make -C profiles check-parser
    - make -C profiles check-abstractions.d
    - make -C profiles check-local

# Build the regression tests (don't run them because that needs kernel access)
test-build-regression:
  stage: test
  needs: ["build-all"]
  extends:
    - .ubuntu-common
  script:
    # Additional dependencies required by regression tests
    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
    - apt-get install --no-install-recommends -y attr fuse-overlayfs libdbus-1-dev liburing-dev
    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
    - make -C tests/regression/apparmor -j $(nproc)

shellcheck:
  stage: test
  needs: []
  extends:
    - .ubuntu-common
  script:
    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
    - apt-get install --no-install-recommends -y python3-minimal file shellcheck xmlstarlet
    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
    - shellcheck --version
    - "./tests/bin/shellcheck-tree --format=checkstyle
      | xmlstarlet tr tests/checkstyle2junit.xslt
      > shellcheck.xml"
  artifacts:
    when: always
    reports:
      junit: shellcheck.xml

# Disabled due to aa-logprof dependency on /sbin/apparmor_parser existing
#   - make -C profiles check-profiles

# test-pam_apparmor:
#  - stage: test
#  - script:
#    - cd changehat/pam_apparmor && make check

include:
  - template: SAST.gitlab-ci.yml
  - template: Secret-Detection.gitlab-ci.yml

variables:
  SAST_EXCLUDED_ANALYZERS: "eslint,flawfinder,semgrep,spotbugs"
  SAST_BANDIT_EXCLUDED_PATHS: "*/tst/*, */test/*"

coverity:
  stage: .post
  extends:
    - .ubuntu-common
  script:
    - printf '\e[0K%s:%s:%s[collapsed=true]\r\e[0K%s\n' section_start "$(date +%s)" install_extra_deps "Installing additional dependencies..."
    - apt-get install --no-install-recommends -y curl git texlive-latex-recommended
    - printf '\e[0K%s:%s:%s\r\e[0K\n' section_end "$(date +%s)" install_extra_deps
    - curl -o /tmp/cov-analysis-linux64.tgz https://scan.coverity.com/download/linux64
      --form project=$COVERITY_SCAN_PROJECT_NAME --form token=$COVERITY_SCAN_TOKEN
    - tar xfz /tmp/cov-analysis-linux64.tgz
    - COV_VERSION=$(ls -dt cov-analysis-linux64-* | head -1)
    - PATH=$PATH:$(pwd)/$COV_VERSION/bin
    - make coverity
    - curl https://scan.coverity.com/builds?project=$COVERITY_SCAN_PROJECT_NAME
      --form token=$COVERITY_SCAN_TOKEN --form email=$GITLAB_USER_EMAIL
      --form file=@$(ls apparmor-*-cov-int.tar.gz) --form version="$(git describe --tags)"
      --form description="$(git describe --tags) / $CI_COMMIT_TITLE / $CI_COMMIT_REF_NAME:$CI_PIPELINE_ID"
  artifacts:
    paths:
      - "apparmor-*.tar.gz"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "apparmor/apparmor"