.gitlab-ci.yml

default:
    image: python:3.9
    cache:
        -   key:
                files:
                    - ${CI_PROJECT_DIR}/poetry.lock
            paths:
                - ${CI_PROJECT_DIR}/.venv
        -   key: "${CI_PROJECT_ID}"
            paths:
                - ${CI_PROJECT_DIR}/.cache/pip
        -   key: "${CI_JOB_ID}"
            paths:
                - ${CI_PROJECT_DIR}/**/__pycache__/


stages:
    - 🎨 format 🎨
    - 🦄 quality 🦄
    - 🔒️ security 🔒️
    - 🤞 test 🤞
    - 🚀 release 🚀

workflow:
    rules:
        -   if: $CI_COMMIT_TAG
        -   if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
            when: never
        -   if: $CI_PIPELINE_SOURCE == "merge_request_event"
        -   if: $CI_COMMIT_BRANCH


variables:
    FF_USE_FASTZIP: "true"
    # These can be specified per job or per pipeline
    ARTIFACT_COMPRESSION_LEVEL: "fast"
    CACHE_COMPRESSION_LEVEL: "fast"
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    VENV: "$CI_PROJECT_DIR/.venv"
    ACTIVATE_VENV: "$VENV/bin/activate"
    PYTHONPATH: "."
    GIT_STRATEGY: "fetch"
    GIT_SUBMODULE_STRATEGY: "recursive"
    ASDF_PYTHON_VERSION: "3.9"
    LM_PYTHON_VERSION: "3.9"
    SAFETY_POLICY_FILE: "$CI_PROJECT_DIR/.safety-policy.yml"
    SAFETY_COLOR: "True"
    CI_SERVER_URL: "https://etulab.univ-amu.fr"

include:
    -   template: Jobs/Dependency-Scanning.gitlab-ci.yml
    -   template: Jobs/Secret-Detection.latest.gitlab-ci.yml


# Define good stage for includes

dependency_scanning:
    cache: [ ]
    stage: 🔒️ security 🔒️
    interruptible: true

.secret-analyzer:
    cache: [ ]
    stage: 🔒️ security 🔒️
    interruptible: true


# Install dependencies

🔧 build env 🔧:
    cache:
        -   key:
                files:
                    - poetry.lock
            paths:
                - ${CI_PROJECT_DIR}/.venv
            policy: pull-push
        -   key: "${CI_PROJECT_ID}"
            paths:
                - ${CI_PROJECT_DIR}/.cache/pip
            policy: pull-push
    stage: .pre
    interruptible: true
    before_script:
        - python --version
        - pip install --upgrade pip
        - export PATH="$PATH":"$HOME/.local/bin"
        - pip install --user pipx
        - pipx ensurepath
        - pipx install virtualenv
        - pipx install poetry
        - poetry --version
    script:
        - virtualenv $VENV
        - source $ACTIVATE_VENV
        - pip install --upgrade pip
        - poetry install
        - poetry update
    artifacts:
        paths:
            - $VENV


# Pre script

.load_env:
    interruptible: true
    cache:
        -   key:
                files:
                    - poetry.lock
            paths:
                - ${CI_PROJECT_DIR}/.venv
            policy: pull
        -   key: "${CI_PROJECT_ID}"
            paths:
                - ${CI_PROJECT_DIR}/.cache/pip
            policy: pull
    needs:
        - 🔧 build env 🔧
    before_script:
        - source $ACTIVATE_VENV


# Format code

.common_format:
    extends: .load_env
    stage:
        🎨 format 🎨

🩹 isort 🎨:
    extends: .common_format
    script:
        - isort src --check

🩹 black 🎨:
    extends: .common_format
    script:
        - black src --check

🩹 yamllint 🎨:
    extends: .common_format
    rules:
        -   changes:
                - $CI_PROJECT_DIR/**/*.yml
                - $CI_PROJECT_DIR/**/*.yaml
        - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
        - if: $CI_COMMIT_TAG
    script:
        - yamllint src tests

🩹 markdownlint 🎨:
    cache: [ ]
    image: node:slim
    rules:
        -   changes:
                - $CI_PROJECT_DIR/**/*.md
        -   if: $CI_PIPELINE_SOURCE == 'merge_request_event'
        -   if: $CI_COMMIT_TAG
    stage:
        🎨 format 🎨
    before_script:
        - node --version
        - npm install markdownlint
        - npm install markdownlint-cli
    script:
        - ./node_modules/markdownlint-cli/markdownlint.js src tests -j -o markdownlint.json -c .markdownlint.yaml
    artifacts:
        paths:
            - markdownlint.json


# Security check

.common_security:
    extends: .load_env
    stage: 🔒️ security 🔒️

.common_security_after_format:
    extends: .common_security
    needs:
        - !reference [ .common_security, needs ]
        - 🩹 black 🎨
        - 🩹 isort 🎨

🔍️ bandit 🔒️ 1/2:
    extends: .common_security_after_format
    script:
        - bandit -r src -f xml -o bandit.xml
    artifacts:
        reports:
            junit: bandit.xml

🔍️ bandit 🔒️ 2/2:
    extends: .common_security_after_format
    script:
        - bandit -r src -f html -o bandit.html
    artifacts:
        paths:
            - bandit.html

🔍️ mypy 🏷️:
    extends: .common_security_after_format
    cache:
        key: "mypy-${$CI_COMMIT_BRANCH}"
        paths:
            - ${CI_PROJECT_DIR}/.mypy_cache
        policy: pull-push
    script:
        - mypy src --install-types --non-interactive --html-report html_mypy --junit-xml mypy.xml
    artifacts:
        reports:
            junit: mypy.xml
        paths:
            - html_mypy

🔍️ safety 🔒️:
    extends: .common_security
    # Ignore CVS 51457, the project uses GIT not SVN
    script:
        - safety check -i 51457 -o html --save-html safety.html -o json --save-json safety.json
    artifacts:
        paths:
            - safety.json
            - safety.html

🔍️ dodgy 🔐:
    extends: .common_security
    script:
        - dodgy src


# Quality tests

.common_quality:
    extends: .load_env
    stage: 🦄 quality 🦄
    needs:
        - !reference [ .load_env, needs ]
        - 🩹 black 🎨
        - 🩹 isort 🎨

🔍️ pycodestyle 🎨:
    extends: .common_quality
    script:
        - pycodestyle src

🔍️ pydocstyle 📝:
    extends: .common_quality
    script:
        - pydocstyle src

🔍️ pylint 🧐:
    extends: .common_quality
    script:
        - pylint src --output-format json --output pylint.json
    artifacts:
        reports:
            codequality: pylint.json

🔍️ ruff 🧐:
    extends: .common_quality
    cache:
        key: "ruff-${$CI_COMMIT_BRANCH}"
        paths:
            - ${CI_PROJECT_DIR}/.ruff_cache
        policy: pull-push
    script:
        - ruff src --format gitlab > ruff.json
    artifacts:
        reports:
            codequality: ruff.json

🔍️ vulture ⚰️:
    extends: .common_quality
    script:
        - vulture src

🔍️ interrogate 📝:
    extends: .common_quality
    script:
        - interrogate src --generate-badge .
    artifacts:
        paths:
            - interrogate_badge.svg

🔍️ deptry ⚰️:
    extends: .load_env
    stage: 🦄 quality 🦄
    script:
        - deptry src -o deptry.json
    artifacts:
        paths:
            - deptry.json


# Tests

.common_test:
    extends: .load_env
    stage: 🤞 test 🤞
    cache:
        key: "pytest-${$CI_COMMIT_BRANCH}"
        paths:
            - ${CI_PROJECT_DIR}/.pytest_cache
        policy: pull-push
    before_script:
        - !reference [ .load_env, before_script ]
        - export PYTHONPATH="./src"

🤞 unittests 🤞:
    extends: .common_test
    needs:
        - !reference [ .common_test, needs ]
        - 🔍️ bandit 🔒️ 1/2
        - 🔍️ bandit 🔒️ 2/2
        - 🔍️ pycodestyle 🎨
        - 🔍️ pydocstyle 📝
        - 🔍️ pylint 🧐
        - 🔍️ ruff 🧐
        - 🔍️ mypy 🏷️
        - 🔍️ vulture ⚰️
        - 🔍️ safety 🔒️
        - 🔍️ dodgy 🔐
        - 🔍️ interrogate 📝
        - 🔍️ deptry ⚰️
    script:
        - pytest

🤞 coverage 🔍️:
    extends: .common_test
    needs:
        - !reference [ .common_test, needs ]
        - 🤞 unittests 🤞
    coverage: /TOTAL\s+[\d\.]+\s+[\d\.]+\s+[\d\.]+\s+[\d\.]+\s+([\d\.]+)/
    script:
        - pytest --cov=src --cov=tests --junit-xml=coverage.xml --cov-report=html:coverage_html
        - coverage report
    allow_failure: true
    artifacts:
        when: always
        paths:
            - coverage.xml
            - coverage_html
        reports:
            junit: coverage.xml


# Build the package

.common_release:
    stage: 🚀 release 🚀
    rules:
        # Run this job when a tag is created manually
        -   if: $CI_COMMIT_TAG

🔧 publish package 🚧:
    extends:
        - .load_env
        - .common_release
    needs:
        - !reference [ .load_env, needs ]
        - 🤞 coverage 🔍️
    before_script:
        - export PATH="$PATH":"$HOME/.local/bin"
        - pip install --user pipx
        - pipx ensurepath
        - pipx install poetry
    script:
        - poetry config repositories.gitlab $CI_API_V4_URL/projects/$CI_PROJECT_ID/packages/pypi
        - poetry build
        - poetry publish -r gitlab --username=ci_cd --password=$PUBLISHER_PASSWORD
    artifacts:
        when: on_success
        paths:
            - dist

🔖 release version 🚧:
    cache: []
    extends: .common_release
    needs:
        - 🔧 publish package 🚧
    image: registry.gitlab.com/gitlab-org/release-cli:latest
    script:
        - echo "Release created"
    release:
        tag_name: $CI_COMMIT_TAG
        name: 'Release ${CI_COMMIT_TAG}'
        description: 'Release created using the release-cli.'
        assets:
            links:
                -   name: '${CI_PROJECT_NAME} PyPi package'
                    url: '${CI_SERVER_URL}/${CI_PROJECT_PATH}/-/packages'