stages:
  - check
  - prepare
  - tests
  - post-test
  - update-cache
  - package
  - image
  - scan-dependencies
  - staging_upload
  - package-and-image-release
  - qa-release
  - validate
  - metrics
  - aws-marketplace-release
  - notification_fail
  - qa
  - verify

include:
  - local: '/gitlab-ci-config/workflow-rules.yml'
  - local: '/gitlab-ci-config/dev-gitlab-org.yml'
  - local: '/gitlab-ci-config/gitlab-com.yml'
    rules:
      - if: '$CI_SERVER_HOST == "gitlab.com"'

default:
  tags:
    - gitlab-org

variables:
  # BUILDER_IMAGE_REGISTRY is set to
  # `dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder` in the project
  # settings of omnibus-gitlab mirror in dev.gitlab.org so that builds there
  # will use images from that registry and not depend on GitLab.com
  BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
  # To be used for images that exist only on dev.gitlab.org
  DEV_BUILDER_IMAGE_REGISTRY: 'dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder'
  PUBLIC_BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
  BUILDER_IMAGE_REVISION: "5.12.1"
  # The registry to pull the assets image from
  ASSET_REGISTRY: "${CI_REGISTRY}"
  ASSET_SYNC_EXISTING_REMOTE_FILES: "keep"
  ASSET_SYNC_GZIP_COMPRESSION: "true"
  ASSET_PATH: "assets-${CI_COMMIT_REF_SLUG}"
  COMPILE_ASSETS: "false"
  RUBY_IMAGE: "ruby:3.0"
  BUNDLE_PATH__SYSTEM: "false"
  # Format of the auto-deploy tag for auto-deploy builds.
  # https://gitlab.com/gitlab-org/release/docs/blob/master/general/deploy/auto-deploy.md#auto-deploy-tagging
  AUTO_DEPLOY_TAG_REGEX: '^\d+\.\d+\.\d+\+[^ ]{7,}\.[^ ]{7,}$'
  # Default environment for auto-deploy
  AUTO_DEPLOY_ENVIRONMENT: 'pre'
  OMNIBUS_GITLAB_MIRROR_ID: "14588374"
  DOCS_GITLAB_REPO_SUFFIX: "omnibus"
  CACHE_KEY_SUFFIX: '-v3'
  CACHE_EDITION: "CE"
  CACHE_POLICY: 'pull-push'
  ISSUE_BOT_LABELS_EXTRA: "group::distribution"
  BUNDLER_VERSION: "2.5.9"
  # NOTE: When `NEXT_RUBY_VERSION` is updated, flip
  # `USE_NEXT_RUBY_VERSION_IN_*` variables to false to avoid surprises.
  NEXT_RUBY_VERSION: "3.1.4"
  GET_GEO_TAG: "0.7.4"
  CANONICAL_PROJECT_PATH: 'gitlab-org/omnibus-gitlab'
  SECURITY_PROJECT_PATH: 'gitlab-org/security/omnibus-gitlab'
  DEV_PROJECT_PATH: 'gitlab/omnibus-gitlab'
  QA_PROJECT_PATH: 'gitlab-org/build/omnibus-gitlab-mirror'
  ARM64_RUNNER_TAG: 'arm64'
  PACKAGE_PROMOTION_RUNNER_TAG: 'promotion'
  NIGHTLY_REPO: 'nightly-builds'
  NIGHTLY_FIPS_REPO: 'nightly-fips-builds'

.distribution-amd64-tags:
  - distribution-runner
  - amd64

.distribution-arm64-tags:
  - distribution-runner
  - ${ARM64_RUNNER_TAG}

.distribution-armhf-tags:
  - distribution-runner
  - armhf

### For services that need a docker daemon
.docker_job: &docker_job
  image: "${BUILDER_IMAGE_REGISTRY}/distribution_ci_tools:${BUILDER_IMAGE_REVISION}"
  variables:
    DOCKER_DRIVER: overlay2
    DOCKER_HOST: tcp://docker:2375
  services:
    - name: docker:23.0.5-dind
      alias: localhost
  tags:
    - gitlab-org-docker

.gems-cache:
  cache:
    key: "gems-cache-${BUILDER_IMAGE_REVISION}${CACHE_KEY_SUFFIX}"
    paths:
      - gems
    policy: pull

.gems-cache-os-dependent:
  cache:
    key: "gems-cache-${CI_JOB_IMAGE}${CACHE_KEY_SUFFIX}"
    paths:
      - gems

.build-package: &build-package
  - bundle exec rake cache:populate
  - bundle exec rake cache:restore
  - bundle exec rake build:project
  - bundle exec rake build:package:sync
  - bundle exec rake cache:bundle
  - bundle exec rake build:component_shas

before_script:
  - echo "PIPELINE_TYPE detected as ${PIPELINE_TYPE}"
  # Exit early if building on an OS for which we don't provide the specified
  # package edition (CE/EE). For child pipelines from
  # TRIGGERED_(CE|EE)_PIPELINE, we don't want exit early, but try to build
  # everything.
  - if [[ "${CI_PIPELINE_SOURCE}" != "parent_pipeline" ]]; then
      export CE_ONLY=(Raspberry);
      export EE_ONLY=(SLES RAT);
      for job in "${CE_ONLY[@]}"; do
        if [[ "${CI_JOB_NAME}" =~ ${job} ]]; then
          if ./support/is_gitlab_ee.sh; then
            echo "EE build found. ${CI_JOB_NAME} is run only on CE builds";
            exit 0 ;
          fi;
        fi;
      done;
      for job in "${EE_ONLY[@]}"; do
        if [[ "${CI_JOB_NAME}" =~ ${job} ]]; then
          if ! ./support/is_gitlab_ee.sh; then
            echo "CE build found. ${CI_JOB_NAME} is run only on EE builds";
            exit 0 ;
          fi;
        fi;
      done
    fi
  - echo $NIGHTLY
  - mkdir -p ~/.ssh
  - mkdir -p ~/.aws
  - mkdir -p cache
  - if [ -n "$DEV_GITLAB_SSH_KEY" ]; then
      echo "$DEV_GITLAB_SSH_KEY" > ~/.ssh/id_rsa;
      cp support/known_hosts ~/.ssh/known_hosts;
      chmod -R 0600 ~/.ssh/;
    fi
  - bash scripts/ci/prepare_bundle.sh
  - if [ -n "$NIGHTLY" ]; then
      export STAGING_REPO=${NIGHTLY_REPO};
      export FIPS_STAGING_REPO=${NIGHTLY_FIPS_REPO};
    fi

fetch-assets:
  extends: .docker_job
  stage: prepare
  timeout: 1 hour
  before_script: []
  script:
    - export VERSION=${GITLAB_ASSETS_TAG-${GITLAB_REF_SLUG-$(ruby -I. -e 'require "lib/gitlab/version"; puts Gitlab::Version.new("gitlab-rails").print')}}
    - support/fetch_assets "${VERSION}"
  artifacts:
    paths:
      - ${ASSET_PATH}
  rules:
    - if: '$COMPILE_ASSETS == "true"'
      when: never
    # NOTE (rspeicher): Checking `$AUTO_DEPLOY_COMPILE_ASSETS` as a feature flag
    # See https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5805
    - if: '$AUTO_DEPLOY_COMPILE_ASSETS && $PIPELINE_TYPE =~ /AUTO_DEPLOY_BUILD_PIPELINE$/'
      when: never
    # Run on all pipelines including a package build (except auto-deploy tag
    # covered above)
    - if: '$PIPELINE_TYPE =~ /_BUILD_PIPELINE$/'
    - if: '$PIPELINE_TYPE =~ /TRIGGERED_(CE|EE)_PIPELINE/'
    - if: '$PIPELINE_TYPE == "TRIGGER_CACHE_UPDATE_PIPELINE"'
    - if: '$PIPELINE_TYPE == "DURATION_PLOTTER_PIPELINE"'
  retry: 2

generate-facts:
  extends: .gems-cache
  stage: prepare
  image: "${BUILDER_IMAGE_REGISTRY}/distribution_ci_tools:${BUILDER_IMAGE_REVISION}"
  script:
    - mkdir -p build_facts
    - bundle exec omnibus manifest gitlab -l nothing > build_facts/version-manifest.json
    - bundle exec rake build:generate_facts
  artifacts:
    paths:
      - build_facts
    reports:
      dotenv: build_facts/env_vars
  rules:
    - if: '$PIPELINE_TYPE =~ /_BUILD_PIPELINE$/'
    - if: '$PIPELINE_TYPE == "TRIGGER_CACHE_UPDATE_PIPELINE"'
    - if: '$PIPELINE_TYPE =~ /_TEST_PIPELINE$/'
    - if: '$PIPELINE_TYPE == "GITLAB_MR_PIPELINE"'
    - if: '$PIPELINE_TYPE =~ /TRIGGERED_(CE|EE)_PIPELINE/'
    - if: '$PIPELINE_TYPE == "DEPS_IO_VERSION_BUMP_PIPELINE"'
    - if: '$PIPELINE_TYPE == "DEPENDENCY_SCANNING_PIPELINE"'
    - if: '$PIPELINE_TYPE == "FORK_MR_PIPELINE"'
    - when: never
  needs: []
  retry: 2

.notify:
  before_script:
    - apk add --no-cache curl
  image: "alpine"
  stage: notification_fail

notify:slack-fail:scheduled-master:
  extends:
    - .notify
  script:
    - ./support/notify_slack.sh "#qa-master" "☠️ Scheduled omnibus-build against master failed! ☠️ See $CI_PIPELINE_URL (triggered from $TOP_UPSTREAM_SOURCE_JOB)"
  rules:
    - if: '$TOP_UPSTREAM_SOURCE_JOB == null || $TOP_UPSTREAM_SOURCE_REF != "master"'
      when: never
    - if: '$PIPELINE_TYPE == "TRIGGERED_EE_PIPELINE"'
      when: on_failure

issue-bot:
  stage: notification_fail
  image: registry.gitlab.com/gitlab-org/distribution/issue-bot:latest
  script: /issue-bot
  rules:
    - if: '$CI_COMMIT_REF_NAME != $CI_DEFAULT_BRANCH'
      when: never
    - if: '$PIPELINE_TYPE == "PROTECTED_TEST_PIPELINE"'
      when: on_failure