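---
# GitLab CI pipeline for Geekbot.net: build -> SAST scan -> Sentry release -> deploy/mirror.
# The deploy-stage jobs read SSH_PRIVATE_KEY, DEPIP, DEPPATH and TOKEN, none of which are
# defined in this file; presumably they are project CI/CD variables.
# NOTE(review): confirm they are marked protected and masked.

stages:
  - build
  - security
  - ops
  - deploy

# Strict shell flags for every job that does not declare its own before_script.
# The deploy job declares one, which replaces this list, so these flags do not apply there.
before_script:
  - set -e
  - set -u
  - set -o pipefail

build:
  stage: build
  image: mcr.microsoft.com/dotnet/core/sdk:2.2
  artifacts:
    # Binaries are only kept long enough for the later stages of the same pipeline.
    expire_in: 1h
    paths:
      - Geekbot.net/Binaries/
  script:
    # NOTE(review): two feeds are passed to restore. Whether a package ID could be
    # satisfied from the unintended feed depends on NuGet configuration not shown here.
    - dotnet restore -s https://api.nuget.org/v3/index.json -s https://www.myget.org/F/discord-net/api/v3/index.json
    - dotnet test Tests
    # The version suffix is the first 8 characters of the commit SHA.
    - dotnet publish --version-suffix ${CI_COMMIT_SHA:0:8} --configuration Release -o Binaries ./

sast:
  stage: security
  image: docker:stable
  variables:
    DOCKER_DRIVER: overlay2
  # A failing scan does not fail the pipeline; the report artifact is what carries findings.
  allow_failure: true
  services:
    - docker:stable-dind
  script:
    # Use SP_VERSION when set, otherwise derive "<major>-<minor>-stable" from the server version.
    - export SAST_VERSION=${SP_VERSION:-$(echo "$CI_SERVER_VERSION" | sed 's/^\([0-9]*\)\.\([0-9]*\).*/\1-\2-stable/')}
    # The analyzer container gets the checkout at /code and a Docker socket.
    # NOTE(review): whoever controls the analyzer image controls that Docker daemon.
    # Presumably the socket belongs to the dind service rather than the runner host - confirm.
    - |
      docker run \
        --env SAST_ANALYZER_IMAGES \
        --env SAST_ANALYZER_IMAGE_PREFIX \
        --env SAST_ANALYZER_IMAGE_TAG \
        --env SAST_DEFAULT_ANALYZERS \
        --env SAST_BRAKEMAN_LEVEL \
        --env SAST_GOSEC_LEVEL \
        --env SAST_FLAWFINDER_LEVEL \
        --env SAST_DOCKER_CLIENT_NEGOTIATION_TIMEOUT \
        --env SAST_PULL_ANALYZER_IMAGE_TIMEOUT \
        --env SAST_RUN_ANALYZER_TIMEOUT \
        --volume "$PWD:/code" \
        --volume /var/run/docker.sock:/var/run/docker.sock \
        "registry.gitlab.com/gitlab-org/security-products/sast:$SAST_VERSION" /app/bin/run /code
  # The scan works on the checkout only, so no build artifacts are downloaded.
  dependencies: []
  artifacts:
    reports:
      sast: gl-sast-report.json

sentry:
  stage: ops
  # NOTE(review): no tag or digest, so the job runs whatever the default tag currently
  # points to. Consider pinning, e.g. getsentry/sentry-cli@sha256:<DIGEST>.
  image: getsentry/sentry-cli
  only:
    - master
  dependencies:
    - build
  script:
    # The release name is the fixed version prefix plus the 8-character commit SHA.
    # It is repeated on each line, so the three commands must be kept in sync.
    - sentry-cli releases new -p geekbot 4.1.0-${CI_COMMIT_SHA:0:8}
    - sentry-cli releases set-commits --auto 4.1.0-${CI_COMMIT_SHA:0:8}
    - sentry-cli releases deploys 4.1.0-${CI_COMMIT_SHA:0:8} new -e Production

deploy:
  stage: deploy
  # NOTE(review): untagged image in the job that loads the deploy SSH key.
  # Pinning it to a digest (runebaas/rsync-ssh-git@sha256:<DIGEST>) limits what can see the key.
  image: runebaas/rsync-ssh-git
  only:
    - master
  dependencies:
    - build
    - sentry
  environment:
    name: Production
    url: 'https://discordapp.com/oauth2/authorize?client_id=171249478546882561&scope=bot&permissions=1416834054'
  # Replaces the global before_script: set -e / -u / pipefail are not active in this job.
  before_script:
    - eval "$(ssh-agent -s)"
    - mkdir -p ~/.ssh
    # NOTE(review): inside a container this turns off SSH host key verification for all hosts.
    # rsync and ssh below then accept any server answering at $DEPIP, and that server
    # receives the binaries and the restart command.
    # Preferred: store the server's public host key in a protected CI/CD variable and write
    # it to ~/.ssh/known_hosts instead of this line.
    - '[[ -f /.dockerenv ]] && echo -e "Host *\n StrictHostKeyChecking no" > ~/.ssh/config'
    # The key goes to the agent over stdin and is never written to disk.
    # tr strips carriage returns from the variable value.
    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
    - chmod 700 ~/.ssh
  script:
    # Destination arguments are quoted so the variable values are not word-split or globbed.
    - rsync -rav -e "ssh -p 65432" ./Geekbot.net/Binaries/* "geekbot@$DEPIP:$DEPPATH"
    - ssh -p 65432 "geekbot@$DEPIP" "sudo systemctl restart geekbot.service"

mirror:
  stage: deploy
  image: runebaas/rsync-ssh-git
  only:
    - master
  dependencies:
    - build
    - sentry
  script:
    # Force-pushes origin/master over master on the GitHub mirror.
    # NOTE(review): the token is embedded in the remote URL, so it can appear in git
    # output or process listings. Confirm TOKEN is a masked variable scoped to this
    # repository only.
    - git push https://runebaas:$TOKEN@github.com/pizzaandcoffee/Geekbot.net.git origin/master:master -f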