---
# Pipeline stages in execution order
stages:
  - pre-build  # docker image + dependency cache
  - test
  - build
  - deploy
  - publish
  - manual     # opt-in jobs (screenshot updates, integration branch, review stop)
# Defaults inherited by every job unless overridden
default:
  # Let GitLab cancel these jobs when they become redundant
  interruptible: true
  artifacts:
    expire_in: '30 days'
  tags:
    - gitlab-org
variables:
  PUPPETEER_VERSION: "11.0.0"
  PUPPETEER_IMAGE: "$CI_REGISTRY_IMAGE/puppeteer:$PUPPETEER_VERSION"
  # Run SAST and Dependency Scanning without docker-in-docker (faster variant)
  SAST_DISABLE_DIND: "true"
  DS_DISABLE_DIND: "true"
  # Restrict SAST to the javascript analyzers; the Danger (ruby) code in the
  # repo would otherwise trigger the ruby analyzer as well
  SAST_DEFAULT_ANALYZERS: "nodejs-scan, eslint"
  CYPRESS_CACHE_FOLDER: "$CI_PROJECT_DIR/.cypress_cache/Cypress"
include:
  # GitLab-maintained scanning / quality templates; their jobs are tuned below
  - template: Code-Quality.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: License-Scanning.gitlab-ci.yml
  - template: Container-Scanning.gitlab-ci.yml
  - template: SAST.gitlab-ci.yml
  - template: Secret-Detection.gitlab-ci.yml
  # Presumably provides the `.semantic-release` template extended by publish_to_npm
  # NOTE(review): no `ref:` pin, so this tracks that project's default branch
  - project: gitlab-org/frontend/frontend-build-images
    file: /semantic-release/.gitlab-ci-template.rules.yml
  # NOTE(review): same here — unpinned include from another project
  - project: gitlab-org/frontend/untamper-my-lockfile
    file: templates/merge_request_pipelines.yml
# The included security/quality templates ship their own `rules`. Replacing
# them with an unconditional rule makes these jobs follow the pipeline-level
# `workflow` rules (merge requests and the default branch) instead.
# Could become unnecessary once
# https://gitlab.com/gitlab-org/gitlab/-/issues/217668 lands.
.secure-jobs-config: &secure-jobs-config
  needs: []
  rules:
    - when: always

gemnasium-dependency_scanning:
  <<: *secure-jobs-config

code_quality:
  <<: *secure-jobs-config
  # Runs on the gitlab-org-docker runners instead of the default gitlab-org tag
  tags:
    - gitlab-org-docker

license_scanning:
  <<: *secure-jobs-config

eslint-sast:
  <<: *secure-jobs-config

nodejs-scan-sast:
  <<: *secure-jobs-config

secret_detection:
  <<: *secure-jobs-config
container_scanning:
  needs:
    - build_docker_image
  variables:
    # Presumably the image that build_docker_image pushes — verify against bin/build-docker.sh
    CI_APPLICATION_REPOSITORY: "$CI_REGISTRY_IMAGE/puppeteer"
    CI_APPLICATION_TAG: "$PUPPETEER_VERSION"
  rules:
    - when: always
# Base for jobs that run inside the project's puppeteer image
.puppeteer:
  image: "$PUPPETEER_IMAGE"
  needs:
    - build_docker_image
# Base for plain node jobs; skip puppeteer's browser download there
.node:
  image: node:16-buster
  variables:
    PUPPETEER_SKIP_DOWNLOAD: "true"
# Cache template for node_modules (plus the Cypress binary cache).
# The key is derived from .gitlab-ci.yml and yarn.lock: the lockfile changes
# whenever dependencies change, and the CI config is included so that touching
# the caching logic itself invalidates previously built caches.
.cache-template: &cache-template
  key:
    prefix: node_modules
    files:
      - .gitlab-ci.yml
      - yarn.lock
  paths:
    - node_modules/
    - .cypress_cache/Cypress
# Installs dependencies from the shared cache (read-only; populate_npm_cache writes it)
.yarn_install:
  cache:
    <<: *cache-template
    policy: pull
  before_script:
    - yarn install --frozen-lockfile
# Pipelines are created only for the default branch and for merge requests;
# everything else is dropped by the final `when: never`
workflow:
  rules:
    - if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH'
      when: always
    - if: '$CI_MERGE_REQUEST_IID'
      when: always
    - when: never
# Default branch of the gitlab-org/gitlab-ui project only (not forks)
.rules:gitlab-ui-default-branch:
  rules:
    - if: '$CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH && $CI_PROJECT_PATH == "gitlab-org/gitlab-ui"'

# Merge requests whose pipeline runs in the gitlab-org/gitlab-ui project,
# i.e. MRs from the project itself or fork MRs run by a team member
.if-gitlab-ui-mr: '$CI_MERGE_REQUEST_IID && $CI_PROJECT_PATH == "gitlab-org/gitlab-ui"'

.rules:gitlab-ui-mr:
  rules:
    - if: !reference [.if-gitlab-ui-mr]

# Same condition, exposed as an optional (manual, non-blocking) job
.rules:gitlab-ui-mr-manual:
  rules:
    - if: !reference [.if-gitlab-ui-mr]
      when: manual
      allow_failure: true
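# Builds the puppeteer image via bin/build-docker.sh using a docker-in-docker service
build_docker_image:
  stage: pre-build
  image: docker:20.10.16
  services:
    - docker:20.10.16-dind
  tags:
    - gitlab-org-docker
  variables:
    # Plain-TCP daemon socket of the dind service; assumes the service is
    # configured for an unencrypted listener on 2375 — TODO confirm
    DOCKER_HOST: 'tcp://docker:2375/'
  script:
    - docker info
    # Feed the job token on stdin instead of `-p` so the secret is not part of
    # the command line (process list / docker's insecure-password warning)
    - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "$CI_REGISTRY"
    - ./bin/build-docker.sh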
# Writes the node_modules cache. Its key is built from the CI config and the
# lockfile, so the job only needs to run when one of those files changes;
# the trailing `when: never` skips it otherwise.
# NOTE(review): an earlier comment mentioned a manual escape-hatch job, but
# no manual rule is defined here.
populate_npm_cache:
  extends: [.node, .yarn_install]
  stage: pre-build
  rules:
    - changes:
        - .gitlab-ci.yml
        - yarn.lock
      when: always
    - when: never
  cache:
    <<: *cache-template
    policy: push
  script:
    - echo "successfully installed dependencies"
danger-review:
  stage: test
  image: registry.gitlab.com/gitlab-org/gitlab-build-images:danger
  needs: []
  variables:
    DANGER_GITLAB_API_TOKEN: "$GITLAB_TOKEN"
  # Only in merge request pipelines where the API token is actually available
  # (presumably it is withheld from unprivileged fork pipelines — confirm)
  rules:
    - if: '$GITLAB_TOKEN && $CI_MERGE_REQUEST_IID'
      when: always
  script:
    - danger --fail-on-errors=true
# Builds the library and packs it as a tarball artifact
build_package:
  extends: [.node, .yarn_install]
  stage: build
  needs: []
  variables:
    TAR_ARCHIVE_NAME: "gitlab-ui.$CI_COMMIT_REF_SLUG.tgz"
  script:
    - yarn build
    - yarn pack --filename $TAR_ARCHIVE_NAME
    # Raw artifact URL of the tarball, exported through the dotenv report so a
    # later job (create_integration_branch) can install this exact build
    - DEPENDENCY_URL="$CI_PROJECT_URL/-/jobs/$CI_JOB_ID/artifacts/raw/$TAR_ARCHIVE_NAME"
    - echo "The package.json dependency URL is $DEPENDENCY_URL"
    - echo "DEPENDENCY_URL=$DEPENDENCY_URL" > build_package.env
  artifacts:
    when: always
    reports:
      dotenv: build_package.env
    paths:
      - dist
      - src/scss/utilities.scss
      - scss_to_js/scss_variables.*
      - $TAR_ARCHIVE_NAME
# Builds the static storybook into public/ (consumed by review and pages)
build_storybook:
  extends: [.node, .yarn_install]
  stage: build
  needs: []
  script:
    - apt-get update
    - apt-get install -y brotli gzip
    - echo "Building storybook..."
    - yarn storybook-static
    - mkdir public
    - mv storybook/* public
    # Keep (-k) the originals and add pre-compressed copies next to them, see
    # https://docs.gitlab.com/ee/user/project/pages/introduction.html#serving-compressed-assets
    - echo "Compressing assets..."
    - find public -type f -regex '.*\.\(htm\|html\|txt\|text\|js\|json\|css\|svg\|xml\)$' -exec gzip -f -k {} \;
    - find public -type f -regex '.*\.\(htm\|html\|txt\|text\|js\|json\|css\|svg\|xml\)$' -exec brotli -f -k {} \;
    - ls -alth public/
  artifacts:
    paths:
      - public
lint:
  extends: [.node, .yarn_install]
  stage: test
  needs: []
  script:
    - yarn build-scss-variables
    - yarn eslint
    - yarn prettier
    - yarn stylelint
    - yarn markdownlint
    # Folded scalar (>): the four lines become a single shell command.
    # Fails the job if any .vue component contains a <style tag.
    - >
      grep -r -i '<style' --include \*.vue components
      && echo "Vue components should not contain <style tags"
      && exit 1
      || echo "No Vue component contains <style tags"
generate_utility_classes:
  extends: [.node, .yarn_install]
  stage: test
  needs: []
  script:
    - yarn generate-utilities
# Full visual regression suite: always on the gitlab-ui default branch,
# opt-in (manual, non-blocking) on merge requests
visual:
  extends: [.puppeteer, .yarn_install]
  stage: test
  needs:
    - build_docker_image
  rules:
    - !reference ['.rules:gitlab-ui-default-branch', rules]
    - if: '$CI_MERGE_REQUEST_IID'
      when: manual
      allow_failure: true
  script:
    - yarn test:visual
  artifacts:
    when: always
    paths:
      - tests/__image_snapshots__/
# Reduced visual suite that runs automatically on every merge request
visual_minimal:
  extends: [.puppeteer, .yarn_install]
  stage: test
  needs:
    - build_docker_image
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
      when: always
  script:
    - yarn test:visual:minimal
  artifacts:
    when: always
    paths:
      - tests/__image_snapshots__/
integration_tests:
  extends: [.node, .yarn_install]
  # Job-level image wins over .node's node:16-buster
  image: cypress/browsers:node14.17.0-chrome91-ff89
  stage: test
  needs: []
  script:
    - yarn test:integration
  # Keep Cypress output (screenshots/videos) only when something failed
  artifacts:
    when: on_failure
    expire_in: '1 week'
    paths:
      - cypress
unit_tests:
  extends: [.node, .yarn_install]
  stage: test
  needs: []
  script:
    - yarn test:unit
# Manual MR job: regenerate the visual snapshots and run the update script
update_screenshots:
  extends:
    - .puppeteer
    - .yarn_install
    - .rules:gitlab-ui-mr-manual
  stage: manual
  script:
    - yarn test:visual:update
    - ./bin/update-screenshots.sh
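# Deploys the storybook build to a per-branch review app on the nginx host
review:
  extends:
    - .rules:gitlab-ui-mr
  stage: deploy
  needs:
    - build_storybook
  tags:
    - nginx
    - review-apps
    - deploy
  script:
    # ${VAR:?} aborts the job if the slug is unset or empty, so an rsync
    # with --delete can never target the shared pages root
    - 'rsync -av --delete public "/srv/nginx/pages/${CI_COMMIT_REF_SLUG:?}"'
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    # Served over plain http — presumably an internal review host; confirm
    url: http://$CI_COMMIT_REF_SLUG.$APPS_DOMAIN
    on_stop: review_stop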
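# Tears down the per-branch review app (manual, triggered via on_stop)
review_stop:
  extends:
    - .rules:gitlab-ui-mr-manual
  stage: manual
  needs:
    - review
  tags:
    - nginx
    - review-apps
    - deploy
  script:
    # ${VAR:?} aborts if the slug is unset or empty; without it this line
    # would expand to `rm -rf /srv/nginx/pages/` and wipe every review app
    - 'rm -rf public "/srv/nginx/pages/${CI_COMMIT_REF_SLUG:?}"'
  environment:
    name: review/$CI_COMMIT_REF_SLUG
    action: stop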
# GitLab Pages deploy of the storybook build; default branch only
pages:
  extends:
    - .rules:gitlab-ui-default-branch
  stage: deploy
  needs:
    - build_storybook
  script:
    - echo "Deploying to Pages"
  artifacts:
    paths:
      - public
# Manual MR job: pushes a branch to gitlab-org/gitlab that pins @gitlab/ui to
# this pipeline's tarball (DEPENDENCY_URL comes from build_package's dotenv report)
create_integration_branch:
  extends:
    - .node
    - .rules:gitlab-ui-mr-manual
  stage: manual
  needs:
    - build_package
  script:
    - INTEGRATION_BRANCH="gitlab-ui-integration-$CI_COMMIT_REF_NAME"
    # NOTE(review): the address below appears redacted in this copy of the file
    - git config --global user.email "[email protected]"
    - git config --global user.name "GitLab Bot"
    - git clone https://gitlab.com/gitlab-org/gitlab.git gitlab --depth=1
    - cd gitlab
    # Reuse the integration branch if it already exists on origin, else create it
    - (git remote set-branches origin '*' && git fetch origin $INTEGRATION_BRANCH && git checkout $INTEGRATION_BRANCH) || git checkout -b $INTEGRATION_BRANCH
    - yarn add @gitlab/ui@$DEPENDENCY_URL
    - git add package.json yarn.lock
    - 'git commit -m "GitLab UI integration branch for $CI_COMMIT_REF_NAME"'
    # NOTE(review): the push URL embeds the bot credential (redacted in this copy).
    # A credential in a URL can surface in job logs or git error output; a
    # credential helper or an `http.extraHeader` config keeps it off the command line.
    - git push -u https://gitlab-bot:[email protected]/gitlab-org/gitlab.git HEAD
publish_to_npm:
  extends:
    - .semantic-release
    - .rules:gitlab-ui-default-branch
  # Placed in the stage after `pages` on purpose: this job creates a new
  # commit, and running earlier could leave `pages` without a chance to
  # deploy for the current commit.
  stage: publish
  # Deliberately uses stage ordering instead of `needs`, so that a failure
  # in any earlier stage prevents publishing.
  dependencies:
    - build_package