# -*- coding: utf-8 -*-
image: alpine:latest

variables:
  DOCKER_DRIVER: overlay2

  #Dependency Scan remote is  ULTIMATE GOLD only Gemnasiumでのライブラリ脆弱性
  DEP_SCAN_DISABLE_REMOTE_CHECKS: local
  #SAST_CONFIDENCE_LEVEL: 1 #低リスクも挙がる
  GITLAB_FEATURES: "$GITLAB_FEATURES container_scanning dependency_scanning license_scanning sast "
  SAST_BANDIT_EXCLUDED_PATHS: "node_modules/*, src/lib/*"
  #SECRET_DETECTION_HISTORIC_SCAN: "true" # 時間を掛けて履歴もチェック

stages:
  - build
  - test
  - deploy # for Pages # dummy stage to follow the template guidelines
#  - review
  - dast
#  - staging
#  - canary
#  - production
#  - incremental rollout 10%
#  - incremental rollout 25%
#  - incremental rollout 50%
#  - incremental rollout 100%
#  - performance
#  - cleanup


include:
  - template: Jobs/Build.gitlab-ci.yml
#  - template: Jobs/Test.gitlab-ci.yml
  - template: Jobs/Code-Quality.gitlab-ci.yml
  - template: Jobs/Code-Intelligence.gitlab-ci.yml
#  - template: Jobs/Deploy.gitlab-ci.yml
#  - template: Jobs/Browser-Performance-Testing.gitlab-ci.yml
#  - template: Security/DAST.gitlab-ci.yml
#コンテナではない  - template: Security/Container-Scanning.gitlab-ci.yml
  - template: Jobs/Dependency-Scanning.gitlab-ci.yml
  - template: Jobs/License-Scanning.gitlab-ci.yml
  - template: Jobs/SAST.gitlab-ci.yml
#  - template: Jobs/Code-Intelligence.gitlab-ci.yml #for go
  - template: Jobs/Secret-Detection.gitlab-ci.yml
#  - template: Security/Secure-Binaries.gitlab-ci.yml # GitLabのScecureプロダクトのDockerイメージをローカルに持ってくる

# https://docs.gitlab.com/ee/ci/caching/#inherit-global-configuration-but-override-specific-settings-per-job
.cache: &default_cache
  key:
    files:
    - package-lock.json
    #npm-$CI_COMMIT_REF_SLUG
  paths:
  - .npm/
  - node_modules/
  policy: pull #pull-push

.owasp_cache: &owasp_cache
  key: OWASP
  paths:
    - data/
  policy: pull-push
  when: 'always' #OWASPが自動更新するので (default)on_success

build: #上書きと追加項目
  image: "node:alpine" #11.10.1-alpine <- alpine:2.9
  tags:
  - Docker
  needs: []
  cache:
    <<: *default_cache
    policy: pull-push   #Use npm cache & create node_modules
  script:
  - |
    function install_crxmake() {
      apk add --no-cache ruby zip #ruby-dev openssl-dev gcc musl-dev make
      export PATH=`gem environment gempath|sed 's/:.*$//'`/bin:$PATH
      gem install --user-install --no-document crxmake  #ruby-rdocパッケージいれず-no-..
      #gem install --user-install --no-document openssl_pkcs8 #Chrome WebStore need PKCS8
    }
    function build() {
      install_crxmake
      if [ -n "$PRIVATE_KEY" -a  ! -f src.pem ];then
        # 正式版の鍵があれば使う 上書きしない
        cp "$PRIVATE_KEY" src.pem
      fi
      ./build.sh
    }
    build
  artifacts:
    paths:
    - ${CI_PROJECT_NAME}.zip

#コードインテリジェンス https://docs.gitlab.com/ee/user/project/code_intelligence.html
code_intelligence_ts:
  stage: deploy
  needs: [ build ]
  allow_failure: true # recommended
  image: "node:alpine" #11.10.1-alpine <- alpine:2.9
  cache:
    <<: *default_cache
  rules:
    - if: $CODE_INTELLIGENCE_DISABLED
      when: never
    - if: $CI_COMMIT_BRANCH
      exists:
        - '**/*.ts'
  script:
    - npx lsif-tsc --project ./tsconfig.json --out dump.lsif
  artifacts:
    reports:
      lsif: dump.lsif

code_quality:  #STARTER BRONZE->CORE FREE
  services: # Shut off Docker-in-Docker
  tags:
    - cq-sans-dind

code_quality_html:
  extends: code_quality
  services: # Shut off Docker-in-Docker
  tags:
    - cq-sans-dind
  variables:
    REPORT_FORMAT: html
  artifacts:
    paths: [gl-code-quality-report.html]

code_quality_eslint:
  image: node:alpine
  needs: [ build ]
  cache:
    <<: *default_cache
    policy: pull   #Not update
  script:
    - npx eslint src --ext ts --format gitlab
  artifacts:
    reports:
      codequality: gl-code-quality.json

# コンテナではない
# container_scanning: #Docker image形式を検査する
#   tags: #追加項目
#   - DinD
#   needs: []
#   artifacts:
#     expose_as: 'Container Scanning Report JSON'
#     paths:
#       - gl-container-scanning-report.json

dependency_scanning:  #ULTIMATE GOLD
  tags: #追加項目
  - DinD
  needs: []
  artifacts:
    # *ファイル名には使えない expose_as: "Dependency JSON"
    paths:
      - "**/cyclonedx-*.json"
      - "gl-dependency-scanning-report.json"

license_scanning: #ULTIMATE GOLD
  tags: #追加項目
  - DinD
  needs: []
  artifacts:
    expose_as: "License Scanning Report json"
    paths: [ "gl-license-scanning-report.json", "gl-license-scanning-report.html", $LM_REPORT_FILE ]

secret_detection:
  tags: #追加項目
  - DinD
  variables:
    SECRET_DETECTION_EXCLUDED_PATHS: "src/lib/ipag00303/ipag-ttf.js" # カンマ区切りでglab
  artifacts:
    expose_as: "Secret detection JSON"
    paths:
      - "gl-secret-detection-report.json"

sast: #ULTIMATE GOLD->CORE FREE(ESLint)
  #SAST_CONFIDENCE_LEVEL=1で低リスクも挙がる
  tags: #追加項目
  - DinD

#のこりのテストはreviewが必要
# dast:
# performance:

cov-test:
  image: "node:alpine" #15.5.0-alpine3.11
  stage: test
  needs: [ build ]
  cache:
    <<: *default_cache
    policy: pull   #Not update
  script:
    - npx nyc --reporter cobertura mocha  # npm run coverage
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage/cobertura-coverage.xml
  rules:
    - if: '$TEST_DISABLED'
      when: never
    - if: '$CI_COMMIT_BRANCH'
      exists:
        - .nycrc

pages:
  stage: deploy
  needs:
    - code_quality
    - code_quality_html
  #  - cov-test  # This depend on .nycrc
  #  - container_scanning # $CONTAINER_SCANNING_DISABLED
  #  - dependency_scanning
    - gemnasium-dependency_scanning
  #  - retire-js-dependency_scanning 15.0で無くなった
    - license_scanning
    - owasp-dependency-check
  #  - sast                        テンプレート Artifactsはすべて gl-sast-report.json
  #  - brakeman-sast               # for Ruby
  #  - eslint-sast                 Removed 15.4
  #  - flawfiinder-sast            # for C, C++
  #  - kubesec-sast
  #  - mobsf-android-sast
  #  - mobst-ios-sast
    - nodejs-scan-sast
  #  - phpcs-security-audit-sast
  #  - pmd-apex-sast               # *.cls
  #  - security-code-scan-sast     # *.csproj *.vbproj
    - semgrep-sast                 # python, JavaScript, TypeScript Go Java C# HTML
  #  - sobelow-sast                # mix.exs
  #  -  spotbugs-sast              # groovy scala kt
  script:
  - |
    mkdir .public
    cp -r -p \
        gl-code-quality-report.json \
        gl-code-quality-report.html \
        coverage/cobertura-coverage.xml \
        gl-container-scanning-report.json \
        gl-dependency-scanning-report.json \
        gl-license-scanning-report.html \
        gl-sast-report.json \
        report \
        .public/ || true
    echo "<html><header><title>CI Reports ${CI_JOB_ID}</title></header><body>
          <ul>" >index.html
    (cd .public;
      for file in *;do
        set +e
        [[ -e "$file" ]] &&  echo '<li><a href="'$file'">'$file'</a></li>' # "
        set -e
      done )>>index.html
    echo '</ul>
          </body></html>' >>index.html
    mv index.html .public
    mv .public public
  artifacts:
    expose_as: "CI Reports"
    paths:
    - public
  rules:
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

# OSS脆弱性チェック  OWASP Dependency Check https://knowledge-swimmer.com/gitlab-ci-owasp-dependency-check
owasp-dependency-check:
  stage: test
#  only:
#  - schedules
  needs: [ build ]
  image:
    name: owasp/dependency-check:latest
    entrypoint: [""]
  cache:
    - <<: *default_cache
    - <<: *owasp_cache
  script:
  - /usr/share/dependency-check/bin/dependency-check.sh --out report
    --failOnCVSS 3 --project "OWASP $CI_PROJECT_TITLE" --scan .
    --suppression owasp-dependency-check-suppressions.xml
    --data data
    #--noupdate
  allow_failure: true # CIに失敗してもMRをMerge可能なようにする設定
  artifacts:
    when: on_failure
    paths:
    - report
  rules:
    - if: '$TEST_DISABLED'
      when: never
    - if: '$CI_COMMIT_BRANCH'

reviewdog:
  stage: test
  needs: [ build ]
  image: "node:alpine" #11.10.1-alpine <- alpine:2.9
  cache:
    <<: *default_cache
  allow_failure: true # CIに失敗してもMRをMerge可能なようにする設定
  variables:
    # see: https://kiririmode.hatenablog.jp/entry/20220327/1648344999
    GIT_STRATEGY: clone
    GIT_DEPTH: "0"
  script:
  - |
    apk add --no-cache --update git
    # apk add --update npm
    # npm install # package.jsonに登録したtextlintのインストール
    # reviewdogのinstall
    # bin/ 以下に実行ファイルがインストールされます
    wget -O - -q https://raw.githubusercontent.com/reviewdog/reviewdog/master/install.sh | sh -s
    # textlintとreviewdogの実行
    # *.md ファイルを対象にlinterを実行しています
    npx stylelint "src/**/*.css" | bin/reviewdog -f=stylelint -name="stylelint" -reporter=gitlab-mr-discussion || true
    npx tsc --pretty false --noEmit |bin/reviewdog -f=tsc -name="tsc" -reporter=gitlab-mr-discussion || true
    npx textlint -f checkstyle --no-color "**/*.md" | bin/reviewdog -f=checkstyle -name="textlint" -reporter=gitlab-mr-discussion || true
    #npx textlint -f stylish "**/*.md" | bin/reviewdog -f=eslint -name="textlint" -reporter=gitlab-mr-discussion
    npx htmlhint -f checkstyle --nocolor "src/**/*.html" | bin/reviewdog -f=checkstyle -name="htmlhint" -reporter=gitlab-mr-discussion || true
  rules:
    - if: '$BUILD_DISABLED'
      when: never
    - if: '$AUTO_DEVOPS_PLATFORM_TARGET == "EC2"'
      when: never
    - if: '( $CI_COMMIT_TAG || $CI_COMMIT_BRANCH ) && $CI_OPEN_MERGE_REQUESTS'

# ---------------------------------------------------------------------------
.auto_devops: &auto_devops |
  # Auto DevOps variables and functions
  [[ "$TRACE" ]] && set -x

before_script:
  - *auto_devops