.gitlab-ci.yml

image: quay.io/tike/alpine-oc-java-17

variables:
  MAVEN_OPTS: "-Dmaven.repo.local=$CI_PROJECT_DIR/.m2/repository"
  PROJECT_NAME: "orgrek-db"
  PROJECT_VERSION: "1.0.0"

cache:
  paths:
    - .m2/repository


# Define the stages
stages:
  - clean-cache
  - build
  - dtrack-sbom
  - dependency-track-submit
  - dependency-check
  - sonarqube-check
  - test
  - audit_scan
  - deploy

# Define the process for each stage

clean-cache:
  stage: clean-cache
  tags:
    - ohtu-build-4
  script:
    - echo "Clearing Maven repository cache."
    - rm -rf $CI_PROJECT_DIR/.m2/repository

build :
  stage: build
  tags:
    - ohtu-build-4
  script:
    - mvn clean install
    - mvn --version
  artifacts:
    name: orgrek-db-build-$CI_BUILD_ID-$CI_BUILD_REF
    paths:
      - target/*.jar
    expire_in: 1h

dtrack-sbom:
  tags:
    - ohtu-build-4
  stage: dtrack-sbom
  script:
    - mvn org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom
  artifacts:
    expire_in: 1h
    paths:
      - target/bom.xml

submit-sbom:
  image: alpine:latest
  stage: dependency-track-submit
  only:
    - main
  tags:
    - ohtu-build-4
  dependencies:
    - dtrack-sbom
  before_script:
    - apk add --no-cache curl
  script:
    - "curl -X POST ${DTRACK_TEST_API_URL} -H 'Content-Type: multipart/form-data' -H 'X-Api-Key: '${DTRACK_TEST_API_KEY} -F 'projectName='${PROJECT_NAME} -F 'autoCreate=true' -F 'projectVersion='${PROJECT_VERSION} -F 'bom=@target/bom.xml'"

test :
  stage: test
  tags:
    - ohtu-build-4
  script:
    - mvn test
    - cat target/site/jacoco/index.html | grep -o 'Total[^%]*%'
  coverage: "/Total.*?([0-9]{1,3})%/"
  artifacts:
    paths:
      - target/site/jacoco
    expire_in: 1 week


# Dependency-Check Stage
dependency-check:
  stage: dependency-check
  only:
    - main
  tags:
    - ohtu-build-4
  image:
    name: owasp/dependency-check:latest
    entrypoint: [""]
  script:
    - >
      /usr/share/dependency-check/bin/dependency-check.sh
      --project orgrek-db --scan .
      --format JSON --format HTML  -nvdApiKey $NVD_API_KEY
  artifacts:
    when: always
    expire_in: 1 hour
    paths:
      - dependency-check-report.json
      - dependency-check-report.html


sonarqube-check:
  stage: sonarqube-check
  tags:
    - ohtu-build-4
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - mvn verify sonar:sonar -Dsonar.projectKey=orgrek-db -Dsonar.host.url=${SONAR_HOST_URL} -Dsonar.token=${SONAR_TOKEN} -Dsonar.dependencyCheck.jsonReportPath=dependency-check-report.json -Dsonar.dependencyCheck.htmlReportPath=dependency-check-report.html
  only:
    - main
  needs:
    - job: dependency-check
      artifacts: true

  # Define the process for deploy stage to development environment
deploy_dev:
  stage: deploy
  tags:
    - ohtu-build-4
  environment:
    name: development
  only:
    - main
  except:
    - schedules
  script:
    # set home path for openshift 1001 user
    - export HOME=/home/1001
    # before any action, I connect to the OpenShift server with the appropriate credentials
    - oc login https://$OPENSHIFT_ADDR_TEST:$OPENSHIFT_PORT --token=$OPENSHIFT_TOKEN_TEST
    - oc project organisaatiorekisteri
    # add secrets here
    - oc delete secret generic db-dev-password --ignore-not-found
    - oc create secret generic db-dev-password --from-literal=password=$DB_DEV_PASSWORD
    # list environment variables here
    - oc set env --from=secret/db-dev-password deploy/organisaatiorekisteri-db-dev
    - oc set env deploy/organisaatiorekisteri-db-dev URL=$DB_DEV_URL
    - oc set env deploy/organisaatiorekisteri-db-dev PORT=$DB_PORT
    - oc set env deploy/organisaatiorekisteri-db-dev USERNAME=$DB_DEV_USERNAME
    - oc set env deploy/organisaatiorekisteri-db-dev TZ="Europe/Helsinki"
    # Start build process
    - oc start-build organisaatiorekisteri-db-dev --from-dir=. --follow
    # patch openshift buildConfig file
    - oc patch bc/organisaatiorekisteri-db-dev --patch '{"spec":{"successfulBuildsHistoryLimit":1}}'
    - oc patch bc/organisaatiorekisteri-db-dev --patch '{"spec":{"failedBuildsHistoryLimit":1}}'
    # set pod memory quota to 300 MB and limit to 500 MB
    - oc set resources deploy/organisaatiorekisteri-db-dev --limits=memory=500Mi --requests=memory=300Mi

deploy_test:
  stage: deploy
  tags:
    - ohtu-build-4
  environment:
    name: test
  only:
    - test
  script:
    # set home path for openshift 1001 user
    - export HOME=/home/1001
    # before any action, I connect to the OpenShift server with the appropriate credentials
    - oc login https://$OPENSHIFT_ADDR_TEST:$OPENSHIFT_PORT --token=$OPENSHIFT_TOKEN_TEST
    - oc project organisaatiorekisteri
    # add secrets here
    - oc delete secret generic db-test-password --ignore-not-found
    - oc create secret generic db-test-password --from-literal=password=$DB_TEST_PASSWORD
    # list environment variables here
    - oc set env --from=secret/db-test-password deploy/organisaatiorekisteri-db-test
    - oc set env deploy/organisaatiorekisteri-db-test URL=$DB_TEST_URL
    - oc set env deploy/organisaatiorekisteri-db-test PORT=$DB_PORT
    - oc set env deploy/organisaatiorekisteri-db-test USERNAME=$DB_TEST_USERNAME
    - oc set env deploy/organisaatiorekisteri-db-test TZ="Europe/Helsinki"
    # start build process
    - oc start-build organisaatiorekisteri-db-test --from-dir=. --follow
    # patch openshift buildConfig file
    - oc patch bc/organisaatiorekisteri-db-test --patch '{"spec":{"successfulBuildsHistoryLimit":1}}'
    - oc patch bc/organisaatiorekisteri-db-test --patch '{"spec":{"failedBuildsHistoryLimit":1}}'
    # set pod memory quota to 300 MB and limit to 500 MB
    - oc set resources deploy/organisaatiorekisteri-db-test --limits=memory=500Mi --requests=memory=300Mi

deploy_prod:
  stage: deploy
  tags:
    - ohtu-build-4
  environment:
    name: prod
  only:
    - prod
  when: manual
  script:
    # set home path for openshift 1001 user
    - export HOME=/home/1001
    # before any action, I connect to the OpenShift server with the appropriate credentials
    - oc login https://$OPENSHIFT_ADDR_PROD:$OPENSHIFT_PORT --token=$OPENSHIFT_TOKEN_PROD
    - oc project organisaatiorekisteri
    # add secrets here
    - oc delete secret generic db-prod-password --ignore-not-found
    - oc create secret generic db-prod-password --from-literal=password=$DB_PROD_PASSWORD
    # list environment variables here
    - oc set env --from=secret/db-prod-password deploy/organisaatiorekisteri-db-prod
    - oc set env deploy/organisaatiorekisteri-db-prod URL=$DB_PROD_URL
    - oc set env deploy/organisaatiorekisteri-db-prod PORT=$DB_PORT
    - oc set env deploy/organisaatiorekisteri-db-prod USERNAME=$DB_PROD_USERNAME
    - oc set env deploy/organisaatiorekisteri-db-prod TZ="Europe/Helsinki"
    # start build process
    - oc start-build organisaatiorekisteri-db-prod --from-dir=. --follow
    # patch openshift buildConfig file
    - oc patch bc/organisaatiorekisteri-db-prod --patch '{"spec":{"successfulBuildsHistoryLimit":1}}'
    - oc patch bc/organisaatiorekisteri-db-prod --patch '{"spec":{"failedBuildsHistoryLimit":1}}'
    # set pod memory quota to 300 MB and limit to 500 MB
    - oc set resources deploy/organisaatiorekisteri-db-prod --limits=memory=500Mi --requests=memory=300Mi

# Rules for the scheduled npm audit and outdated scans
dependency scanning:
  stage: audit_scan
  tags:
    - ohtu-build-4
  allow_failure: true
  only:
    - schedules
  script:
    # Run OWASP audit and write outputs to a txt file.
    - echo "=== Running OWASP diagnostics ==="
    - export RESULT_FILE="./target/dependency-check-report.html"
    - mvn clean install -Powasp-dependency-check
    - echo "Done with OWASP diagnostics."
    - echo "Sending results to Slack..."
    # Send result file to "audit-logs" channel in Ohtu's Slack space (see https://api.slack.com/methods/files.upload).
    - "curl -F file=@${CI_PROJECT_DIR}/$RESULT_FILE -F 'initial_comment=Orgrek-db audit scan report' -F channels=${AUDIT_RESULT_SLACK_CHANNEL_ID} -F filename=$RESULT_FILE -F filetype=text -H 'Authorization: Bearer '${SLACK_FILE_UPLOAD_TOKEN} https://slack.com/api/files.upload"
    - echo "Done with sending results to Slack."
    - export RESULT_NEW_VERSIONS_FILE="./new-versions.txt"
    - echo " === Scanning maven dependencies with newer versions ===" >> $RESULT_NEW_VERSIONS_FILE
    - echo "" >> $RESULT_NEW_VERSIONS_FILE
    - mvn versions:display-dependency-updates >> $RESULT_NEW_VERSIONS_FILE
    - echo "" >> $RESULT_NEW_VERSIONS_FILE
    - echo " === Scanning maven dependencies with plugin updates ===" >> $RESULT_NEW_VERSIONS_FILE
    - echo "" >> $RESULT_NEW_VERSIONS_FILE
    - mvn versions:display-plugin-updates >> $RESULT_NEW_VERSIONS_FILE
    # Send result file to "audit-logs" channel in Ohtu's Slack space (see https://api.slack.com/methods/files.upload).
    - "curl -F file=@${CI_PROJECT_DIR}/$RESULT_NEW_VERSIONS_FILE -F 'initial_comment=Orgrek-db new maven dependencies versions / plugins report' -F channels=${AUDIT_RESULT_SLACK_CHANNEL_ID} -F filename=$RESULT_NEW_VERSIONS_FILE -F filetype=text -H 'Authorization: Bearer '${SLACK_FILE_UPLOAD_TOKEN} https://slack.com/api/files.upload"
    - echo "Done with sending results to Slack."