include:
- template: 'Workflows/MergeRequest-Pipelines.gitlab-ci.yml'
- project: unboundsoftware/ci-templates
  file: Release.gitlab-ci.yml

stages:
- build
- test
- deploy-prod
- release

variables:
  UNBOUND_RELEASE_TAG_ONLY: true
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: "/certs"
  DOCKER_TLS_VERIFY: 1
  DOCKER_CERT_PATH: "$DOCKER_TLS_CERTDIR/client"
  DOCKER_DRIVER: overlay2

.buildtools:
  image: buildtool/build-tools:${BUILDTOOLS_VERSION}
  services:
  - docker:${DOCKER_DIND_VERSION}

run-pre-commit:
  stage: .pre
  image: unbound/pre-commit@sha256:92fce44d8a7e40b4d30b777e50a5189d9b3031f72e563e3f3c9deb49c75f35c0
  variables:
    PRE_COMMIT_HOME: ${CI_PROJECT_DIR}/.cache/pre-commit
  cache:
  - key:
      files:
      - .pre-commit-config.yaml
    paths:
    - ${PRE_COMMIT_HOME}
  script:
  - pre-commit run --all-files

check:
  stage: .pre
  image: golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174
  script:
  - go install mvdan.cc/gofumpt@latest
  - go install golang.org/x/tools/cmd/goimports@latest
  - go generate ./...
  - git diff --stat  --exit-code

build:
  extends: .buildtools
  stage: build
  script:
  - build
  - curl -Os https://uploader.codecov.io/latest/linux/codecov
  - chmod +x codecov
  - ./codecov -t ${CODECOV_TOKEN} -R $CI_PROJECT_DIR -C $CI_COMMIT_SHA -r $CI_PROJECT_PATH
  - push

vulnerabilities:
  stage: build
  image: golang:1.23.3@sha256:d56c3e08fe5b27729ee3834854ae8f7015af48fd651cd25d1e3bcf3c19830174
  script:
  - go install golang.org/x/vuln/cmd/govulncheck@latest
  - govulncheck ./...

deploy-prod:
  extends: .buildtools
  stage: deploy-prod
  before_script:
  - echo Deploy to prod
  script:
  - deploy prod
  rules:
  - if: $CI_COMMIT_BRANCH == "main"
  environment:
    name: prod

check_release:
  stage: test
  image:
    name: goreleaser/goreleaser:v2.4.4@sha256:1f5ae36e41ede8b994a93c66e5c1fb1b1111de2ce88f25b6378e341771ed963e
    entrypoint: [ '' ]
  script: |
    goreleaser check
    goreleaser release --snapshot --clean

release:
  stage: release
  needs:
  - unbound_release_prepare_release
  image:
    name: goreleaser/goreleaser:v2.4.4@sha256:1f5ae36e41ede8b994a93c66e5c1fb1b1111de2ce88f25b6378e341771ed963e
    entrypoint: [ '' ]
  variables:
    # Disable shallow cloning so that goreleaser can diff between tags to
    # generate a changelog.
    GIT_DEPTH: 0
    GITLAB_TOKEN: $GITLAB_CI_TOKEN
  # Only run this release job for tags, not every commit (for example).
  rules:
  - if: $CI_COMMIT_TAG
  script: |
    goreleaser release --clean --release-notes=CHANGES.md