.gitlab-ci.yml

stages:
  - lint
  - build
  - check
  - deploy

image: docker:latest

services:
  - docker:dind

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_HOST: tcp://docker:2375
  DOCKER_IMAGE: $CI_REGISTRY_IMAGE/commit:$CI_COMMIT_SHA

.registry_login: &registry_login
  echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

before_script:
  - *registry_login

after_script:
  - docker logout "$CI_REGISTRY"

hadolint:
  stage: lint
  image: hadolint/hadolint:latest-debian
  only:
    changes:
      - Dockerfile
      - .hadolint.yaml
  services: []
  before_script: []
  script:
    - hadolint Dockerfile
  after_script: []

build:
  stage: build
  only:
    changes:
      - Dockerfile
  before_script:
    - token=$( wget -q -O - "https://gitlab.com/jwt/auth?service=container_registry&scope=repository:${CI_PROJECT_PATH}/commit:pull" | sed -e 's/^{"token":"\(.*\)"}$/\1/g' )
    - >-
        wget -q -O - --header="Authorization: Bearer ${token}" "https://${CI_REGISTRY}/v2/${CI_PROJECT_PATH}/commit/tags/list" |
        sed -e 's/^.*"tags":\[\(.*\)\].*$/\1/g' |
        tr -d \" | tr , '\n' |
        grep -E -q -e "$CI_COMMIT_SHA" &&
        {
        echo "Image for commit $CI_COMMIT_SHA already exists. No need to build it again." ;
        exit 0 ;
        } || true
    - *registry_login
  script:
    - docker build --pull -t "$DOCKER_IMAGE" .
    - docker push "$DOCKER_IMAGE"

container_scanning:
  stage: check
  allow_failure: true
  only:
    changes:
      - Dockerfile
  except:
    refs:
      - tags
  before_script:
    - *registry_login
    - docker pull "$DOCKER_IMAGE"
  script:
    - docker run -d --name db arminc/clair-db:latest
    - docker run -p 6060:6060 --link db:postgres -d --name clair --restart on-failure arminc/clair-local-scan:v2.0.1
    - apk add -q -U wget ca-certificates
    - wget -q -O clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    - chmod +x clair-scanner
    - while( ! wget -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; done
    - ( retries=0 ; while( ! wget -T 10 -q -O /dev/null http://docker:6060/v1/namespaces ) ; do sleep 1 ; if [ $retries -eq 10 ] ; then echo "Timeout when connecting to claire daemon." >&2 ; exit 1 ; fi ; retries=$(($retries+1)) ; done )
    - ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-container-scanning-report.json -l clair.log ${DOCKER_IMAGE} || true
  artifacts:
    reports:
      container_scanning: gl-container-scanning-report.json

.deploy: &deploy
  stage: deploy
  dependencies:
    - build

.registry: &registry
  <<: *deploy
  before_script:
    - *registry_login
    - docker pull "$DOCKER_IMAGE"

registry-latest:
  <<: *registry
  only:
    refs:
      - master
    changes:
      - Dockerfile
  environment:
    name: GitLab Registry
    url: $CI_PROJECT_URL/container_registry
  script:
    - docker tag "$DOCKER_IMAGE" "$CI_REGISTRY_IMAGE:latest"
    - docker push "$CI_REGISTRY_IMAGE:latest"

registry-tag:
  <<: *registry
  only:
    refs:
      - tags
    changes:
      - Dockerfile
  script:
    - docker tag "$DOCKER_IMAGE" "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"

.hub: &hub
  <<: *deploy
  before_script:
    - *registry_login
    - echo "$HUB_PASSWORD" | docker login -u "$GITLAB_USER_LOGIN" --password-stdin
    - docker pull "$DOCKER_IMAGE"
  after_script:
    - docker logout
    - docker logout "$CI_REGISTRY"

hub-latest:
  <<: *hub
  only:
    refs:
      - master
    changes:
      - Dockerfile
  environment:
    name: Docker Hub
    url: https://hub.docker.com/r/$CI_PROJECT_PATH
  script:
    - docker tag "$DOCKER_IMAGE" "$CI_PROJECT_PATH:latest"
    - docker push "$CI_PROJECT_PATH:latest"

hub-tag:
  <<: *hub
  only:
    refs:
      - tags
    changes:
      - Dockerfile
  script:
    - docker tag "$DOCKER_IMAGE" "$CI_PROJECT_PATH:$CI_COMMIT_TAG"
    - docker push "$CI_PROJECT_PATH:$CI_COMMIT_TAG"