---
# GitLab CI pipeline: security scanning and unit tests, Qodana code-quality
# analysis, then an SSH-triggered deployment from master.
#
# The included templates can be customized through variable overrides:
#   SAST:                https://docs.gitlab.com/ee/user/application_security/sast/#customizing-the-sast-settings
#   Secret Detection:    https://docs.gitlab.com/ee/user/application_security/secret_detection/#customizing-settings
#   Dependency Scanning: https://docs.gitlab.com/ee/user/application_security/dependency_scanning/#customizing-the-dependency-scanning-settings
#   Container Scanning:  https://docs.gitlab.com/ee/user/application_security/container_scanning/#customizing-the-container-scanning-settings
# Environment variables can be set in several places; for precedence see
# https://docs.gitlab.com/ee/ci/variables/#cicd-variable-precedence

stages:
  - test
  - code_quality
  - deploy

# Scanner jobs come from GitLab's maintained templates. Only SAST, Dependency
# Scanning and IaC SAST are included here; the Secret Detection and Container
# Scanning links in the header are reference only, as neither template is
# included by this file.
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml

# Sets the stage on the `sast` job key; presumably this overrides the job of
# the same name defined by the included SAST template (confirm against it).
sast:
  stage: test

# Runs pytest inside a fresh virtualenv; restricted to the ref named `test`.
unittest:
  stage: test
  # NOTE(review): no tag is given, so the runner pulls whatever the default
  # tag currently points to. Pin a version (ideally a digest) so that test
  # results are reproducible and the image cannot change silently.
  image: python
  only:
    - test
  cache:
    paths:
      - $CI_PROJECT_DIR/venv/
  before_script:
    - cd $CI_PROJECT_DIR
    - python -m venv venv
    - chmod u+x venv/bin/activate
    - source venv/bin/activate
    # NOTE(review): -U upgrades to the newest versions requirements.txt
    # allows on every run. Unless that file pins exact versions, the
    # dependency set being tested can drift between pipelines; hash-pinned
    # requirements (pip --require-hashes) close that gap.
    - pip install --quiet -U -r requirements.txt
    - cd tests
  script:
    - pytest -v

# Static analysis with JetBrains Qodana. Waits for the three scanner jobs
# named in `needs` (presumably created by the included templates) and
# publishes the results directory as a browsable artifact for one week.
qodana:
  stage: code_quality
  needs:
    - gemnasium-python-dependency_scanning
    - semgrep-sast
    - kics-iac-sast
  image:
    # NOTE(review): the image is untagged while the cache keys below are
    # versioned "2023.3"; pinning the image to the matching release keeps
    # cache and analyzer in step and avoids unreviewed upgrades.
    name: jetbrains/qodana-python-community
    # Empty entrypoint so that the runner can execute the script lines itself.
    entrypoint: [""]
  cache:
    # Most specific key first; the fallbacks reuse a cache from the default
    # branch, then any 2023.3 cache.
    - key: 'qodana-2023.3-$CI_DEFAULT_BRANCH-$CI_COMMIT_REF_SLUG'
      fallback_keys:
        - 'qodana-2023.3-$CI_DEFAULT_BRANCH-'
        - 'qodana-2023.3-'
      paths:
        - .qodana/cache
        - $CI_PROJECT_DIR/venv
  variables:
    # Token is read from the CI/CD variable `qodana_token2`; that variable
    # should be stored masked so it cannot appear in job logs.
    QODANA_TOKEN: "$qodana_token2"
  before_script:
    - cd $CI_PROJECT_DIR/
    - python -m venv venv
    - chmod u+x venv/bin/activate
    - source venv/bin/activate
  script:
    - qodana --save-report --results-dir=$CI_PROJECT_DIR/.qodana/results --cache-dir=$CI_PROJECT_DIR/.qodana/cache
  artifacts:
    expose_as: Qodana report
    expire_in: 1 week
    paths:
      - .qodana/results/

# Deployment: after `qodana` succeeds on master, log in to $BOT_HOST over SSH
# and run `git pull` in the application checkout.
push:
  stage: deploy
  image: alpine
  needs:
    - qodana
  only:
    - master
  before_script:
    - apk add openssh-client > /dev/null
    - eval $(ssh-agent -s)
    # $SSH_PRIVATE_KEY is used as a file path here (chmod/cp), i.e. a
    # file-type CI/CD variable. As this job only runs on master, the key and
    # $BOT_HOST should be protected variables so that pipelines on other
    # branches cannot read them - assumes master is a protected branch.
    - chmod 400 $SSH_PRIVATE_KEY
    - mkdir -p ~/.ssh
    - chmod 700 ~/.ssh
    - cp $SSH_PRIVATE_KEY ~/.ssh/id_rsa
    - ssh-add ~/.ssh/id_rsa
  script:
    # NOTE(review): this job never provisions ~/.ssh/known_hosts, so in a
    # fresh job container the host is always "new" and accept-new trusts
    # whatever key is presented - the server's identity is not verified.
    # Supply the expected host key through a CI/CD variable written to
    # ~/.ssh/known_hosts and switch to StrictHostKeyChecking=yes.
    # Server side, limit this key in authorized_keys to a forced command
    # that runs only the pull, so a leaked key does not grant a shell.
    - ssh $BOT_HOST -oStrictHostKeyChecking=accept-new 'cd /opt/discord/tarkov && git pull'