# Pipeline stages, in execution order. The jobs below also chain themselves
# explicitly with `needs`, so each stage only runs after the previous one passed.
stages:
  # - main_pulling_repo   # disabled; no job uses it
  - main_secrets_in_repo  # trufflehog secret scan of the repository
  - main_linting_code     # ruff
  - main_linting_docker   # hadolint over the service Dockerfiles
  - main_security         # image build + grype vulnerability scan
  - main_build_and_push

variables:
  # Keep debug tracing off: CI_DEBUG_TRACE=true prints every variable,
  # including the registry credential below, into the job log.
  CI_DEBUG_TRACE: "false"
  # Registry password consumed by `docker login` in the jobs below. Despite
  # its name this is a credential, not a registry URL; it comes from the
  # project/group CI/CD variables.
  CAPIF_DOCKER_REGISTRY: $CAPIF_DOCKER_REGISTRY
  # The three entries below re-declare GitLab predefined variables as
  # themselves; that is effectively a no-op and only documents what the jobs
  # depend on.
  CI_REGISTRY: $CI_REGISTRY
  CI_REGISTRY_USER: $CI_REGISTRY_USER
  CI_JOB_TOKEN: $CI_JOB_TOKEN

# Shared job settings, merged into every job in this file via `<<: *main_common`:
# run only in merge-request pipelines whose target branch is `main`, on a
# runner tagged `shell`. NOTE(review): a shell-tagged runner presumably uses the
# shell executor, i.e. jobs run directly on the runner host and share its
# filesystem and Docker daemon, so anything a job leaves behind (binaries in
# `../`, `~/.docker/config.json` credentials) outlives the job.
.main_common: &main_common
  tags:
    - shell
  only:
    - merge_requests
  except:
    variables:
      - $CI_MERGE_REQUEST_TARGET_BRANCH_NAME != "main"

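# Secret scan of the repository history with trufflehog. The job fails (and so
# blocks the MR) when a finding is reported; paths matched by the patterns in
# cicd/exclusions are skipped. `--max_depth=5` only inspects the 5 most recent
# commits, so older history is not re-checked here.
main_secrets_in_repo:
  stage: main_secrets_in_repo
  script:
    - |
      set -euo pipefail
      # Install into the runner user's site instead of `sudo pip install`:
      # no root needed for a linter. The console script lands in the user
      # base's bin/, which may not be on PATH, so resolve it explicitly.
      # NOTE(review): pin this (trufflehog==<version>) — an unpinned install
      # from PyPI is a supply-chain exposure for a tool that reads the whole repo.
      python3 -m pip install --user trufflehog
      TRUFFLEHOG="$(python3 -m site --user-base)/bin/trufflehog"
      # Scan the job's own checkout rather than assuming it lives at ../capif.
      "$TRUFFLEHOG" --exclude_paths "$CI_PROJECT_DIR/cicd/exclusions" --max_depth=5 "$CI_PROJECT_DIR"
  <<: *main_common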

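# Code linting. Tooling is still being decided (SonarQube? ruff?); for now ruff
# runs with the project config and is informational only (`|| true`), so
# findings are printed but never fail the job.
main_linting_code:
  stage: main_linting_code
  script:
    - |
      set -euo pipefail
      echo "###ruff checks###"
      # User-site install: no root needed. `python3 -m ruff` resolves the
      # binary shipped in the wheel, so PATH does not matter.
      # NOTE(review): pin the version (ruff==<version>) for reproducible runs.
      python3 -m pip install --user ruff
      # TODO: drop `|| true` once the codebase is clean so this becomes a gate.
      python3 -m ruff check --config cicd/ruff.toml . || true
  needs: ["main_secrets_in_repo"]
  <<: *main_common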

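# Lint every service Dockerfile with hadolint. Informational only for now
# (`|| true`): findings are printed but do not fail the job.
main_linting_docker:
  stage: main_linting_docker
  script:
    - |
      set -euo pipefail

      HADOLINT_VERSION="v2.8.0"
      # NOTE(review): fill this in from the release page's published checksum.
      # While it is empty the downloaded binary is executed unverified.
      HADOLINT_SHA256=""

      # Keep the binary in a job-private temp dir instead of `../` (the shared
      # builds dir on the runner host) and remove it when the job ends.
      TOOL_DIR="$(mktemp -d)"
      trap 'rm -rf "$TOOL_DIR"' EXIT

      wget "https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-Linux-x86_64" -O "$TOOL_DIR/hadolint"
      if [ -n "$HADOLINT_SHA256" ]; then
        echo "${HADOLINT_SHA256}  ${TOOL_DIR}/hadolint" | sha256sum -c -
      fi
      chmod +x "$TOOL_DIR/hadolint"

      echo "### hadolint version ###"
      "$TOOL_DIR/hadolint" --version

      # Service directories under services/, each with a Dockerfile.
      # ("vault" was listed twice before, which linted it twice.)
      SERVICES=("capif-client" "vault" "nginx" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API"
        "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API" "TS29222_CAPIF_Events_API"
        "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API" "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API")

      for SERVICE in "${SERVICES[@]}"; do
        echo "### $SERVICE ###"
        # TODO: drop `|| true` once the Dockerfiles are clean so this becomes a gate.
        "$TOOL_DIR/hadolint" "services/$SERVICE/Dockerfile" || true
        echo "----------------------------------------------------"
      done

#  artifacts:
#    name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
#    when: always
#    reports:
#      codequality:
#        - docker-lint.json
#  interruptible: true
  needs: ["main_linting_code"]
  <<: *main_common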


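# Container vulnerability scanning: build every service image and scan it with
# grype, keeping one report per image as a job artifact. grype exits 0 whatever
# it finds unless `--fail-on` is given, so this job reports but does not gate.
# The grype vulnerability DB is downloaded at scan time, so the runner needs
# outbound network access.
main_cvs:
  needs: ["main_linting_docker"]
  stage: main_security
  script:
    - |
      set -euo pipefail

      # NOTE(review): set this to a release tag (e.g. "v0.x.y") so both the
      # install script and the binary are pinned; empty means the install
      # script from `main` and whatever it considers latest.
      GRYPE_VERSION=""
      # Job-private tool dir instead of `../` on the shared runner host.
      TOOL_DIR="$(mktemp -d)"
      trap 'rm -rf "$TOOL_DIR"' EXIT
      curl -sSfL "https://raw.githubusercontent.com/anchore/grype/${GRYPE_VERSION:-main}/install.sh" \
        | sh -s -- -b "$TOOL_DIR" ${GRYPE_VERSION:+"$GRYPE_VERSION"}

      echo "### grype version###"
      "$TOOL_DIR/grype" version

      OUT_DIR="$CI_PROJECT_DIR/grype-outputs"
      mkdir -p "$OUT_DIR"

      # Log in once, reading the password from stdin so it never appears on a
      # command line (visible in `ps` and in some shells' traces). The
      # matching logout is in after_script so it also runs on failure.
      printf '%s' "$CAPIF_DOCKER_REGISTRY" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"

      IMAGE_NAMES=("capif-client" "nginx" "register" "TS29222_CAPIF_Access_Control_Policy_API" "TS29222_CAPIF_API_Invoker_Management_API"
        "TS29222_CAPIF_API_Provider_Management_API" "TS29222_CAPIF_Auditing_API" "TS29222_CAPIF_Discover_Service_API"
        "TS29222_CAPIF_Events_API" "TS29222_CAPIF_Logging_API_Invocation_API" "TS29222_CAPIF_Publish_Service_API"
        "TS29222_CAPIF_Routing_Info_API" "TS29222_CAPIF_Security_API" "vault")

      for IMAGE_NAME in "${IMAGE_NAMES[@]}"; do
        # Image names are lowercase in the registry path (bash 4 ${var,,}).
        IMAGE_LOWER="${IMAGE_NAME,,}"
        # NOTE(review): `latest` is a mutable tag shared by every MR pipeline
        # targeting the same ref slug; $CI_COMMIT_SHORT_SHA would be unambiguous.
        IMAGE_REF="$CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/$IMAGE_LOWER:latest"

        echo "### build $IMAGE_NAME image###"
        # Pass the context path directly; no cd/cd-back dance needed.
        docker build -t "$IMAGE_REF" "services/$IMAGE_NAME"

        echo "### Container Vulnerability Scanning $IMAGE_NAME###"
        # TODO: add `--fail-on <severity>` once the baseline has been triaged.
        "$TOOL_DIR/grype" "$IMAGE_REF" --scope all-layers > "$OUT_DIR/grype_${IMAGE_NAME}-latest.txt"

        echo "----------------------------------------------------"
      done
  after_script:
    # Drop the registry credential from ~/.docker/config.json on the runner
    # host even when the script above failed part-way.
    - docker logout "$CI_REGISTRY"
  artifacts:
    untracked: false
    paths:
      - grype-outputs/*.txt
    # `always` so reports produced before a later build/scan failed are kept.
    when: always
    expire_in: "1 week"
  <<: *main_common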

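# Build and push the service images. Everything except the echo lines is still
# commented out, so for now the job only logs its working directory.
# NOTE(review): when the push is enabled, the `docker login` must read the
# password from stdin (as in the commented line below) and the logout belongs
# in `after_script` so it also runs when a build fails; and `latest` pushed
# from every MR pipeline is a mutable tag that successive MRs overwrite.
main_build_and_push:
  # `needs` entries are job names, and the only job in the main_security stage
  # is main_cvs; "main_security" itself would be reported as an undefined need
  # (unless a job of that name is defined in another included file — verify).
  needs: ["main_cvs"]
  stage: main_build_and_push
  script:
   - export TMP_PWD=$PWD
   - echo "TMP_PWD=$TMP_PWD"
   - echo "### build and push capif-client image###"
#   - cd services/capif-client/
#   - printf '%s' "$CAPIF_DOCKER_REGISTRY" | docker login --username "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/capif-client:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/capif-client:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push nginx image###"
#   - cd $TMP_PWD/services/nginx/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/nginx:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push register image###"
#   - cd $TMP_PWD/services/register/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/register:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Access_Control_Policy_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Access_Control_Policy_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-access-control-policy-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_API_Invoker_Management_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_API_Invoker_Management_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-invoker-management-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_API_Provider_Management_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_API_Provider_Management_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-api-provider-management-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Auditing_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Auditing_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-auditing-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Discover_Service_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Discover_Service_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-discover-service-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Events_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Events_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-events-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Logging_API_Invocation_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Logging_API_Invocation_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-logging-api-invocation-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Publish_Service_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Publish_Service_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-publish-service-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Routing_Info_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Routing_Info_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-routing-info-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push TS29222_CAPIF_Security_API image###"
#   - cd $TMP_PWD/services/TS29222_CAPIF_Security_API/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/ocf-security-api:latest
#   - echo "----------------------------------------------------"
#   - echo "### build and push vault image###"
#   - cd $TMP_PWD/services/vault/
#   - docker build -t $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:latest .
#   - docker push $CI_REGISTRY/ocf/capif/$CI_COMMIT_REF_SLUG/vault:latest
#   - echo "----------------------------------------------------"
#  after_script:
#   - docker logout $CI_REGISTRY
  <<: *main_common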