.gitlab-ci.yml

default:
  image: '${DOCKER_CICD_REPO}/ci-container:debian-buster'

stages:
  - sast-oss-scan
  - build
  - sign-binaries
  - package
  - cve-scan
  - sign-packages
  - release
  - sign-metadata
  - github-release

include:
  - project: 'prodsec/scp-scanning/gitlab-checkmarx'
    ref: latest
    file: '/templates/.sast_scan.yml'
  - project: 'ci-cd/templates'
    ref: master
    file: '/prodsec/.oss-scan.yml'
  - project: 'core-ee/signing/api-integration'
    file: '/templates/.sign-client.yml'

semgrep:
  stage: sast-oss-scan
  extends: .sast_scan
  retry: 2
  variables:
    SAST_SCANNER: "Semgrep"
    SEMGREP_EXCLUDE: "examples,internal/buildscripts,tests,*_test.go,cmd/otelcol/Dockerfile.windows,deployments/ansible/molecule"
    alert_mode: "policy"
  after_script:
    - echo "Check results at $CI_PIPELINE_URL/security"
  only:
    - main
    - schedules

fossa:
  extends: .oss-scan
  stage: sast-oss-scan
  only:
    - main
    - schedules
  # allow_failure: false

.get-artifactory-stage: &get-artifactory-stage
  - |
    set -ex
    export STAGE="test"
    if [[ "${CI_COMMIT_TAG:-}" =~ beta ]]; then
      export STAGE="beta"
    elif [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      export STAGE="release"
    fi

.trigger-filter:
  only:
    variables:
      - $CI_COMMIT_BRANCH == "main"
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules

.deploy-release:
  image: '${DOCKER_CICD_REPO}/ci-container:python-3.9'
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key:
      files:
        - internal/buildscripts/packaging/release/requirements.txt
    paths:
      - .cache/pip
  retry: 2
  before_script:
    - *get-artifactory-stage
  script:
    - pip3 install -r internal/buildscripts/packaging/release/requirements.txt
    - |
      for path in ${PATHS:-}; do
        if [ ! -f "$path" ]; then
          echo "$path not found!"
          exit 1
        fi
        python3 internal/buildscripts/packaging/release/release.py --force --stage=${STAGE} --path=$path ${OPTIONS:-}
      done

.go-cache:
  image: '${DOCKER_HUB_REPO}/golang:1.19.0'
  variables:
    GOPATH: "$CI_PROJECT_DIR/.go"
  before_script:
    - mkdir -p $GOPATH
    - make install-tools
    - export PATH=$GOPATH/bin:$PATH
  cache:
    key:
      files:
        - go.mod
        - go.sum
    paths:
      - .go/pkg/mod
      - .go/bin

.docker-reader-role: &docker-reader-role |
  creds-helper init
  eval $(creds-helper docker --eval "artifactory:v2/cloud/role/docker-reader-role")

compile:
  extends:
    - .trigger-filter
    - .go-cache
  stage: build
  parallel:
    matrix:
      - TARGET: [binaries-darwin_amd64, binaries-linux_amd64, binaries-linux_arm64, binaries-windows_amd64, binaries-linux_ppc64le]
  script: make $TARGET
  after_script:
    - if [ -e bin/otelcol ]; then rm -f bin/otelcol; fi  # remove the symlink
    - if [ -e bin/translatesfx ]; then rm -f bin/translatesfx; fi  # remove the symlink
    - if [ -e bin/migratecheckpoint ]; then rm -f bin/migratecheckpoint; fi  # remove the symlink
  artifacts:
    paths:
      - bin/otelcol_*
      - bin/translatesfx_*
      - bin/migratecheckpoint_*

libsplunk:
  extends: .trigger-filter
  stage: build
  retry: 2
  parallel:
    matrix:
      - ARCH: ["amd64", "arm64"]
  script:
    - make -C instrumentation dist ARCH=${ARCH}
  artifacts:
    paths:
      - instrumentation/dist/libsplunk_*.so

.instrumentation-deb-rpm:
  extends: .trigger-filter
  stage: package
  needs:
    - libsplunk
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  before_script:
    - ./instrumentation/packaging/fpm/install-deps.sh
  script:
    - ./instrumentation/packaging/fpm/${PKG_TYPE}/build.sh "${CI_COMMIT_TAG:-}" "$ARCH" "./dist"

instrumentation-deb:
  extends: .instrumentation-deb-rpm
  variables:
    PKG_TYPE: deb
  artifacts:
    paths:
      - dist/*.deb

instrumentation-rpm:
  extends: .instrumentation-deb-rpm
  variables:
    PKG_TYPE: rpm
  artifacts:
    paths:
      - dist/*.rpm

sign-exe:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-binaries
  needs:
    - compile
  parallel:
    matrix:
      - TARGET: [otelcol, translatesfx]
  variables:
    ARTIFACT: bin/${TARGET}_windows_amd64.exe
    SIGN_TYPE: WIN
    DOWNLOAD_DIR: dist/signed
  artifacts:
    paths:
      - dist/signed/${TARGET}_windows_amd64.exe

sign-osx:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-binaries
  needs:
    - compile
  variables:
    ARTIFACT: bin/packages.tar.gz
    SIGN_TYPE: OSX
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - mkdir -p dist
    - pushd bin && tar -czvf packages.tar.gz otelcol_darwin_amd64 translatesfx_darwin_amd64 && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/otelcol_darwin_amd64
      - dist/signed/translatesfx_darwin_amd64

build-linux-image:
  extends: .trigger-filter
  stage: package
  needs:
    - compile
  parallel:
    matrix:
      - ARCH: [amd64, arm64, ppc64le]
  retry: 2
  script:
    - *docker-reader-role
    - make docker-otelcol ARCH=${ARCH} DOCKER_REPO=${DOCKER_HUB_REPO} SKIP_COMPILE=true
    - arch=$( docker inspect --format='{{.Architecture}}' otelcol:${ARCH} )
    - if [[ "$arch" != "$ARCH" ]]; then exit 1; fi
  after_script:
    - mkdir -p dist
    - docker save -o dist/otelcol-${ARCH}.tar otelcol:${ARCH}
  artifacts:
    paths:
      - dist/otelcol-*.tar

.build-tar-deb-rpm:
  stage: package
  needs:
    - compile
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  before_script:
    - ./internal/buildscripts/packaging/fpm/install-deps.sh
  script:
    - ./internal/buildscripts/packaging/fpm/${PKG_TYPE}/build.sh "${CI_COMMIT_TAG:-}" "$ARCH" "./dist"

build-deb:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: deb
  artifacts:
    paths:
      - dist/*.deb

build-rpm:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: rpm
  artifacts:
    paths:
      - dist/*.rpm

build-tar:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: tar
  artifacts:
    paths:
      - dist/*.tar.gz

build-msi:
  extends: .trigger-filter
  stage: package
  needs:
    - sign-exe
  before_script:
    # build the MSI with the signed exe
    - mkdir -p bin
    - cp -f dist/signed/otelcol_windows_amd64.exe bin/otelcol_windows_amd64.exe
    - cp -f dist/signed/translatesfx_windows_amd64.exe bin/translatesfx_windows_amd64.exe
  script:
    - make msi SKIP_COMPILE=true VERSION=${CI_COMMIT_TAG:-}
  artifacts:
    paths:
      - dist/*.msi

sign-debs:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-packages
  needs:
    - build-deb
    - instrumentation-deb
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: DEB
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.deb && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.deb

sign-rpms:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-packages
  needs:
    - build-rpm
    - instrumentation-rpm
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: RPM
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.rpm && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.rpm

sign-tar:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-packages
  needs:
    - build-tar
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: GPG
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.tar.gz && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - mv dist/splunk-otel-collector*.tar.gz dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.tar.gz
      - dist/signed/*.tar.gz.asc

sign-msi:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-packages
  needs:
    - build-msi
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: WIN
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.msi && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.msi

verify-signed-packages:
  extends: .trigger-filter
  stage: sign-packages
  needs:
    - build-deb
    - build-rpm
    - build-msi
    - build-tar
    - instrumentation-deb
    - instrumentation-rpm
    - sign-debs
    - sign-rpms
    - sign-msi
    - sign-tar
  script:
    - |
      set -ex
      for pkg in dist/*.rpm dist/*.deb dist/*.msi dist/*.tar.gz; do
        if [[ ! -f dist/signed/$(basename $pkg) ]]; then
          echo "$pkg was not signed!" >&2
          exit 1
        fi
        if [[ "${pkg##*.}" = "gz" && ! -f dist/signed/$(basename $pkg).asc ]]; then
          echo "$pkg was not signed!" >&2
          exit 1
        fi
      done

push-linux-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - build-linux-image
  retry: 2
  before_script:
    - docker load -i dist/otelcol-amd64.tar
    - docker load -i dist/otelcol-arm64.tar
    - docker load -i dist/otelcol-ppc64le.tar
  script:
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - |
      # Set env vars
      set -e
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector"
        MANIFEST_TAG=${CI_COMMIT_TAG#v}
      else
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector-dev"
        MANIFEST_TAG=$CI_COMMIT_SHA
      fi
    - |
      # Tag and push images
      set -e
      for arch in "amd64" "arm64" "ppc64le"; do
        ARCH_TAG="${MANIFEST_TAG}-${arch}"
        echo "Tagging and pushing ${IMAGE_NAME}:${ARCH_TAG}"
        docker tag otelcol:${arch} ${IMAGE_NAME}:${ARCH_TAG}
        docker push ${IMAGE_NAME}:${ARCH_TAG}
        if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
          # only push latest tag for main and stable releases
          LATEST_TAG="latest-${arch}"
          echo "Tagging and pushing ${IMAGE_NAME}:${LATEST_TAG}"
          docker tag ${IMAGE_NAME}:${ARCH_TAG} ${IMAGE_NAME}:${LATEST_TAG}
          docker push ${IMAGE_NAME}:${LATEST_TAG}
        fi
      done
    - |
      # Create and push image manifests
      set -e
      echo "Creating and pushing ${IMAGE_NAME}:${MANIFEST_TAG} manifest"
      docker manifest create ${IMAGE_NAME}:${MANIFEST_TAG} --amend ${IMAGE_NAME}:${MANIFEST_TAG}-amd64 --amend ${IMAGE_NAME}:${MANIFEST_TAG}-arm64 --amend ${IMAGE_NAME}:${MANIFEST_TAG}-ppc64le
      docker manifest push ${IMAGE_NAME}:${MANIFEST_TAG}
      if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        # only push latest manifest tag for main and stable releases
        echo "Creating and pushing ${IMAGE_NAME}:latest manifest"
        docker manifest create ${IMAGE_NAME}:latest --amend ${IMAGE_NAME}:latest-amd64 --amend ${IMAGE_NAME}:latest-arm64 --amend ${IMAGE_NAME}:latest-ppc64le
        docker manifest push ${IMAGE_NAME}:latest
      fi
    - docker pull ${IMAGE_NAME}:${MANIFEST_TAG}
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${MANIFEST_TAG}-amd64 | tee dist/linux_amd64_digest.txt
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${MANIFEST_TAG}-arm64 | tee dist/linux_arm64_digest.txt
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${MANIFEST_TAG}-ppc64le | tee dist/linux_ppc64le_digest.txt
    - docker manifest inspect ${IMAGE_NAME}:${MANIFEST_TAG} | tee dist/manifest_digest.txt
  artifacts:
    paths:
      - dist/linux_amd64_digest.txt
      - dist/linux_arm64_digest.txt
      - dist/linux_ppc64le_digest.txt
      - dist/manifest_digest.txt

build-push-windows-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-exe
  tags:
    - windows
  retry: 2
  before_script:
    - Copy-Item .\dist\signed\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
    - Copy-Item .\dist\signed\translatesfx_windows_amd64.exe .\cmd\otelcol\translatesfx.exe
  script:
    - docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
    - |
      $ErrorActionPreference = 'Stop'
      if ($env:CI_COMMIT_TAG) {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows"
        $IMAGE_TAG = $env:CI_COMMIT_TAG.TrimStart("v")
      } else {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows-dev"
        $IMAGE_TAG = $env:CI_COMMIT_SHA
      }
      $SMART_AGENT_RELEASE = $((Get-Content internal\buildscripts\packaging\smart-agent-release.txt).TrimStart("v"))
      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=mcr.microsoft.com/windows/servercore:1809 --build-arg SMART_AGENT_RELEASE=${SMART_AGENT_RELEASE} -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
      docker push ${IMAGE_NAME}:${IMAGE_TAG}
      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        # only push latest tag for main and stable releases
        echo "Tagging and pushing ${IMAGE_NAME}:latest"
        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest
        docker push ${IMAGE_NAME}:latest
      }
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${IMAGE_TAG} | Tee-Object -FilePath dist/windows_digest.txt
  after_script:
    - docker image prune --all --force
  artifacts:
    paths:
      - dist/windows_digest.txt

build-push-windows2022-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-exe
  tags:
    - windows2022
  retry: 2
  before_script:
    - Copy-Item .\dist\signed\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
    - Copy-Item .\dist\signed\translatesfx_windows_amd64.exe .\cmd\otelcol\translatesfx.exe
  script:
    - docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
    - |
      $ErrorActionPreference = 'Stop'
      if ($env:CI_COMMIT_TAG) {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows"
        $tagNumber = $env:CI_COMMIT_TAG.TrimStart("v")
        $IMAGE_TAG = "${tagNumber}-2022"
      } else {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows-dev"
        $IMAGE_TAG = "${env:CI_COMMIT_SHA}-2022"
      }
      $SMART_AGENT_RELEASE = $((Get-Content internal\buildscripts\packaging\smart-agent-release.txt).TrimStart("v"))
      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=mcr.microsoft.com/windows/servercore:ltsc2022 --build-arg SMART_AGENT_RELEASE=${SMART_AGENT_RELEASE} -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
      docker push ${IMAGE_NAME}:${IMAGE_TAG}
      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        # only push latest tag for main and stable releases
        echo "Tagging and pushing ${IMAGE_NAME}:latest-2022"
        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest-2022
        docker push ${IMAGE_NAME}:latest-2022
      }
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${IMAGE_TAG} | Tee-Object -FilePath dist/windows_2022_digest.txt
  after_script:
    - docker image prune --all --force
  artifacts:
    paths:
      - dist/windows_2022_digest.txt

release-debs:
  extends:
    - .trigger-filter
    - .deploy-release
  stage: release
  resource_group: artifactory-deb
  dependencies:
    - sign-debs
  variables:
    PATHS: dist/signed/*.deb
  artifacts:
    paths:
      - dist/signed/*.deb
      - Release

release-rpms:
  extends:
    - .trigger-filter
    - .deploy-release
  stage: release
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  resource_group: artifactory-rpm
  dependencies:
    - sign-rpms
  variables:
    PATHS: dist/signed/*${ARCH}.rpm
  after_script:
    - mkdir ${ARCH}
    - mv repomd.xml ${ARCH}/repomd.xml
  artifacts:
    paths:
      - dist/signed/*${ARCH}.rpm
      - ${ARCH}/repomd.xml

choco-release:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-msi
  tags:
    - windows
  script:
    - |
      $ErrorActionPreference = 'Stop'
      Set-PSDebug -Trace 1
      $msi_file_name = Resolve-Path .\dist\signed\splunk-otel-collector*.msi | Split-Path -leaf
      if ($msi_file_name -match '(\d+\.\d+\.\d+)(\.\d+)?') {
        $version = $matches[0]
      } else {
        throw "Failed to get version from $msi_file_name"
      }
      .\internal\buildscripts\packaging\choco\make.ps1 build_choco -Version $version -BuildDir .\dist\signed
    - Test-Path .\dist\signed\splunk-otel-collector.${version}.nupkg
    - |
      # Only push the choco package for stable release tags
      if ($env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        choco push -k $env:CHOCO_TOKEN .\dist\signed\splunk-otel-collector.${version}.nupkg
      }
  artifacts:
    paths:
      - dist/signed/*.nupkg

sign-apt-metadata:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-metadata
  resource_group: artifactory-deb
  needs:
    - release-debs
  variables:
    ARTIFACT: Release
    SIGN_TYPE: GPG
  after_script:
    - mv Release signed/Release
  artifacts:
    paths:
      - signed/Release
      - signed/Release.asc

sign-yum-metadata:
  extends:
    - .trigger-filter
    - .submit-request
  stage: sign-metadata
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  resource_group: artifactory-rpm
  needs:
    - release-rpms
  variables:
    ARTIFACT: ${ARCH}/repomd.xml
    SIGN_TYPE: GPG
    DOWNLOAD_DIR: signed/${ARCH}
  after_script:
    - mv ${ARCH}/repomd.xml signed/${ARCH}/repomd.xml
  artifacts:
    paths:
      - signed/${ARCH}/repomd.xml
      - signed/${ARCH}/repomd.xml.asc

upload-apt-signature:
  extends: .trigger-filter
  stage: sign-metadata
  resource_group: artifactory-deb
  needs:
    - sign-apt-metadata
  before_script:
    - *get-artifactory-stage
  script:
    - curl -u ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_TOKEN} -X PUT "https://splunk.jfrog.io/artifactory/otel-collector-deb/dists/${STAGE}/Release.gpg" -T signed/Release.asc

upload-yum-signature:
  extends: .trigger-filter
  stage: sign-metadata
  resource_group: artifactory-rpm
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  needs:
    - sign-yum-metadata
  before_script:
    - *get-artifactory-stage
  script:
    - curl -u ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_TOKEN} -X PUT "https://splunk.jfrog.io/artifactory/otel-collector-rpm/${STAGE}/${ARCH}/repodata/repomd.xml.asc" -T signed/${ARCH}/repomd.xml.asc

github-release:
  extends:
    - .trigger-filter
    - .go-cache
  stage: github-release
  dependencies:
    - compile
    - libsplunk
    - sign-exe
    - sign-osx
    - release-debs
    - release-rpms
    - sign-msi
    - sign-tar
    - push-linux-image
    - build-push-windows-image
    - build-push-windows2022-image
    - choco-release
  script:
    - mkdir -p dist/assets
    - cp bin/otelcol_linux_* dist/assets/
    - cp bin/translatesfx_linux_* dist/assets/
    - cp instrumentation/dist/libsplunk_*.so dist/assets/
    - cp dist/signed/* dist/assets/
    - pushd dist/assets && shasum -a 256 * > checksums.txt && popd
    - |
      # only create github release for stable release tags
      set -e
      if [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        release_notes="$( ./internal/buildscripts/packaging/release/gh-release-notes.sh "$CI_COMMIT_TAG" )"
        ghr -t "$GITHUB_TOKEN" -u signalfx -r splunk-otel-collector -n "$CI_COMMIT_TAG" -b "$release_notes" --replace "$CI_COMMIT_TAG" dist/assets/
      fi
  artifacts:
    when: always
    paths:
      - dist/assets

.ansible:
  image: 'cimg/python:3.9'
  only:
    - /^ansible-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - branches
    - schedules
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key: "ansible-pip-cache"
    paths:
      - .cache/pip

ansible-build:
  extends: .ansible
  stage: build
  artifacts:
    paths:
      - dist/
  before_script:
    - pip3 install ansible==3.4.0
  script:
    - ansible-galaxy collection build ./deployments/ansible --output-path ./dist

ansible-release:
  extends: .ansible
  stage: release
  before_script:
    - pip3 install ansible==3.4.0 yq==2.12.0
  script:
    - export COLLECTION_VERSION=$(cat ./deployments/ansible/galaxy.yml | yq .version -r)
    - ansible-galaxy collection publish ./dist/signalfx-splunk_otel_collector-${COLLECTION_VERSION}.tar.gz --token=${ANSIBLE_GALAXY_TOKEN} 

puppet-release:
  image: '${DOCKER_HUB_REPO}/ruby:2.6-buster'
  stage: release
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^puppet-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  before_script:
    - gem install bundler
    - cd deployments/puppet
    - bundle install
    - bundle exec rake module:clean
  script:
    - bundle exec rake module:push
  artifacts:
    paths:
      - deployments/puppet/pkg/*.tar.gz

cve-scan:
  extends: .go-cache
  stage: cve-scan
  retry: 2
  only:
    - main
    - schedules
  before_script:
    - apt-get update
    - apt-get install -y ca-certificates curl gnupg lsb-release
    - curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
    - apt-get update
    - apt-get install -y docker-ce-cli docker-scan-plugin
  script:
    - *docker-reader-role
    - |
      if [ -f dist/otelcol-amd64.tar ]; then
        docker load -i dist/otelcol-amd64.tar
        docker tag otelcol:amd64 otelcol:latest
      else
        make docker-otelcol DOCKER_REPO=${DOCKER_HUB_REPO}
      fi
    - docker scan --accept-license --login --token ${SNYK_AUTH_TOKEN}
    - docker scan --severity high otelcol
  after_script:
    - |
      if [ "$CI_JOB_STATUS" != "success" ]; then
        curl -X POST ${SLACK_WEBHOOK_URL} -H 'Content-Type: application/json' \
          --data "{\"blocks\": [{\"type\": \"section\",\"text\": {\"type\": \"mrkdwn\",\"text\": \"*@here Gitlab Job #${CI_JOB_ID}*\"}},{\"type\": \"section\",\"text\": {\"type\": \"mrkdwn\",\"text\": \"*:ghost: Vulnerability scan failed on splunk-otel-collector*\"},\"accessory\": {\"type\": \"button\",\"text\": {\"type\": \"plain_text\",\"text\": \"More Info\",\"emoji\": true},\"style\": \"danger\",\"url\": \"${CI_JOB_URL}\",\"action_id\": \"button-action\"}}]}"
      fi

chef-release:
  image: '${DOCKER_HUB_REPO}/ruby:2.7-buster'
  stage: release
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^chef-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  before_script:
    - mkdir -p ~/.chef
    - cat "$CHEF_PEM" > ~/.chef/signalfx.pem
    - cat "$CHEF_KNIFE_RB" > ~/.chef/knife.rb
    - gem install knife
    - mkdir -p /tmp/cookbooks
    - cp -r deployments/chef /tmp/cookbooks/splunk_otel_collector
  script:
    - knife supermarket share -o /tmp/cookbooks splunk_otel_collector