.gitlab-ci.yml

default:
  image: xmmedia/php:8.2-cli
  timeout: 15m

stages:
  - static
  - deploy

# Select what we should cache
cache:
  # cache per job & branch
  key: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
  paths:
    - vendor/
    - node_modules/

variables:
  SERVER_PHP_PATH: php82
  APP_ENV: prod
  RELEASES: "$REMOTE_BASE/releases"
  SHARED: "$REMOTE_BASE/shared"
  TRUSTED_PROXIES: ''

before_script:
  # install composer
  - wget --no-verbose -O composer.phar https://getcomposer.org/composer-2.phar
  # install node with nvm
  - export NVM_DIR="$HOME/.nvm" && . "$NVM_DIR/nvm.sh" --no-use
  - nvm install

.versions-script: &versions-script
  - php -v
  - php composer.phar --version
  - node --version
  - yarn --version

.security-checks: &security-checks
  # check for security issues in PHP libs
  - symfony security:check
  - php composer.phar audit
  # check for JS security issues in libs
  - npm run audit:high

.deploy-setup-script: &deploy-setup-script
  - *versions-script
  # setup vars for paths
  - TIMESTAMP=$(date +%s); RELEASE="$RELEASES/$TIMESTAMP"
  - echo "Paths:"; echo $REMOTE_BASE; echo $RELEASE; echo $SHARED
  - echo "Remote:"; echo $REMOTE_USER@$REMOTE_SERVER:$REMOTE_PORT
  # setup SSH & private key
  - eval $(ssh-agent -s)
  - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add - > /dev/null
  - ssh-keyscan -p $REMOTE_PORT $REMOTE_SERVER >> ~/.ssh/known_hosts
  # the following line is optional (likely remove previous line)
  #- echo "$SSH_SERVER_HOSTKEYS" > ~/.ssh/known_hosts
  - chmod 644 ~/.ssh/known_hosts
  # add .revision file
  - git rev-parse --verify --short HEAD > .revision
  # create partial .env file
  - printf "APP_ENV=$APP_ENV\nREQUEST_CONTEXT_HOST=$REQUEST_CONTEXT_HOST\nREQUEST_CONTEXT_SCHEME=$REQUEST_CONTEXT_SCHEME\n" > .env.local && cat .env.local

.deploy-script: &deploy-script
  # remove temp .env file just in case
  - rm .env.local
  # ensure based paths exist
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "mkdir -p $RELEASES $SHARED $SHARED/var $SHARED/var/log/archive $SHARED/public/uploads"
  # sync files to release directory
  - rsync --archive --stats --human-readable --no-perms --exclude ".git/" --exclude ".idea/" --exclude "node_modules/" -e "ssh -p $REMOTE_PORT" . $REMOTE_USER@$REMOTE_SERVER:$RELEASE
  # make console file executable
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "cd $RELEASE; chmod u+x bin/console"
  # ensure platform has all requirements
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "cd $RELEASE; $SERVER_PHP_PATH -v; echo "\n\n"; $SERVER_PHP_PATH composer.phar check-platform-reqs"
  # link shared folders
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "rm -rf $RELEASE/var || true; ln -s $SHARED/var $RELEASE/var; rm -rf $RELEASE/public/uploads || true; ln -s $SHARED/public/uploads $RELEASE/public/uploads; rm -rf $RELEASE/config/jwt || true; ln -s $SHARED/config/jwt $RELEASE/config/jwt"
  # copy env file into place; dump env
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "cp -a $SHARED/.env.local $RELEASE/.env.local && cd $RELEASE && $SERVER_PHP_PATH composer.phar dump-env"
  # run composer post update cmds on server
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "cd $RELEASE && $SERVER_PHP_PATH composer.phar run-script post-update-cmd"
  # switch to new version
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "ln -sfn $RELEASE $REMOTE_BASE/current"
  # reload php-fpm (to reset cache)
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "sudo /bin/systemctl reload php82-php-fpm"
  # stop/restart the doctrine message customers
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "cd $REMOTE_BASE/current; $SERVER_PHP_PATH bin/console messenger:stop-workers"
  # run migrations
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "cd $REMOTE_BASE/current; $SERVER_PHP_PATH bin/console doctrine:migrations:migrate --no-interaction --no-debug --allow-no-migration"
  # remove >2 releases
  - ssh -p $REMOTE_PORT $REMOTE_USER@$REMOTE_SERVER "ls -1d $RELEASES/* | sort -rg | tail -n +3 | xargs /bin/rm -rf"
  # test if website is up
  - if wget --spider --server-response "$REQUEST_CONTEXT_SCHEME://$REQUEST_CONTEXT_HOST" 2>&1 | grep '200\ OK'; then echo "$REQUEST_CONTEXT_SCHEME://$REQUEST_CONTEXT_HOST is up"; else echo "$REQUEST_CONTEXT_SCHEME://$REQUEST_CONTEXT_HOST is down"; exit 1; fi
  # success message
  - echo "Deployment completed successfully. Release at $RELEASE"

static:
  stage: static
  allow_failure: false
  interruptible: true
  variables:
    APP_ENV: test
  script:
    - *versions-script
    - *security-checks
    # install php dependencies
    - php composer.phar install --no-interaction --no-progress --ignore-platform-reqs
    # make sure composer.lock is up to date
    - php composer.phar normalize --dry-run
    # Install node/JS dependencies
    - yarn install --immutable
    # cache warmup for phpstan
    - php bin/console cache:warmup --env=dev
    - php bin/phpstan analyse --no-progress --memory-limit 1G src
    - bin/console lint:yaml config
    - bin/console lint:twig templates
    - bin/console lint:container
    # lint JS
    - yarn lint:js
    - yarn lint:css
    # run PHP unit tests
    - mkdir -p public/build; printf "{}" > public/build/manifest.json
    - bin/simple-phpunit
    # @todo artifacts

deploy to staging:
  stage: deploy
  allow_failure: false
  environment:
    name: staging
    url: $STAGING_URL
  variables:
    APP_ENV: dev
  rules:
    - if:   '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
      when: on_success
    - if:   '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
      when: manual
  script:
    - *deploy-setup-script
    - *security-checks
    # install dependencies
    - php composer.phar install --classmap-authoritative --no-interaction --no-progress --ignore-platform-reqs
    - yarn install --immutable
    - yarn build --mode development
    - *deploy-script

deploy to prod:
  stage: deploy
  allow_failure: false
  only:
    variables:
      - $CI_DEFAULT_BRANCH == $CI_COMMIT_REF_NAME
  environment:
    name: production
    url: $PROD_URL
  when: manual
  script:
    - *deploy-setup-script
    - *security-checks
    # install dependencies (not php dev dependencies)
    - php composer.phar install --no-dev --classmap-authoritative --no-interaction --no-progress --ignore-platform-reqs
    - yarn install --immutable
    - yarn build
    - *deploy-script