conduit/.gitlab-ci.yml

stages:
  - ci
  - artifacts
  - publish

variables:
  # Makes some things print in color
  TERM: ansi

# Avoid duplicate pipelines
# See: https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines
workflow:
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS
      when: never
    - if: $CI

before_script:
  # Enable nix-command and flakes
  - if command -v nix > /dev/null; then echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi

  # Add conduwuit binary cache
  - if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduwuit" >> /etc/nix/nix.conf; fi
  - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduwuit:lYPVh7o1hLu1idH4Xt2QHaRa49WRGSAqzcfFd94aOTw=" >> /etc/nix/nix.conf; fi

  - if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduit" >> /etc/nix/nix.conf; fi
  - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:Isq8FGyEC6FOXH6nD+BOeAA+bKp6X6UIbupSlGEPuOg=" >> /etc/nix/nix.conf; fi

  # Add upstream Conduit binary cache
  - if command -v nix > /dev/null; then echo "extra-substituters = https://nix.computer.surgery/conduit" >> /etc/nix/nix.conf; fi
  - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = conduit:ZGAf6P6LhNvnoJJ3Me3PRg7tlLSrPxcQ2RiE5LIppjo=" >> /etc/nix/nix.conf; fi

  # Add alternate binary cache
  - if command -v nix > /dev/null && [ -n "$ATTIC_ENDPOINT" ]; then echo "extra-substituters = $ATTIC_ENDPOINT" >> /etc/nix/nix.conf; fi
  - if command -v nix > /dev/null && [ -n "$ATTIC_PUBLIC_KEY" ]; then echo "extra-trusted-public-keys = $ATTIC_PUBLIC_KEY" >> /etc/nix/nix.conf; fi

  # Add crane binary cache
  - if command -v nix > /dev/null; then echo "extra-substituters = https://crane.cachix.org" >> /etc/nix/nix.conf; fi
  - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = crane.cachix.org-1:8Scfpmn9w+hGdXH/Q9tTLiYAE/2dnJYRJP7kl80GuRk=" >> /etc/nix/nix.conf; fi

  # Add nix-community binary cache
  - if command -v nix > /dev/null; then echo "extra-substituters = https://nix-community.cachix.org" >> /etc/nix/nix.conf; fi
  - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> /etc/nix/nix.conf; fi

  # Install direnv and nix-direnv
  - if command -v nix > /dev/null; then nix-env -iA nixpkgs.direnv nixpkgs.nix-direnv; fi

  # Allow .envrc
  - if command -v nix > /dev/null; then direnv allow; fi

  # Set CARGO_HOME to a cacheable path
  - export CARGO_HOME="$(git rev-parse --show-toplevel)/.gitlab-ci.d/cargo"

ci:
  stage: ci
  image: nixos/nix:2.21.2
  script:
    # Cache the inputs required for the devShell
    - ./bin/nix-build-and-cache .#devShells.x86_64-linux.default.inputDerivation

    - direnv exec . engage
  cache:
    key: nix
    paths:
      - target
      - .gitlab-ci.d
  rules:
    # CI on upstream runners (only available for maintainers)
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $IS_UPSTREAM_CI == "true"
    # Manual CI on unprotected branches that are not MRs
    - if: $CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_REF_PROTECTED == "false"
      when: manual
    # Manual CI on forks
    - if: $IS_UPSTREAM_CI != "true"
      when: manual
    - if: $CI
  interruptible: true

artifacts:
  stage: artifacts
  image: nixos/nix:2.21.2
  script:
    - ./bin/nix-build-and-cache .#static-x86_64-unknown-linux-musl
    - cp result/bin/conduit x86_64-unknown-linux-musl

    - mkdir -p target/release
    - cp result/bin/conduit target/release
    - direnv exec . cargo deb --no-build
    - mv target/debian/*.deb x86_64-unknown-linux-musl.deb

    # Since the OCI image package is based on the binary package, this has the
    # fun side effect of uploading the normal binary too. Conduit users who are
    # deploying with Nix can leverage this fact by adding our binary cache to
    # their systems.
    #
    # Note that although we have an `oci-image-x86_64-unknown-linux-musl`
    # output, we don't build it because it would be largely redundant to this
    # one since it's all containerized anyway.
    - ./bin/nix-build-and-cache .#oci-image
    - cp result oci-image-amd64.tar.gz

    - ./bin/nix-build-and-cache .#static-aarch64-unknown-linux-musl
    - cp result/bin/conduit aarch64-unknown-linux-musl

    - ./bin/nix-build-and-cache .#oci-image-aarch64-unknown-linux-musl
    - cp result oci-image-arm64v8.tar.gz

    - ./bin/nix-build-and-cache .#book
    # We can't just copy the symlink, we need to dereference it https://gitlab.com/gitlab-org/gitlab/-/issues/19746
    - cp -r --dereference result public
  artifacts:
    paths:
      - x86_64-unknown-linux-musl
      - aarch64-unknown-linux-musl
      - x86_64-unknown-linux-musl.deb
      - oci-image-amd64.tar.gz
      - oci-image-arm64v8.tar.gz
      - public
  rules:
    # CI required for all MRs
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    # Optional CI on forks
    - if: $IS_UPSTREAM_CI != "true"
      when: manual
      allow_failure: true
    - if: $CI
  interruptible: true

.push-oci-image:
  stage: publish
  image: docker:26.0.2
  services:
    - docker:26.0.2-dind
  variables:
    IMAGE_SUFFIX_AMD64: amd64
    IMAGE_SUFFIX_ARM64V8: arm64v8
  script:
    - docker load -i oci-image-amd64.tar.gz
    - IMAGE_ID_AMD64=$(docker images -q conduit:main)
    - docker load -i oci-image-arm64v8.tar.gz
    - IMAGE_ID_ARM64V8=$(docker images -q conduit:main)
    # Tag and push the architecture specific images
    - docker tag $IMAGE_ID_AMD64 $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64
    - docker tag $IMAGE_ID_ARM64V8 $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
    - docker push $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64
    - docker push $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
    # Tag the multi-arch image
    - docker manifest create $IMAGE_NAME:$CI_COMMIT_SHA --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
    - docker manifest push $IMAGE_NAME:$CI_COMMIT_SHA
    # Tag and push the git ref
    - docker manifest create $IMAGE_NAME:$CI_COMMIT_REF_NAME --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
    - docker manifest push $IMAGE_NAME:$CI_COMMIT_REF_NAME
    # Tag git tags as 'latest'
    - |
      if [[ -n "$CI_COMMIT_TAG" ]]; then
        docker manifest create $IMAGE_NAME:latest --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_AMD64 --amend $IMAGE_NAME:$CI_COMMIT_SHA-$IMAGE_SUFFIX_ARM64V8
        docker manifest push $IMAGE_NAME:latest
      fi
  dependencies:
    - artifacts
  only:
    - main
    - tags

oci-image:push-gitlab:
  extends: .push-oci-image
  variables:
    IMAGE_NAME: $CI_REGISTRY_IMAGE/conduwuit
  before_script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

pages:
  stage: publish
  dependencies:
    - artifacts
  only:
    - next
  script:
    - "true"
  artifacts:
    paths:
      - public