.gitlab-ci.yml

stages:
  - build-base-image
  - test
  - pack
  - docker
  - stress-test

workflow:
  # See https://docs.gitlab.com/ee/ci/jobs/job_control.html#avoid-duplicate-pipelines
  rules:
    # To avoid duplicate pipelines we disable merge request events,
    # leaving only pushes and manual triggering.
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: never
    - if: $CI_PIPELINE_SOURCE == "push"
    - if: $CI_PIPELINE_SOURCE == "web"

variables:
  REGISTRY: docker-public.binary.picodata.io
  BASE_IMAGE: ${REGISTRY}/picodata-build-base
  BASE_IMAGE_LATEST: latest
  MAIN_BRANCH: &main-branch master
  CARGO_HOME: /data/shared-storage/picodata/.cargo
  CACHE_PATHS: target .venv picodata-webui/node_modules
  CACHE_ARCHIVE: /data/shared-storage/picodata/cache-v2.tar
  # Helps to tolerate spurious network failures
  GET_SOURCES_ATTEMPTS: 3
  NO_CACHE:
    description: "Do not use cache during build phase"

# job:rules explained:
#
# - if build-base changes on master branch (compared to HEAD~1)
#     * build-base-image (with tag latest) and push
#     * test (on base-image:latest)
# - if build-base changes on development branch (compared to master)
#     * build-base-image (with tag sha)
#     * test (on base-image:sha)
# - else (if build-base doesn't change)
#     * skip build-base-image
#     * just test (on base-image:latest)
#
# Anchor syntax explained here:
# https://docs.gitlab.com/ee/ci/yaml/yaml_optimization.html
#
.rules:
  - &if-build-base-changes-on-master-branch
    if: $CI_COMMIT_BRANCH == $MAIN_BRANCH
    changes:
      # implies compare_to HEAD~1
      paths: &build-base-changes-paths
        - docker-build-base/**
        - .gitlab-ci.yml

  - &if-build-base-changes-on-dev-branch
    if: $CI_COMMIT_BRANCH != $MAIN_BRANCH
    changes:
      compare_to: *main-branch
      paths: *build-base-changes-paths

  - &else {}

build-base-image:
  stage: build-base-image
  tags:
    - picodata-shell
  rules:
    - <<: *if-build-base-changes-on-master-branch
      variables:
        BASE_IMAGE_TAG: ${BASE_IMAGE_LATEST}
    - <<: *if-build-base-changes-on-dev-branch
      variables:
        BASE_IMAGE_TAG: ${CI_COMMIT_SHA}
    - <<: *else
      when: never
  variables:
    GIT_DEPTH: 1
    GIT_STRATEGY: fetch
    GIT_SUBMODULE_STRATEGY: none
  script:
    - docker pull ${BASE_IMAGE}:${BASE_IMAGE_LATEST} || true
    - >
      docker build
      --cache-from ${BASE_IMAGE}:${BASE_IMAGE_LATEST}
      --label GIT_COMMIT=${CI_COMMIT_SHA}
      -t ${BASE_IMAGE}:${BASE_IMAGE_TAG}
      -f ./docker-build-base/Dockerfile
      ./docker-build-base
    - |
      # Push image to registry
      if [ "${CI_COMMIT_BRANCH}" == "${MAIN_BRANCH}" ]; then
        echo "Pushing ${BASE_IMAGE}:${BASE_IMAGE_TAG}"
        mkdir -p $CI_PROJECT_DIR/.docker
        echo $DOCKER_AUTH_RW > $CI_PROJECT_DIR/.docker/config.json
        docker --config $CI_PROJECT_DIR/.docker/ push ${BASE_IMAGE}:${BASE_IMAGE_TAG}
      else
        echo "Skip pushing image on a non-master branch"
      fi

.test:
  stage: test
  variables:
    GIT_DEPTH: 100
    GIT_SUBMODULE_STRATEGY: recursive
    RUST_BACKTRACE: full
  before_script:
    # Gitlab CI implicitly clones specific refs (e.g. `refs/pipelines/xxxxxxx`),
    # but it doesn't imply fetching tags. We clone them manually with the
    # `git fetch` command.
    #
    # Tags in `tarantool-sys` and `luajit` submodules are necessary for
    # the build scripts. Without them the job fails.
    - &fetch-tags |
      # Fetch tags
      ci-log-section start "fetch-submodule-tags" Fetching tags for submodules
      for s in . tarantool-sys tarantool-sys/third_party/luajit; do
        echo "Fetching tag for $s"
        pushd $s
        until git describe; do git fetch --deepen 100; done
        popd
      done
      ci-log-section end "fetch-submodule-tags"

    # Gitlab CI caching is shit. So we implement it manually
    - |
      # Restore cache
      git fetch origin master:refs/remotes/origin/master
      git branch -a
      if [[ -n "$NO_CACHE" ]]; then
        echo "Skipping restoring from cache because NO_CACHE is set"
      elif [ "$CI_COMMIT_BRANCH" == "$MAIN_BRANCH" ]; then
        echo "Skip restoring cache on the master branch"
      elif git diff origin/"$MAIN_BRANCH" "$CI_COMMIT_SHA" --submodule=short | grep '^[+-]Subproject commit'; then
        echo "Skip restoring cache because submodule(s) changed"
      elif [ -f "${CACHE_ARCHIVE}" ]; then
        ci-log-section start "restore-cache" Restoring cache from ${CACHE_ARCHIVE} ...
        tar -xf ${CACHE_ARCHIVE}
        echo "Ok"
        du -sh ${CACHE_PATHS} || true
        ci-log-section end "restore-cache"
      else
        echo "No cache found"
      fi
  after_script:
    - |
      # Save cache
      if [ "$CI_COMMIT_BRANCH" == "$MAIN_BRANCH" ]; then
        ci-log-section start "save-cache" Saving cache to ${CACHE_ARCHIVE} ...
        du -sh ${CACHE_PATHS} || true
        TMPEXT=$RANDOM
        tar -cf "${CACHE_ARCHIVE}.${TMPEXT}" ${CACHE_PATHS}
        mv -f "${CACHE_ARCHIVE}.${TMPEXT}" "${CACHE_ARCHIVE}"
        echo Ok
        du -sh ${CACHE_ARCHIVE}
        ci-log-section end "save-cache"
      else
        echo "Skip saving cache on a non-master branch"
      fi

test-linux:
  extends: .test
  tags:
    - picodata-docker
  rules:
    - <<: *if-build-base-changes-on-master-branch
      variables:
        BASE_IMAGE_TAG: ${BASE_IMAGE_LATEST}
    - <<: *if-build-base-changes-on-dev-branch
      variables:
        BASE_IMAGE_TAG: ${CI_COMMIT_SHA}
    - <<: *else
      variables:
        BASE_IMAGE_TAG: ${BASE_IMAGE_LATEST}
  image:
    name: ${BASE_IMAGE}:${BASE_IMAGE_TAG}
    pull_policy: if-not-present

  script:
    - |
      # Check rust version consistency
      ci-log-section start "rust-version" Checking rust version consistency ...
      exec 3>&1 # duplicate stdout fd
      grep_rust_version() { echo "$1: $(sed -nr "s/.*rust-version = \"(\S+)\".*/\1/p" $1)"; }
      grep_toolchain() { echo "$1: $(sed -nr "s/.*--default-toolchain (\S+).*/\1/p" $1)"; }
      UNIQUE_VERSIONS=$(
        {
          grep_rust_version Cargo.toml;
          grep_toolchain Makefile;
          grep_toolchain docker-build-base/Dockerfile;
          grep_toolchain helm/picodata.Dockerfile;
        } \
        | tee /dev/fd/3 \
        | cut -d: -f2- | sort | uniq | wc -l
      );
      ci-log-section end "rust-version"
      if [ "$UNIQUE_VERSIONS" != "1" ]; then
        echo "Error: checking rust version consistency failed"
        exit 1
      fi

    - cargo -V

    - |
      # Pipenv install
      ci-log-section start "pipenv-install" Installing pip dependencies ...
      PIPENV_VENV_IN_PROJECT=1 PIP_NO_CACHE_DIR=true python3.10 -m pipenv install --deploy
      ci-log-section end "pipenv-install"

    # There are no Rust tests for `webui` feature, it's checked in pytest
    - cargo build --locked
    - cargo build -p gostech-audit-log
    - cargo build -p gostech-metrics
    - cargo build -p testplug
    - cargo test --locked

    - cargo build --features webui,error_injection --locked

    # -vv shows extended diff for failures
    - >
      pipenv run pytest -vv
      --color=yes
      --numprocesses auto
      --junitxml=junit_pytest.xml
      --with-webui

    - make lint

    # Now do the same thing as above but for release mode.
    # TODO: cleanup the copypasta
    - cargo build --locked --release
    - cargo build -p testplug --release
    - cp ./target/release/libtestplug.so ./test/testplug/.
    - cargo test --locked --release

    - cargo build --features webui,error_injection --locked --release

    # -vv shows extended diff for failures
    - >
      BUILD_PROFILE=release pipenv run pytest -vv
      --color=yes
      --numprocesses auto
      --junitxml=junit_pytest.xml
      --with-webui

  artifacts:
    when: always
    paths:
      - junit_pytest.xml
    reports:
      junit: junit_pytest.xml

test-mac-m1:
  extends: .test
  tags:
    - mac-dev-m1
  script:
    - export CARGO_HOME=$HOME/.cargo
    - cargo -V
    - cargo build --locked
    - cargo build --features webui --locked
    # There are no Rust tests for `webui` feature.
    # It will be checked during integration tests.
    - cargo test --locked

    - cargo fmt -- -v --check
    - cargo clippy --version
    - cargo clippy --features "load_test webui error_injection" -- --deny clippy::all --no-deps
    # - |
    #   # Pipenv install
    #   ci-log-section start "pipenv-install" Installing pip dependencies ...
    #   PIPENV_VENV_IN_PROJECT=1 PIP_NO_CACHE_DIR=true python3.10 -m pipenv install --deploy
    #   ci-log-section end "pipenv-install"
    # - pipenv run pytest --numprocesses auto -v
    # - pipenv run lint
    # - |

test-helm-docker-image:
  stage: test
  tags:
    - shell
  rules:
    - if: $CI_COMMIT_BRANCH != $MAIN_BRANCH
      changes:
        compare_to: *main-branch
        paths:
          - helm/picodata.Dockerfile
          - helm/picodata-diag.Dockerfile
    - if: $CI_COMMIT_BRANCH == $MAIN_BRANCH
      when: on_success
    - when: manual
      allow_failure: true
  variables:
    GIT_DEPTH: 100
    GIT_STRATEGY: fetch
    GIT_SUBMODULE_STRATEGY: recursive
  before_script:
    - export PATH=docker-build-base:$PATH
    - *fetch-tags
  script:
    - |
      # Build docker images
      for image in picodata picodata-diag; do
        ci-log-section start "test-docker-${image}" Building docker image ${image}
        docker build \
          --label GIT_COMMIT=${CI_COMMIT_SHA} \
          -f helm/${image}.Dockerfile .
        ci-log-section end "test-docker-${image}"
      done

gamayun-prepare:
  extends: .test
  when: manual
  rules:
    - <<: *if-build-base-changes-on-master-branch
      variables:
        BASE_IMAGE_TAG: ${BASE_IMAGE_LATEST}
    - <<: *if-build-base-changes-on-dev-branch
      variables:
        BASE_IMAGE_TAG: ${CI_COMMIT_SHA}
    - <<: *else
      variables:
        BASE_IMAGE_TAG: ${BASE_IMAGE_LATEST}
  image:
    name: ${BASE_IMAGE}:${BASE_IMAGE_TAG}
    pull_policy: if-not-present
  tags:
    - picodata-docker
  script:
    - export CARGO_HOME=$HOME/.cargo
    - cargo -V
    - cargo clippy --locked --message-format=json > clippy.json
    - |
      # Save cache
      CACHE_ARCHIVE="${CACHE_ARCHIVE}_clippy"
      ci-log-section start "save-cache" Saving cache to ${CACHE_ARCHIVE} ...
      du -sh ${CACHE_PATHS} || true
      TMPEXT=$RANDOM
      tar -cf "${CACHE_ARCHIVE}.${TMPEXT}" clippy.json
      mv -f "${CACHE_ARCHIVE}.${TMPEXT}" "${CACHE_ARCHIVE}"
      echo Ok
      du -sh ${CACHE_ARCHIVE}
      ci-log-section end "save-cache"

gamayun-run:
  extends: .test
  needs: ["gamayun-prepare"]
  tags:
    - picodata-shell
  script:
    - CACHE_ARCHIVE="${CACHE_ARCHIVE}_clippy"
    - ls -la ${CACHE_ARCHIVE} || true
    - |
      # Restore cache
      if [ -f "${CACHE_ARCHIVE}" ]; then
        ci-log-section start "restore-cache" Restoring cache from ${CACHE_ARCHIVE} ...
        tar -xf ${CACHE_ARCHIVE}
        echo "Ok"
        ci-log-section end "restore-cache"
      else
        echo "No cache found"
      fi
    # create an ssh tunnel to gamayun server to allow the report uploading
    - TUNNEL="ssh -4 -L 9000:localhost:9000 sonar-reports -N -f"
    - eval $TUNNEL
    - ls -la
    - |
      # svace patches is more iportant than gamayun and order of applying is important
      # first - svace, second - gamayun
      ./tools/prepare_source_tree_for_stat_analysis.py svace
      ./tools/prepare_source_tree_for_stat_analysis.py gamayun
    - |
      # TODO consider moving this to the script as well, this may delete some html
      # license files which is probably not intended
      find . -type d -name 'test*' -o -name 'doc' -o -name 'docs' | xargs -n1 rm -rvf
      find tarantool-sys/third_party/ -type f -name '*.htm*' | xargs -n 1 rm -rfv
      find tarantool-sys/vendor/ -type f -name '*.htm*' | xargs -n 1 rm -rfv
      find . -type d -name stress-test | xargs -n 1 rm -rvf
      find . -type d -name integration-tests | xargs -n 1 rm -rvf
      find . -type d -name 'example*' | xargs -n 1 rm -rvf
      find . -type d -name 'docsrc' | xargs -n 1 rm -rvf
      find . -name '*.md' | xargs -n 1 rm -rvf
      find http tarantool-sys vshard -type d -name .github | xargs -n 1 rm -rfv
    - |
      docker run --rm -t \
        -v $PWD:/tmp/src:rw \
        -e "SONAR_OPS=-Dsonar.python.version=3 -Dsonar.login=${SONAR} -Dsonar.projectKey=Picodata-CI -Dsonar.exclusions=**/*.mod,osv-sonar.json" \
        -e "SONAR_SCANNER_OPTS="-Xmx4096m"" \
        -e "CARGO_CLIPPY_FILE=clippy.json" \
        -u $(id -u):$(id -g) --ulimit nofile=100000:100000 --network=host \
        docker.binary.picodata.io/gamayun

build-vm-image:
  stage: test
  when: manual
  inherit:
    variables: false
  variables:
    BRANCH: $CI_COMMIT_BRANCH
  trigger:
    project: picodata/picodata/picodata-fstek-vmbuilder
    branch: main
    strategy: depend

pack-on-tag:
  stage: pack
  rules:
    - if: $CI_PIPELINE_SOURCE == "web"
    - if: $CI_COMMIT_TAG
  variables:
    PROJECT_TARGET: "picodata"
    TYPE: "RELEASE"
    BRANCH_TARGET: $CI_COMMIT_TAG
  inherit:
    variables:
      - TYPE
      - PROJECT_TARGET
      - BRANCH_TARGET
  trigger:
    project: "picodata/devops/builder"
    strategy: depend

deploy-docker:
  stage: docker
  tags:
    - shell
  only:
    - web
    - tags
  variables:
    GIT_DEPTH: 100
    GIT_STRATEGY: fetch
    GIT_SUBMODULE_STRATEGY: recursive
  before_script:
    - export PATH=docker-build-base:$PATH
    - *fetch-tags
    - mkdir -p $CI_PROJECT_DIR/.docker
    - echo $DOCKER_AUTH_RW > $CI_PROJECT_DIR/.docker/config.json
  script:
    - |
      # Rebuild and push docker images
      for image in picodata picodata-diag; do
        ci-log-section start "deploy-docker-${image}" Building and pushing docker image ${image}
        docker build \
          --label GIT_COMMIT=${CI_COMMIT_SHA} \
          -t ${REGISTRY}/${image}:${BASE_IMAGE_LATEST} \
          -f helm/${image}.Dockerfile .
        docker --config $CI_PROJECT_DIR/.docker push ${REGISTRY}/${image}:${BASE_IMAGE_LATEST}
        ci-log-section end "deploy-docker-${image}"
      done

# Stages of independent stress testing in downstream pipeline

# We cannot move artefacts to the downstream pipeline, so we need to build and upload them to our repo
upload-picodata-to-binary:
  stage: stress-test
  tags:
    - picodata-docker
  image:
    name: ${BASE_IMAGE}:${BASE_IMAGE_LATEST}
  variables:
    VER: $CI_COMMIT_SHORT_SHA
    GIT_DEPTH: 100
    GIT_SUBMODULE_STRATEGY: recursive
  before_script:
    # To conduct stress tests, we require the most recent picodata tag. However,
    # creating a shallow copy with $GIT_DEPTH commits might not include this tag.
    # Fetching all commits takes too much time, so we incrementally download more
    # chunks of commits until we find the required tag.
    - until git describe; do git fetch --deepen 100; done
    - *fetch-tags
  script:
    - cargo build --locked --release --features webui
    - mv target/release/picodata target/release/picodata-$VER
    - curl -v --upload-file target/release/picodata-$VER $RAW_NT_REGISTRY

downstream-stress-test:
# See https://docs.gitlab.com/ee/ci/pipelines/downstream_pipelines.html
  stage: stress-test
  trigger:
    project: picodata/devops/proxmox/sbroad-nt
    branch: main
    strategy: depend
  variables:
    VER: $CI_COMMIT_SHORT_SHA
  needs:
    - job: upload-picodata-to-binary