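---
# GitLab CI pipeline: GitLab's security-scanning templates run in `test`;
# the Docker image is built and pushed to the project registry in
# `build-image`.
stages:
  - test
  - build-image

# Places the template-provided `sast` job in the `test` stage.
sast:
  stage: test

include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/SAST-IaC.latest.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

# Overrides for the job supplied by the Container-Scanning template.
# NOTE(review): only CS_DEFAULT_BRANCH_IMAGE is set here, not CS_IMAGE, and
# the template job presumably runs in `test`, i.e. before `build-image`.
# Confirm which image is actually scanned; it cannot be the one built later
# in the same pipeline.
# NOTE(review): the Grype-based analyzer image is believed to be deprecated
# in newer GitLab releases - confirm it is still supported and still
# receives vulnerability-database updates on this instance.
container_scanning:
  variables:
    # "true" switches off the dependency-list output of the scan.
    CS_DISABLE_DEPENDENCY_LIST: "true"
    CS_DEFAULT_BRANCH_IMAGE: $CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest
    # "false" leaves language-package vulnerability scanning enabled.
    CS_DISABLE_LANGUAGE_VULNERABILITY_SCAN: "false"
    CS_ANALYZER_IMAGE: "registry.gitlab.com/security-products/container-scanning/grype:5"

# Builds and pushes the `latest` image. The single rule below requires all
# of its clauses to hold: branch is `master`, a Dockerfile exists, and one
# of the listed paths changed.
# NOTE(review): `docker:20-git` is a mutable tag; pinning the job image to a
# digest keeps the build toolchain reproducible and tamper-evident.
# NOTE(review): no `services:` entry is declared, so the job presumably
# relies on a Docker daemon exposed by the runner - confirm, and treat a
# host-socket mount as giving this job control of that daemon.
docker-image-build:
  stage: build-image
  image: docker:20-git
  script:
    - docker build -t "$CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest" .
    # Feed the registry password on stdin instead of `-p`, so it never
    # appears in the process argument list (Docker itself warns about `-p`).
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker image push "$CI_REGISTRY_IMAGE/hatkidchan-mastoposter:latest"
  rules:
    - if: $CI_COMMIT_BRANCH == "master"
      exists:
        - Dockerfile
      changes:
        - "*.py"
        - Dockerfile
        - requirements.txt
        - .gitlab-ci.yml

# Builds and pushes the `nightly` image from the `unsafe` branch whenever a
# Dockerfile exists (no `changes:` filter, so every pipeline on that branch
# publishes).
# NOTE(review): this job pushes to the same registry path as `latest`;
# confirm that `unsafe` is a protected branch so that only trusted
# committers can publish the `nightly` tag.
docker-image-nightly-build:
  stage: build-image
  image: docker:20-git
  script:
    - docker build -t "$CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly" .
    # Password via stdin rather than `-p`; see docker-image-build.
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker image push "$CI_REGISTRY_IMAGE/hatkidchan-mastoposter:nightly"
  rules:
    - if: $CI_COMMIT_BRANCH == "unsafe"
      exists:
        - Dockerfile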