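---
# GitLab CI pipeline for the gitlab-exporter gem: GitLab security scanning
# templates, RSpec/RuboCop test jobs, and a tag-triggered publish to RubyGems.

include:
  # Each template is resolved by the GitLab instance that runs the pipeline;
  # the URLs point at the template sources.
  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/DAST.gitlab-ci.yml
  - template: Security/DAST.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Container-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml
  - template: Security/License-Scanning.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/gitlab/ci/templates/Security/SAST.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  # https://gitlab.com/gitlab-org/gitlab-foss/-/blob/master/lib/gitlab/ci/templates/Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # Quoted so the version stays a string; the matrix jobs below override it.
  RUBY_VERSION: "3.2"

stages:
  - test
  - dast
  - publish

default:
  image: ruby:${RUBY_VERSION}
  # This cache is inherited by every job that does not override it, including
  # publish_to_rubygems, which handles the RubyGems API key.
  # NOTE(review): confirm that protected tag pipelines do not restore a cache
  # written by merge-request pipelines, or disable the cache for that job.
  cache:
    paths:
      - vendor
  tags:
    - gitlab-org

# Hidden key that only carries the anchor; jobs reuse it as their before_script.
.before_scripts: &before_scripts
  - git config --global user.email "bot@gitlab.com"
  - git config --global user.name "Bot User"
  - bundle config set --local deployment true
  - bundle install -j $(nproc)

workflow:
  rules: &workflow_rules
    # For merge requests, create a pipeline.
    - if: '$CI_MERGE_REQUEST_IID'
    # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    # For tags, create a pipeline.
    - if: '$CI_COMMIT_TAG'

rspec:
  script:
    - bundle exec rspec spec -f d -c
  before_script: *before_scripts
  parallel:
    matrix:
      - RUBY_VERSION: ["3.0", "3.1", "3.2"]

rspec_integration:
  script:
    - bundle exec rspec spec -t integration -f d -c
  before_script: *before_scripts
  services:
    # `latest` is a mutable tag, so the integration tests can run against a
    # different Redis from one pipeline to the next; pinning a version or
    # digest makes the runs reproducible.
    - redis:latest
  variables:
    REDIS_URL: "redis://redis"
  parallel:
    matrix:
      - RUBY_VERSION: ["3.0", "3.1", "3.2"]

rubocop:
  script:
    - bundle exec rubocop
  before_script: *before_scripts

# The three scanner jobs below come from the included templates; only their
# `rules` are set here, reusing the workflow rules, so each one runs in every
# pipeline the workflow creates (merge requests, default branch, tags).
license_scanning:
  rules: *workflow_rules

gemnasium-dependency_scanning:
  rules: *workflow_rules

secret_detection:
  rules: *workflow_rules

publish_to_rubygems:
  stage: publish
  script:
    - mkdir -p ~/.gem
    # Write the credentials file inside a subshell with a restrictive umask so
    # it is created owner-only from the start, instead of existing with the
    # default mode until the chmod below runs.
    # RubyGems can also read the key from the GEM_HOST_API_KEY environment
    # variable, which would avoid the on-disk file altogether.
    - '(umask 077 && echo ":rubygems_api_key: ${RUBYGEMS_API_KEY}" > ~/.gem/credentials)'
    - chmod 0600 ~/.gem/credentials
    - gem build gitlab-exporter.gemspec --output=gitlab-exporter.gem
    - gem push gitlab-exporter.gem
  before_script: *before_scripts
  rules:
    # Only push to RubyGems.org when we tag a new version
    # NOTE(review): this matches any tag. RUBYGEMS_API_KEY is presumably a
    # masked, protected CI/CD variable and release tags are presumably
    # protected, so that only maintainers can trigger a publish; neither is
    # visible in this file, so confirm in the project settings.
    - if: '$CI_COMMIT_TAG'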