stages:
  - test
  - deploy

workflow:
  rules:
    # For merge requests, create a pipeline.
    - if: '$CI_MERGE_REQUEST_IID'
    # For `master` branch, create a pipeline (this includes on schedules, pushes, merges, etc.).
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    # For tags, create a pipeline.
    - if: '$CI_COMMIT_TAG'

.default:
  image: "ruby:${RUBY_VERSION}"
  tags:
    - gitlab-org
  before_script:
    - gem install bundler
    - bundle install -j $(nproc) --path vendor
  cache:
    key:
      files:
        - Gemfile
        - gitlab-dangerfiles.gemspec
    paths:
      - vendor/ruby
      - Gemfile.lock
    policy: pull

test:rspec:
  extends: .default
  stage: test
  script:
    - bundle exec rspec
  parallel:
    matrix:
      - RUBY_VERSION: ['3.0', '3.1', '3.2']

test:rubocop:
  extends: .default
  stage: test
  script:
    - bundle exec rubocop -P -E .
  parallel:
    matrix:
      - RUBY_VERSION: ['3.0', '3.1', '3.2']

test:rufo:
  extends: .default
  stage: test
  script:
    - bundle exec rufo --check .
  parallel:
    matrix:
      - RUBY_VERSION: ['3.0', '3.1', '3.2']

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - project: 'gitlab-org/quality/pipeline-common'
    file:
      - '/ci/danger-review.yml'
      - '/ci/gem-release.yml'

# run security jobs on MRs
# see: https://gitlab.com/gitlab-org/gitlab/-/issues/218444#note_478761991

brakeman-sast:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

gemnasium-dependency_scanning:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'

secret_detection:
  rules:
    - if: '$CI_MERGE_REQUEST_IID'
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'