version: 2

defaults: &defaults
  working_directory: ~/wealthsimple
  docker:
    - image: circleci/ruby:2.5.7

references:
  attach_code_workspace: &attach_code_workspace
    attach_workspace:
      at: ~/wealthsimple

  restore_bundle_dependencies: &restore_bundle_dependencies
    run:
      name: Restore bundle dependencies from workspace
      command: bundle --path vendor/bundle

jobs:
  checkout_and_bundle:
    <<: *defaults
    steps:
      - checkout
      - run: bundle install --jobs=4 --retry=3 --path vendor/bundle
      - persist_to_workspace:
          root: .
          paths: .

  rspec:
    <<: *defaults
    steps:
      - *attach_code_workspace
      - *restore_bundle_dependencies
      - run: bundle exec rspec

  lint_check:
    <<: *defaults
    steps:
      - *attach_code_workspace
      - *restore_bundle_dependencies
      - run: bundle exec rubocop --config=default.yml
      - run:
          name: Check default.yml for warnings
          command: "! bundle exec rubocop --config=default.yml 2>&1 | grep 'Warning:'"

  vulnerability_check:
    <<: *defaults
    steps:
      - *attach_code_workspace
      - *restore_bundle_dependencies
      - run: bundle exec bundle-audit update && bundle exec bundle-audit check

  release:
    <<: *defaults
    steps:
      - add_ssh_keys:
          fingerprints:
            - "46:b5:cb:ee:57:dc:14:95:31:be:12:13:4f:11:94:a4"
      - *attach_code_workspace
      - *restore_bundle_dependencies
      - run:
          name: Release to rubygems.org
          command: |
            echo "github.com,192.30.253.112 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==" >> ~/.ssh/known_hosts
            mkdir ~/.gem
            echo ":rubygems_api_key: ${RUBYGEMS_API_KEY}" >> ~/.gem/credentials
            chmod 600 ~/.gem/credentials
            bundle exec rake release

workflows:
  version: 2
  build:
    jobs:
      - checkout_and_bundle:
          context: wealthsimple
      - rspec:
          requires:
            - checkout_and_bundle
      - lint_check:
          requires:
            - checkout_and_bundle
      - vulnerability_check:
          requires:
            - checkout_and_bundle
      - release:
          context: wealthsimple
          filters:
            branches:
              only: master
          requires:
          - rspec
          - lint_check
          - vulnerability_check

  security-audit:
    triggers:
      - schedule:
          # 11:05 am UTC: 6:05 am EST / 7:05 am EDT
          cron: "5 11 * * *"
          filters:
            branches:
              only: master
    jobs:
      - checkout_and_bundle:
          context: wealthsimple
      - vulnerability_check:
          requires:
            - checkout_and_bundle