.gitlab-ci.yml
---
# Shared job templates pulled in from sibling projects.
# NOTE(review): both includes follow the moving `main` branch, so any change
# merged there runs in this pipeline without a change to this file. The
# hidden jobs extended below (.docker-registry, .trivy; presumably defined in
# these templates) are handed the Docker Hub credentials. Pinning `ref` to a
# tag or a full commit SHA would make template updates an explicit,
# reviewable step.
include:
  - project: rahome/gitlab-ci-templates
    ref: main
    file:
      - /templates/Checkov.gitlab-ci.yml
      - /templates/Docker.gitlab-ci.yml
      - /templates/Yaml.gitlab-ci.yml
  - project: rahome/trivy-cache
    ref: main
    file:
      - /Trivy.gitlab-ci.yml
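# Fetches and unpacks the Android command-line tools once per pipeline and
# publishes the `cmdline-tools` directory as an artifact. build:docker lists
# this job in `needs`, so the unpacked tools are handed to the image build.
# Skipped on scheduled pipelines; runs only for the default branch.
pre-sdk-artifacts:
  stage: .pre
  # NOTE(review): pinned by tag only; a digest pin
  # (alpine:3.17.3@sha256:<digest>) would make the base image immutable.
  # The 3.17 branch also looks to be past its upstream support window;
  # confirm and bump.
  image: alpine:3.17.3
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  needs: []
  variables:
    ANDROID_CMDLINE_TOOLS_ZIP: commandlinetools-linux-8092744_latest.zip
  before_script:
    - apk -qU --no-cache add curl unzip ca-certificates
  # --fail stops an HTTP error page from being saved under the archive name,
  # --show-error keeps the reason visible despite --silent, and
  # --proto/--proto-redir keep the transfer on HTTPS even across redirects.
  # NOTE(review): the archive is still not integrity-checked. Pin its SHA-256
  # in a CI variable and verify it (`sha256sum -c`) before `unzip`, since the
  # unpacked tools flow into the image build.
  script: |
    curl --fail --silent --show-error --location \
      --proto '=https' --proto-redir '=https' \
      --remote-name "https://dl.google.com/android/repository/${ANDROID_CMDLINE_TOOLS_ZIP}"
    unzip -qq "${ANDROID_CMDLINE_TOOLS_ZIP}"
  artifacts:
    paths:
      - cmdline-tools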
# Builds one image per matrix entry via the shared .docker-registry template
# and targets the Docker Hub repository named in DOCKER_REGISTRY_IMAGE.
# Skipped on scheduled pipelines; runs only for the default branch.
build:docker:
  stage: build
  extends:
    - .docker-registry
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  # Waits for pre-sdk-artifacts and receives its `cmdline-tools` artifact.
  needs:
    - job: pre-sdk-artifacts
  # Registry credentials come from project/group CI/CD variables.
  # NOTE(review): the variable settings are not visible here. Since this job
  # only runs on the default branch, they can be marked masked and protected
  # so other branches never receive them; confirm in the CI/CD settings.
  variables:
    DOCKER_REGISTRY: "${DOCKER_HUB_REGISTRY}"
    DOCKER_REGISTRY_USER: "${DOCKER_HUB_REGISTRY_USER}"
    DOCKER_REGISTRY_PASSWORD: "${DOCKER_HUB_REGISTRY_PASSWORD}"
    DOCKER_REGISTRY_IMAGE: index.docker.io/raatiniemi/android-environment
  parallel:
    matrix:
      # jdk-8 without DOCKER_TAG_PREFIX; presumably the unprefixed default
      # tags, depending on how the template builds tag names.
      - JDK_VERSION: 'jdk-8'
        DOCKER_FILE: "${JDK_VERSION}/Dockerfile"
      # Plain JDK images, tag prefix "<jdk>-".
      - JDK_VERSION: ['jdk-17', 'jdk-11', 'jdk-8']
        DOCKER_TAG_PREFIX: "${JDK_VERSION}-"
        DOCKER_FILE: "${JDK_VERSION}/Dockerfile"
      # JDK + Android API images, tag prefix "<jdk>-android-<api>-".
      - JDK_VERSION: ['jdk-17', 'jdk-11', 'jdk-8']
        ANDROID_API_VERSION: [31, 32, 33, 34, 35]
        DOCKER_TAG_PREFIX: "${JDK_VERSION}-android-${ANDROID_API_VERSION}-"
        DOCKER_FILE: "${JDK_VERSION}/${ANDROID_API_VERSION}/Dockerfile"
# Runs the shared .checkov-junit template once per Dockerfile variant (plain
# JDK and JDK + Android API). Skipped on scheduled pipelines; runs for every
# branch pipeline.
test:checkov:
  stage: test
  extends:
    - .checkov-junit
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - if: '$CI_COMMIT_BRANCH'
  # No dependencies: starts immediately and downloads no artifacts.
  needs: []
  # Presumably the template passes this to checkov; `-f` selects one file.
  variables:
    CHECKOV_COMMAND: "-f ${DOCKER_FILE}"
  parallel:
    matrix:
      - JDK_VERSION: ['jdk-17', 'jdk-11', 'jdk-8']
        DOCKER_FILE: "${JDK_VERSION}/Dockerfile"
      - JDK_VERSION: ['jdk-17', 'jdk-11', 'jdk-8']
        ANDROID_API_VERSION: [31, 32, 33, 34, 35]
        DOCKER_FILE: "${JDK_VERSION}/${ANDROID_API_VERSION}/Dockerfile"
# Dockerfile lint via the shared .docker-lint template. Skipped on scheduled
# pipelines; runs for every branch pipeline.
test:docker:
  stage: test
  extends:
    - .docker-lint
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - if: '$CI_COMMIT_BRANCH'
  # No dependencies: starts immediately and downloads no artifacts.
  needs: []
# Trivy scan of the Docker Hub images via the shared .trivy template. Runs on
# every scheduled pipeline and on default-branch pipelines.
test:trivy:
  stage: test
  extends:
    - .trivy
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: always
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
  # Ordered after build:docker when that job exists (it is absent on
  # schedules, hence `optional`); no artifacts are fetched, so the scan
  # presumably pulls the images from the registry.
  needs:
    - job: build:docker
      optional: true
      artifacts: false
  # NOTE(review): with allow_failure the scan is advisory. A failing scan job
  # does not fail the pipeline, and on default-branch pipelines it runs after
  # the build stage, so it does not gate what build:docker produced. Findings
  # need to be picked up from the job output or report.
  allow_failure: true
  # CI_REGISTRY_IMAGE is a predefined GitLab variable overridden here so that
  # it points at Docker Hub; presumably the template reads the image name
  # from it. Credentials come from CI/CD variables.
  variables:
    TRIVY_AUTH_URL: "${DOCKER_HUB_REGISTRY}"
    TRIVY_USERNAME: "${DOCKER_HUB_REGISTRY_USER}"
    TRIVY_PASSWORD: "${DOCKER_HUB_REGISTRY_PASSWORD}"
    CI_REGISTRY_IMAGE: index.docker.io/raatiniemi/android-environment
  # Mirrors the tag prefixes of the build:docker matrix; keep the two in sync
  # so every published variant is scanned.
  parallel:
    matrix:
      - JDK_VERSION: 'jdk-8'
      - JDK_VERSION: ['jdk-17', 'jdk-11', 'jdk-8']
        DOCKER_TAG_PREFIX: "${JDK_VERSION}-"
      - JDK_VERSION: ['jdk-17', 'jdk-11', 'jdk-8']
        ANDROID_API_VERSION: [31, 32, 33, 34, 35]
        DOCKER_TAG_PREFIX: "${JDK_VERSION}-android-${ANDROID_API_VERSION}-"
# YAML lint via the shared .yaml-lint template. Skipped on scheduled
# pipelines; runs for every branch pipeline.
test:yaml:
  stage: test
  extends:
    - .yaml-lint
  rules:
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
      when: never
    - if: '$CI_COMMIT_BRANCH'
  # No dependencies: starts immediately and downloads no artifacts.
  needs: []