.gitlab-ci.yml

default:
  image: '${DOCKER_CICD_REPO}/ci-container/debian-buster:1.8.0'

stages:
  - update-deps
  - sast-oss-scan
  - build
  - sign-binaries
  - package
  - cve-scan
  - sign-packages
  - release
  - sign-metadata
  - github-release

include:
  - project: 'prodsec/scp-scanning/gitlab-checkmarx'
    ref: latest
    file: '/templates/.sast_scan.yml'
  - project: 'ci-cd/templates'
    ref: master
    file: '/prodsec/.oss-scan.yml'
  - project: 'core-ee/signing/api-integration'
    ref: develop
    file: '/templates/.sign-client.yml'

semgrep:
  stage: sast-oss-scan
  extends: .sast_scan
  retry: 2
  variables:
    SAST_SCANNER: "Semgrep"
    SEMGREP_EXCLUDE: "examples,internal/buildscripts,tests,*_test.go,cmd/otelcol/Dockerfile.windows,deployments/ansible/molecule"
    alert_mode: "policy"
  after_script:
    - echo "Check results at $CI_PIPELINE_URL/security"
  only:
    - main
    - schedules
  needs: []
  dependencies: []

fossa:
  extends: .oss-scan
  stage: sast-oss-scan
  only:
    - main
    - schedules
  needs: []
  dependencies: []
  variables:
    jira_automation: "true"
  # allow_failure: false

.get-artifactory-stage: &get-artifactory-stage
  - |
    set -ex
    export STAGE="test"
    if [[ "${CI_COMMIT_TAG:-}" =~ beta ]]; then
      export STAGE="beta"
    elif [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      export STAGE="release"
    fi

.aws-releaser-role: &aws-releaser-role |
  creds-helper init
  eval $(creds-helper aws --eval "aws:v1/o11y-infra/role/o11y_gdi_otel_releaser_role")

.trigger-filter:
  only:
    variables:
      - $CI_COMMIT_BRANCH == "main"
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules

.deploy-release:
  image: '${DOCKER_CICD_REPO}/ci-container/python-3.9:1.8.0'
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key:
      files:
        - internal/buildscripts/packaging/release/requirements.txt
    paths:
      - .cache/pip
  retry: 2
  script:
    - *get-artifactory-stage
    - *aws-releaser-role
    - pip3 install -r internal/buildscripts/packaging/release/requirements.txt
    - |
      if [ -n "${PATHS:-}" ]; then
        for path in $PATHS; do
          if [ ! -f "$path" ]; then
            echo "$path not found!"
            exit 1
          fi
          python3 internal/buildscripts/packaging/release/release.py --force --stage=${STAGE} --path=$path ${OPTIONS:-}
        done
      elif [ -n "${INSTALLERS:-}" ]; then
        python3 internal/buildscripts/packaging/release/release.py --force --installers ${OPTIONS:-}
      else
        echo "Either the PATHS or INSTALLERS env var must be defined!" >&2
        exit 1
      fi

.go-cache:
  image: '${DOCKER_HUB_REPO}/golang:1.20.10'
  variables:
    GOPATH: "$CI_PROJECT_DIR/.go"
  before_script:
    - mkdir -p $GOPATH
    - make install-tools
    - export PATH=$GOPATH/bin:$PATH
  cache:
    key:
      files:
        - go.mod
        - go.sum
    paths:
      - .go/pkg/mod
      - .go/bin

.docker-reader-role: &docker-reader-role |
  creds-helper init
  eval $(creds-helper docker --eval "artifactory:v2/cloud/role/docker-reader-role")

update-otel-deps:
  only:
    - schedules
  extends: .go-cache
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-otel-deps.sh

update-openjdk:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-openjdk.sh

update-javaagent:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-javaagent.sh

update-nodejs-agent:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-nodejs-agent.sh

tidy-dependabot-pr:
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^dependabot\/go_modules\/.*/ && $CI_COMMIT_AUTHOR =~ /^dependabot.*/
  extends: .go-cache
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/tidy-dependabot-pr.sh

compile:
  extends:
    - .trigger-filter
    - .go-cache
  stage: build
  parallel:
    matrix:
      - TARGET: [binaries-darwin_amd64, binaries-darwin_arm64, binaries-linux_amd64, binaries-linux_arm64, binaries-windows_amd64, binaries-linux_ppc64le]
  script: make $TARGET
  after_script:
    - if [ -e bin/otelcol ]; then rm -f bin/otelcol; fi  # remove the symlink
    - if [ -e bin/translatesfx ]; then rm -f bin/translatesfx; fi  # remove the symlink
    - if [ -e bin/migratecheckpoint ]; then rm -f bin/migratecheckpoint; fi  # remove the symlink
  artifacts:
    paths:
      - bin/otelcol_*
      - bin/translatesfx_*
      - bin/migratecheckpoint_*

libsplunk:
  extends: .trigger-filter
  stage: build
  retry: 2
  parallel:
    matrix:
      - ARCH: ["amd64", "arm64"]
  script:
    - *docker-reader-role
    - make -C instrumentation dist ARCH=${ARCH} DOCKER_REPO=${DOCKER_HUB_REPO}
  artifacts:
    paths:
      - instrumentation/dist/libsplunk_*.so

agent-bundle-linux:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
    - if: $CI_PIPELINE_SOURCE == "schedule"
  stage: build
  resource_group: agent-bundle-linux-${ARCH}
  parallel:
    matrix:
      - ARCH: amd64
        TAG: main
      - ARCH: arm64
        TAG: arm
  tags:
    - $TAG
  script:
    - *docker-reader-role
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - PUSH_CACHE=yes make -C internal/signalfx-agent/bundle agent-bundle-linux ARCH=${ARCH} DOCKER_REPO=${DOCKER_HUB_REPO}
  artifacts:
    paths:
      - dist/agent-bundle_linux_${ARCH}.tar.gz

agent-bundle-windows:
  extends: .trigger-filter
  stage: build
  tags:
    - windows
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key:
      files:
        - internal/signalfx-agent/bundle/collectd-plugins.yaml
        - internal/signalfx-agent/bundle/scripts/requirements.txt
    paths:
      - .cache/pip
  script:
    - ./internal/signalfx-agent/bundle/scripts/windows/make.ps1 bundle
  artifacts:
    paths:
      - dist/agent-bundle_windows_amd64.zip

.instrumentation-deb-rpm:
  extends: .trigger-filter
  stage: package
  needs:
    - libsplunk
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  before_script:
    - ./instrumentation/packaging/fpm/install-deps.sh
  script:
    - ./instrumentation/packaging/fpm/${PKG_TYPE}/build.sh "${CI_COMMIT_TAG:-}" "$ARCH" "./dist"

instrumentation-deb:
  extends: .instrumentation-deb-rpm
  variables:
    PKG_TYPE: deb
  artifacts:
    paths:
      - dist/*.deb

instrumentation-rpm:
  extends: .instrumentation-deb-rpm
  variables:
    PKG_TYPE: rpm
  artifacts:
    paths:
      - dist/*.rpm

sign-exe:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-binaries
  retry: 2
  needs:
    - compile
  parallel:
    matrix:
      - TARGET: [otelcol, translatesfx]
  variables:
    ARTIFACT: bin/${TARGET}_windows_amd64.exe
    SIGN_TYPE: WIN
    DOWNLOAD_DIR: dist/signed
  artifacts:
    paths:
      - dist/signed/${TARGET}_windows_amd64.exe

sign-osx:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-binaries
  retry: 2
  needs:
    - compile
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  variables:
    ARTIFACT: bin/packages.tar.gz
    SIGN_TYPE: OSX
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - mkdir -p dist
    - pushd bin && tar -czvf packages.tar.gz otelcol_darwin_${ARCH} translatesfx_darwin_${ARCH} && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/otelcol_darwin_${ARCH}
      - dist/signed/translatesfx_darwin_${ARCH}

build-linux-image:
  extends: .trigger-filter
  stage: package
  needs:
    - compile
    - agent-bundle-linux
  parallel:
    matrix:
      - ARCH: [amd64, arm64, ppc64le]
  retry: 2
  script:
    - *docker-reader-role
    - make docker-otelcol ARCH=${ARCH} DOCKER_REPO=${DOCKER_HUB_REPO} SKIP_COMPILE=true SKIP_BUNDLE=true
    - arch=$( docker inspect --format='{{.Architecture}}' otelcol:${ARCH} )
    - if [[ "$arch" != "$ARCH" ]]; then exit 1; fi
  after_script:
    - mkdir -p dist
    - docker save -o dist/otelcol-${ARCH}.tar otelcol:${ARCH}
  artifacts:
    paths:
      - dist/otelcol-*.tar

.build-tar-deb-rpm:
  stage: package
  needs:
    - compile
    - agent-bundle-linux
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  before_script:
    - ./internal/buildscripts/packaging/fpm/install-deps.sh
  script:
    - ./internal/buildscripts/packaging/fpm/${PKG_TYPE}/build.sh "${CI_COMMIT_TAG:-}" "$ARCH" "./dist"

build-deb:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: deb
  artifacts:
    paths:
      - dist/*.deb

build-rpm:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: rpm
  artifacts:
    paths:
      - dist/*.rpm

build-tar:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: tar
  artifacts:
    paths:
      - dist/splunk-otel-collector*.tar.gz

build-msi:
  extends: .trigger-filter
  stage: package
  needs:
    - sign-exe
    - agent-bundle-windows
  before_script:
    # build the MSI with the signed exe
    - mkdir -p bin
    - cp -f dist/signed/otelcol_windows_amd64.exe bin/otelcol_windows_amd64.exe
    - cp -f dist/signed/translatesfx_windows_amd64.exe bin/translatesfx_windows_amd64.exe
  script:
    - *docker-reader-role
    - make msi SKIP_COMPILE=true VERSION=${CI_COMMIT_TAG:-} DOCKER_REPO=${DOCKER_HUB_REPO}
  artifacts:
    paths:
      - dist/*.msi

sign-debs:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-deb
    - instrumentation-deb
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: DEB
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.deb && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.deb

sign-rpms:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-rpm
    - instrumentation-rpm
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: RPM
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.rpm && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.rpm

sign-tar:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-tar
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: GPG
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz splunk-otel-collector*.tar.gz && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - mv dist/splunk-otel-collector*.tar.gz dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.tar.gz
      - dist/signed/*.tar.gz.asc

sign-msi:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-msi
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: WIN
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.msi && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.msi

sign-agent-bundles:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - agent-bundle-linux
    - agent-bundle-windows
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: GPG
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.tar.gz *.zip && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - mv dist/*.tar.gz dist/signed/
    - mv dist/*.zip dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.tar.gz
      - dist/signed/*.tar.gz.asc
      - dist/signed/*.zip
      - dist/signed/*.zip.asc

sign-ps-installer:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  dependencies: []
  variables:
    ARTIFACT: dist/install.ps1
    SIGN_TYPE: WIN
    DOWNLOAD_DIR: dist/signed
  before_script:
    - mkdir -p dist
    - cp internal/buildscripts/packaging/installer/install.ps1 dist/install.ps1
  artifacts:
    paths:
      - dist/install.ps1
      - dist/signed/install.ps1

verify-signed-packages:
  extends: .trigger-filter
  stage: sign-packages
  needs:
    - build-deb
    - build-rpm
    - build-msi
    - build-tar
    - instrumentation-deb
    - instrumentation-rpm
    - sign-debs
    - sign-rpms
    - sign-msi
    - sign-tar
    - agent-bundle-linux
    - agent-bundle-windows
    - sign-agent-bundles
    - sign-ps-installer
  script:
    - |
      set -ex
      for pkg in dist/*.rpm dist/*.deb dist/*.msi dist/*.tar.gz dist/*.zip dist/install.ps1; do
        if [[ ! -f dist/signed/$(basename $pkg) ]]; then
          echo "$pkg was not signed!" >&2
          exit 1
        fi
        if [[ "${pkg##*.}" =~ gz|zip ]] && [[ ! -f dist/signed/$(basename $pkg).asc ]]; then
          echo "$pkg was not signed!" >&2
          exit 1
        fi
      done

push-linux-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - build-linux-image
  retry: 2
  before_script:
    - docker load -i dist/otelcol-amd64.tar
    - docker load -i dist/otelcol-arm64.tar
    - docker load -i dist/otelcol-ppc64le.tar
  script:
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - |
      # Set env vars
      set -e
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector"
        MANIFEST_TAG=${CI_COMMIT_TAG#v}
      else
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector-dev"
        MANIFEST_TAG=$CI_COMMIT_SHA
      fi
    - |
      # Tag and push images
      set -e
      for arch in "amd64" "arm64" "ppc64le"; do
        ARCH_TAG="${MANIFEST_TAG}-${arch}"
        echo "Tagging and pushing ${IMAGE_NAME}:${ARCH_TAG}"
        docker tag otelcol:${arch} ${IMAGE_NAME}:${ARCH_TAG}
        docker push ${IMAGE_NAME}:${ARCH_TAG}
        if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
          # only push latest tag for main and stable releases
          LATEST_TAG="latest-${arch}"
          echo "Tagging and pushing ${IMAGE_NAME}:${LATEST_TAG}"
          docker tag ${IMAGE_NAME}:${ARCH_TAG} ${IMAGE_NAME}:${LATEST_TAG}
          docker push ${IMAGE_NAME}:${LATEST_TAG}
        fi
      done
    - |
      # Create and push image manifests
      set -e
      echo "Creating and pushing ${IMAGE_NAME}:${MANIFEST_TAG} manifest"
      docker manifest create ${IMAGE_NAME}:${MANIFEST_TAG} --amend ${IMAGE_NAME}:${MANIFEST_TAG}-amd64 --amend ${IMAGE_NAME}:${MANIFEST_TAG}-arm64 --amend ${IMAGE_NAME}:${MANIFEST_TAG}-ppc64le
      docker manifest push ${IMAGE_NAME}:${MANIFEST_TAG}
      if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        # only push latest manifest tag for main and stable releases
        echo "Creating and pushing ${IMAGE_NAME}:latest manifest"
        docker manifest create ${IMAGE_NAME}:latest --amend ${IMAGE_NAME}:latest-amd64 --amend ${IMAGE_NAME}:latest-arm64 --amend ${IMAGE_NAME}:latest-ppc64le
        docker manifest push ${IMAGE_NAME}:latest
      fi
    - docker pull ${IMAGE_NAME}:${MANIFEST_TAG}
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${MANIFEST_TAG}-amd64 | tee dist/linux_amd64_digest.txt
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${MANIFEST_TAG}-arm64 | tee dist/linux_arm64_digest.txt
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${MANIFEST_TAG}-ppc64le | tee dist/linux_ppc64le_digest.txt
    - docker manifest inspect ${IMAGE_NAME}:${MANIFEST_TAG} | tee dist/manifest_digest.txt
  artifacts:
    paths:
      - dist/linux_amd64_digest.txt
      - dist/linux_arm64_digest.txt
      - dist/linux_ppc64le_digest.txt
      - dist/manifest_digest.txt

build-push-windows-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-exe
    - agent-bundle-windows
  tags:
    - windows
  retry: 2
  before_script:
    - Copy-Item .\dist\signed\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
    - Copy-Item .\dist\signed\translatesfx_windows_amd64.exe .\cmd\otelcol\translatesfx.exe
    - Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip
  script:
    - docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
    - |
      $ErrorActionPreference = 'Stop'
      if ($env:CI_COMMIT_TAG) {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows"
        $IMAGE_TAG = $env:CI_COMMIT_TAG.TrimStart("v")
      } else {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows-dev"
        $IMAGE_TAG = $env:CI_COMMIT_SHA
      }
      $JMX_METRIC_GATHERER_RELEASE = $(Get-Content internal\buildscripts\packaging\jmx-metric-gatherer-release.txt)
      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=mcr.microsoft.com/windows/servercore:1809 --build-arg JMX_METRIC_GATHERER_RELEASE=${JMX_METRIC_GATHERER_RELEASE} -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
      docker push ${IMAGE_NAME}:${IMAGE_TAG}
      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        # only push latest tag for main and stable releases
        echo "Tagging and pushing ${IMAGE_NAME}:latest"
        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest
        docker push ${IMAGE_NAME}:latest
      }
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${IMAGE_TAG} | Tee-Object -FilePath dist/windows_digest.txt
  after_script:
    - docker image prune --all --force
  artifacts:
    paths:
      - dist/windows_digest.txt

build-push-windows2022-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-exe
    - agent-bundle-windows
  tags:
    - windows2022
  retry: 2
  before_script:
    - Copy-Item .\dist\signed\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
    - Copy-Item .\dist\signed\translatesfx_windows_amd64.exe .\cmd\otelcol\translatesfx.exe
    - Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip
  script:
    - docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
    - |
      $ErrorActionPreference = 'Stop'
      if ($env:CI_COMMIT_TAG) {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows"
        $tagNumber = $env:CI_COMMIT_TAG.TrimStart("v")
        $IMAGE_TAG = "${tagNumber}-2022"
      } else {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows-dev"
        $IMAGE_TAG = "${env:CI_COMMIT_SHA}-2022"
      }
      $JMX_METRIC_GATHERER_RELEASE = $(Get-Content internal\buildscripts\packaging\jmx-metric-gatherer-release.txt)
      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=mcr.microsoft.com/windows/servercore:ltsc2022 --build-arg JMX_METRIC_GATHERER_RELEASE=${JMX_METRIC_GATHERER_RELEASE} -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
      docker push ${IMAGE_NAME}:${IMAGE_TAG}
      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        # only push latest tag for main and stable releases
        echo "Tagging and pushing ${IMAGE_NAME}:latest-2022"
        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:latest-2022
        docker push ${IMAGE_NAME}:latest-2022
      }
    - docker inspect --format='{{.RepoDigests}}' ${IMAGE_NAME}:${IMAGE_TAG} | Tee-Object -FilePath dist/windows_2022_digest.txt
  after_script:
    - docker image prune --all --force
    - C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe -remove
  artifacts:
    paths:
      - dist/windows_2022_digest.txt

release-debs:
  extends:
    - .trigger-filter
    - .deploy-release
  stage: release
  resource_group: artifactory-deb
  dependencies:
    - sign-debs
  variables:
    PATHS: dist/signed/*.deb
  artifacts:
    paths:
      - dist/signed/*.deb
      - Release

release-rpms:
  extends:
    - .trigger-filter
    - .deploy-release
  stage: release
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  resource_group: artifactory-rpm
  dependencies:
    - sign-rpms
  variables:
    PATHS: dist/signed/*${ARCH}.rpm
  after_script:
    - mkdir ${ARCH}
    - mv repomd.xml ${ARCH}/repomd.xml
  artifacts:
    paths:
      - dist/signed/*${ARCH}.rpm
      - ${ARCH}/repomd.xml

# only upload the msi to S3 for stable release tags
release-msi:
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  extends:
    - .deploy-release
  stage: release
  dependencies:
    - sign-msi
  variables:
    PATHS: dist/signed/*.msi

# only upload the installer scripts to S3 for stable release tags
release-installers:
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  extends:
    - .deploy-release
  stage: release
  dependencies:
    - sign-ps-installer
  variables:
    INSTALLERS: "true"
  before_script:
    - cp -f dist/signed/install.ps1 internal/buildscripts/packaging/installer/install.ps1

choco-release:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-msi
  tags:
    - windows
  script:
    - |
      $ErrorActionPreference = 'Stop'
      Set-PSDebug -Trace 1
      $msi_file_name = Resolve-Path .\dist\signed\splunk-otel-collector*.msi | Split-Path -leaf
      if ($msi_file_name -match '(\d+\.\d+\.\d+)(\.\d+)?') {
        $version = $matches[0]
      } else {
        throw "Failed to get version from $msi_file_name"
      }
      .\internal\buildscripts\packaging\choco\make.ps1 build_choco -Version $version -BuildDir .\dist\signed
    - Test-Path .\dist\signed\splunk-otel-collector.${version}.nupkg
    - |
      # Only push the choco package for stable release tags
      if ($env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        choco push -k $env:CHOCO_TOKEN .\dist\signed\splunk-otel-collector.${version}.nupkg
      }
  artifacts:
    paths:
      - dist/signed/*.nupkg

sign-apt-metadata:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-metadata
  retry: 2
  resource_group: artifactory-deb
  needs:
    - release-debs
  variables:
    ARTIFACT: Release
    SIGN_TYPE: GPG
  after_script:
    - mv Release signed/Release
  artifacts:
    paths:
      - signed/Release
      - signed/Release.asc

sign-yum-metadata:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-metadata
  retry: 2
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  resource_group: artifactory-rpm
  needs:
    - release-rpms
  variables:
    ARTIFACT: ${ARCH}/repomd.xml
    SIGN_TYPE: GPG
    DOWNLOAD_DIR: signed/${ARCH}
  after_script:
    - mv ${ARCH}/repomd.xml signed/${ARCH}/repomd.xml
  artifacts:
    paths:
      - signed/${ARCH}/repomd.xml
      - signed/${ARCH}/repomd.xml.asc

upload-apt-signature:
  extends: .trigger-filter
  stage: sign-metadata
  resource_group: artifactory-deb
  needs:
    - sign-apt-metadata
  before_script:
    - *get-artifactory-stage
  script:
    - curl -u ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_TOKEN} -X PUT "https://splunk.jfrog.io/artifactory/otel-collector-deb/dists/${STAGE}/Release.gpg" -T signed/Release.asc

upload-yum-signature:
  extends: .trigger-filter
  stage: sign-metadata
  resource_group: artifactory-rpm
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  needs:
    - sign-yum-metadata
  before_script:
    - *get-artifactory-stage
  script:
    - curl -u ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_TOKEN} -X PUT "https://splunk.jfrog.io/artifactory/otel-collector-rpm/${STAGE}/${ARCH}/repodata/repomd.xml.asc" -T signed/${ARCH}/repomd.xml.asc

github-release:
  extends:
    - .trigger-filter
    - .go-cache
  stage: github-release
  dependencies:
    - compile
    - libsplunk
    - sign-exe
    - sign-osx
    - release-debs
    - release-rpms
    - sign-msi
    - sign-tar
    - push-linux-image
    - build-push-windows-image
    - build-push-windows2022-image
    - choco-release
    - sign-agent-bundles
  script:
    - mkdir -p dist/assets
    - cp bin/otelcol_linux_* dist/assets/
    - cp bin/translatesfx_linux_* dist/assets/
    - cp instrumentation/dist/libsplunk_*.so dist/assets/
    - cp dist/signed/* dist/assets/
    - |
      # rename agent bundles to include the version for stable releases
      set -e
      if [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        mv dist/assets/agent-bundle_linux_amd64.tar.gz dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_linux_amd64.tar.gz
        mv dist/assets/agent-bundle_linux_amd64.tar.gz.asc dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_linux_amd64.tar.gz.asc
        mv dist/assets/agent-bundle_windows_amd64.zip dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_windows_amd64.zip
        mv dist/assets/agent-bundle_windows_amd64.zip.asc dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_windows_amd64.zip.asc
        # exclude the arm64 bundle from release assets
        rm -f dist/assets/agent-bundle_linux_arm64.tar.gz
        rm -f dist/assets/agent-bundle_linux_arm64.tar.gz.asc
      fi
    - pushd dist/assets && shasum -a 256 * > checksums.txt && popd
    - |
      # only create github release for stable release tags
      set -e
      if [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        release_notes="$( ./internal/buildscripts/packaging/release/gh-release-notes.sh "$CI_COMMIT_TAG" )"
        ghr -t "$GITHUB_TOKEN" -u signalfx -r splunk-otel-collector -n "$CI_COMMIT_TAG" -b "$release_notes" --replace "$CI_COMMIT_TAG" dist/assets/
      fi
  artifacts:
    when: always
    paths:
      - dist/assets

.ansible:
  image: 'cimg/python:3.9'
  only:
    - /^ansible-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - branches
    - schedules
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key: "ansible-pip-cache"
    paths:
      - .cache/pip

ansible-build:
  extends: .ansible
  stage: build
  artifacts:
    paths:
      - dist/
  before_script:
    - pip3 install ansible==3.4.0
  script:
    - ansible-galaxy collection build ./deployments/ansible --output-path ./dist

ansible-release:
  extends: .ansible
  stage: release
  before_script:
    - pip3 install ansible==3.4.0 yq==2.12.0
  script:
    - export COLLECTION_VERSION=$(cat ./deployments/ansible/galaxy.yml | yq .version -r)
    - ansible-galaxy collection publish ./dist/signalfx-splunk_otel_collector-${COLLECTION_VERSION}.tar.gz --token=${ANSIBLE_GALAXY_TOKEN} 

puppet-release:
  image: '${DOCKER_HUB_REPO}/ruby:2.6-buster'
  stage: release
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^puppet-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  before_script:
    - gem install bundler
    - cd deployments/puppet
    - bundle install
    - bundle exec rake module:clean
  script:
    - bundle exec rake module:push
  artifacts:
    paths:
      - deployments/puppet/pkg/*.tar.gz

cve-scan:
  extends: .go-cache
  stage: cve-scan
  retry: 2
  only:
    - main
    - schedules
  before_script:
    - apt-get update
    - apt-get install -y ca-certificates curl gnupg lsb-release
    - curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
    - echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
    - apt-get update
    - apt-get install -y docker-ce-cli docker-scan-plugin
  script:
    - *docker-reader-role
    - |
      if [ -f dist/otelcol-amd64.tar ]; then
        docker load -i dist/otelcol-amd64.tar
        docker tag otelcol:amd64 otelcol:latest
      else
        make docker-otelcol DOCKER_REPO=${DOCKER_HUB_REPO}
      fi
    - docker scan --accept-license --login --token ${SNYK_AUTH_TOKEN}
    - docker scan --severity high otelcol
  after_script:
    - |
      if [ "$CI_JOB_STATUS" != "success" ]; then
        curl -X POST ${SLACK_WEBHOOK_URL} -H 'Content-Type: application/json' \
          --data "{\"blocks\": [{\"type\": \"section\",\"text\": {\"type\": \"mrkdwn\",\"text\": \"*@here Gitlab Job #${CI_JOB_ID}*\"}},{\"type\": \"section\",\"text\": {\"type\": \"mrkdwn\",\"text\": \"*:ghost: Vulnerability scan failed on splunk-otel-collector*\"},\"accessory\": {\"type\": \"button\",\"text\": {\"type\": \"plain_text\",\"text\": \"More Info\",\"emoji\": true},\"style\": \"danger\",\"url\": \"${CI_JOB_URL}\",\"action_id\": \"button-action\"}}]}"
      fi

chef-release:
  image: '${DOCKER_HUB_REPO}/ruby:2.7-buster'
  stage: release
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^chef-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  before_script:
    - mkdir -p ~/.chef
    - cat "$CHEF_PEM" > ~/.chef/signalfx.pem
    - cat "$CHEF_KNIFE_RB" > ~/.chef/knife.rb
    - gem install knife -v 17.10.0
    - mkdir -p /tmp/cookbooks
    - cp -r deployments/chef /tmp/cookbooks/splunk_otel_collector
  script:
    - knife supermarket share -o /tmp/cookbooks splunk_otel_collector