stages:
  - compiling
  - assembling
  - testing
  - signing
  - packaging
  - publishing

image: ubuntu:20.04

Compile:
  stage: compiling
  script:
    - apt update
    - DEBIAN_FRONTEND="noninteractive" apt install -y npm
    - npm install
    - if [ "${CI_COMMIT_REF_NAME}" == "stable" ] ; then npm run build:prod ; fi
    - if [ "${CI_COMMIT_REF_NAME}" != "stable" ] ; then npm run build:nightly ; fi
  artifacts:
    paths:
      - ./src/js/Static/*
      - ./src/l10n/*
      - ./src/css/*

Assemble:
  stage: assembling
  script:
    - mkdir passwords
    - if [ "${CI_COMMIT_REF_NAME}" == "stable" ] ; then sed -i -e "s/-BUILD//g" ./src/appinfo/info.xml ; fi
    - if [ "${CI_COMMIT_REF_NAME}" != "stable" ] ; then sed -i -e "s/-BUILD/-build${CI_PIPELINE_ID}/g" ./src/appinfo/info.xml ; fi
    - rsync -r --exclude="vue" --exclude="js" --exclude="scss" src/* passwords
    - rsync -r src/js/Static passwords/js/
    - cp CHANGELOG.md passwords/
  artifacts:
    paths:
      - ./passwords

PHPUnit:
  stage: testing
  script:
    - npm run phpunit
  artifacts:
    paths:
      - ./passwords

Sign:
  stage: signing
  script:
    - echo "-----BEGIN PRIVATE KEY-----" > sign.key
    - echo $SIGN_KEY | tr " " "\n" >> sign.key
    - echo "-----END PRIVATE KEY-----" >> sign.key
    - echo "-----BEGIN CERTIFICATE-----" > sign.crt
    - echo $SIGN_CRT | tr " " "\n" >> sign.crt
    - echo "-----END CERTIFICATE-----" >> sign.crt
    - /usr/src/nextcloud/occ integrity:sign-app --path=$(pwd)/passwords --privateKey=$(pwd)/sign.key --certificate=$(pwd)/sign.crt
    - rm sign.key sign.crt
  artifacts:
    paths:
      - ./passwords
  only:
    - testing
    - stable

Pack:
  stage: packaging
  script:
    - tar -zcf passwords.tar.gz passwords
    - echo "export JOB_ID=\"${CI_JOB_ID}\"" > job.id
  artifacts:
    paths:
      - ./passwords.tar.gz
      - job.id
  only:
  - testing
  - stable

Publish Nightly:
  stage: publishing
  script:
    - source job.id
    - echo "-----BEGIN PRIVATE KEY-----" > sign.key
    - echo $SIGN_KEY | tr " " "\n" >> sign.key
    - echo "-----END PRIVATE KEY-----" >> sign.key
    - SIGNATURE=$(openssl dgst -sha512 -sign ./sign.key ./passwords.tar.gz | openssl base64 | tr -d "\n")
    - rm sign.key
    - 'curl -f -X POST ${API_URL} -H "Authorization: Token ${API_TOKEN}" -H "Content-Type: application/json" -d "{\"download\":\"${CI_PROJECT_URL}/-/jobs/${JOB_ID}/artifacts/raw/passwords.tar.gz\",\"signature\":\"${SIGNATURE}\",\"nightly\":true}"'
  environment:
    name: Testing
  only:
  - testing

Publish Stable:
  stage: publishing
  script:
    - source job.id
    - echo "-----BEGIN PRIVATE KEY-----" > sign.key
    - echo $SIGN_KEY | tr " " "\n" >> sign.key
    - echo "-----END PRIVATE KEY-----" >> sign.key
    - SIGNATURE=$(openssl dgst -sha512 -sign ./sign.key ./passwords.tar.gz | openssl base64 | tr -d "\n")
    - rm sign.key
    - 'curl -f -X POST ${API_URL} -H "Authorization: Token ${API_TOKEN}" -H "Content-Type: application/json" -d "{\"download\":\"${CI_PROJECT_URL}/-/jobs/${JOB_ID}/artifacts/raw/passwords.tar.gz\",\"signature\":\"${SIGNATURE}\",\"nightly\":false}"'
  environment:
    name: Stable
  only:
  - stable