GlitchTip/.gitlab-ci.yml

variables:
  PROJECT_NAME: glitchtip
  PIP_DISABLE_PIP_VERSION_CHECK: "on"
  POSTGRES_HOST_AUTH_METHOD: "trust"
  UV_VERSION: 0.4
  BASE_LAYER: bookworm
  UV_SYSTEM_PYTHON: "true"
  UV_PYTHON_DOWNLOADS: "never"
  UV_PROJECT_ENVIRONMENT: "/usr/local"
  UV_CACHE_DIR: ".uv-cache"
  DEBUG: "true"

include:
  - template: SAST.gitlab-ci.yml
  - template: Dependency-Scanning.gitlab-ci.yml
  - template: Secret-Detection.gitlab-ci.yml

workflow:
  rules:
    - when: always

test:
  image: ghcr.io/astral-sh/uv:$UV_VERSION-python$PYTHON_VERSION-$BASE_LAYER
  variables:
    SECRET_KEY: testing
    ENABLE_TEST_API: "true"
    ENABLE_OPEN_USER_REGISTRATION: "true"
  services:
    - postgres:$POSTGRES_VERSION
  cache:
    - key: ${CI_COMMIT_REF_SLUG}${VERSION}
      files:
        - uv.lock
      paths:
        - $UV_CACHE_DIR
  cache:
    paths:
      - .cache/pip
  script:
    - uv sync --frozen --no-install-project
    - uv run ./manage.py test
    - uv cache prune --ci
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"
  parallel:
    matrix:
      - PYTHON_VERSION: '3.11'
        POSTGRES_VERSION: '13'
      - PYTHON_VERSION: '3.12'
        POSTGRES_VERSION: '16'

lint:
  image: python:3.13-slim
  script:
    - pip install ruff
    - ruff check glitchtip/ apps/
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"

build:
  image: docker:27
  rules:
    # Run only on protected branches that are not tagged and not merge requests
    - if: '$CI_PIPELINE_SOURCE != "merge_request_event" && $CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_TAG =~ "/^$/"'
  services:
    - docker:27-dind
  script:
    - docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com
    - docker build -t ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME//\//-} --build-arg IS_CI="True" .
    - docker push ${CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME//\//-}
  rules:
    - if: $CI_PIPELINE_SOURCE != "schedule"

buildx:
  image: docker:25-git
  variables:
    GIT_STRATEGY: none
  artifacts:
    paths:
      - buildx
    expire_in: 1 hour
  services:
    - docker:27-dind
  script:
    - export DOCKER_BUILDKIT=1
    - git clone https://github.com/docker/buildx.git ./docker-buildx
    - docker build --platform=local -o . ./docker-buildx
  rules:
    - if: $CI_PIPELINE_SOURCE =~ "schedule"
      when: never
    - if: $CI_COMMIT_TAG =~ /^v\d+.\d+.\d+/

build_arm_x86:
  image: docker:27
  needs:
    - buildx
  services:
    - docker:27-dind
  before_script:
    - mkdir -p ~/.docker/cli-plugins
    - mv buildx ~/.docker/cli-plugins/docker-buildx
    - docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
  script:
    - wget https://gitlab.com/api/v4/projects/15449363/jobs/artifacts/$CI_COMMIT_TAG/download?job=build-assets -O assets.zip
    - unzip assets.zip
    - rm assets.zip
    - mv dist/glitchtip-frontend/* dist/
    - rmdir dist/glitchtip-frontend/
    - VERSION=${CI_COMMIT_REF_NAME#*v}
    - MINOR_VERSION=$(echo "$CI_COMMIT_REF_NAME" | sed 's/\.[^.]*$//')
    - echo "Build version $VERSION ci registry image $CI_REGISTRY_IMAGE commit ref $CI_COMMIT_REF_NAME"
    - docker login -u ${DOCKER_CI_REGISTRY_USER} -p ${DOCKER_CI_REGISTRY_PASSWORD}
    - docker buildx create --use
    - docker buildx build --platform linux/arm64/v8,linux/amd64 --push -t ${DOCKER_CI_REGISTRY_IMAGE}:${CI_COMMIT_REF_NAME} -t ${DOCKER_CI_REGISTRY_IMAGE}:${MINOR_VERSION} -t ${DOCKER_CI_REGISTRY_IMAGE}:latest --build-arg IS_CI="True" --build-arg GLITCHTIP_VERSION=$VERSION --build-arg COLLECT_STATIC="True" .
  rules:
    - if: $CI_PIPELINE_SOURCE =~ "schedule"
      when: never
    - if: '$CI_COMMIT_TAG =~ /^v\d+.\d+.\d+/ && $CI_COMMIT_REF_PROTECTED == "true"'


update_deps:
  image: renovate/renovate:39
  variables:
    RENOVATE_PLATFORM: gitlab
    RENOVATE_ENDPOINT: https://gitlab.com/api/v4
    RENOVATE_TOKEN: $GITLAB_ACCESS_TOKEN
    RENOVATE_REPOSITORIES: glitchtip/glitchtip-backend
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
  script: renovate