.gitlab-ci.yml
# Pipeline composition: a stock workflow template, a shared scanning job
# definition from the security group, and the harbor-cve CI/CD component.
include:
  - template: "Workflows/Branch-Pipelines.gitlab-ci.yml"
  - project: "security/container-scanning"
    file: ".ESnet-container-scan.yml"
  # NOTE(review): the component is pinned to the mutable `main` ref; pinning
  # to a release tag or commit SHA would make the included job definitions
  # reproducible and reviewable — confirm with the cicd-common owners.
  - component: "$CI_SERVER_FQDN/ht/cicd-common/harbor-cve@main"
    inputs:
      # Harbor endpoint and the CVE-scoped credentials, all supplied as
      # CI/CD variables rather than written into this file.
      harbor_host: "$HSITE"
      harbor_user: "$HUSER_CVE"
      harbor_token: "$HTOKEN_CVE"
      harbor_project: "$CI_PROJECT_NAMESPACE"
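# Build and publish the container image. The tag that was actually pushed is
# exported as CS_IMAGE through a dotenv report artifact so that the downstream
# container_scanning job scans exactly that image.
build:
  stage: build
  image: docker:26.1
  services:
    - docker:26.1-dind
  tags:
    - ht-docker
  variables:
    # Pipeline-unique tag: <registry image>:<pipeline id>-g<short sha>.
    # TAG_SUFFIX is appended on non-default branches only (see rules below)
    # and expands to the empty string otherwise.
    PUBLISH_TAG: "$CI_REGISTRY_IMAGE:$CI_PIPELINE_ID-g$CI_COMMIT_SHORT_SHA"
  script:
    # Feed the registry password over stdin instead of `-p`, so it never
    # appears in the process list and docker does not warn about it.
    # printf is used rather than echo so a password starting with '-' or
    # containing backslashes is passed through unchanged.
    - printf '%s\n' "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build --pull -t "$PUBLISH_TAG$TAG_SUFFIX" .
    # Push under the pipeline-unique, user-friendly name that other repos
    # can reference.
    - docker push "$PUBLISH_TAG$TAG_SUFFIX"
    # Capture the published tag for downstream CI jobs (dotenv artifact).
    - |
      cat <<EOF >> build.env
      CS_IMAGE=$PUBLISH_TAG$TAG_SUFFIX
      EOF
    - cat build.env
    - |
      echo Image published as: $PUBLISH_TAG$TAG_SUFFIX
  timeout: 3h
  artifacts:
    reports:
      dotenv: build.env
  rules:
    # Default branch: publish without a suffix.
    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
    # Any other branch: mark the image as a development build.
    # NOTE(review): when CI_COMMIT_BRANCH is unset (e.g. a tag pipeline, which
    # the Branch-Pipelines workflow allows) this rule also matches and a -dev
    # image is published — confirm that is intended.
    - if: '$CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
      variables:
        # Quoted so the leading '-' is never read as a sequence indicator.
        TAG_SUFFIX: "-dev"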
# Job body is inherited from the hidden `.harbor_cve_allowlist` template
# (provided by the harbor-cve component include); container_scanning lists
# this job in its dependencies to receive whatever it produces.
pull_cve_allowlist:
  extends:
    - .harbor_cve_allowlist
# Override of the container_scanning job defined by the included
# .ESnet-container-scan.yml.
container_scanning:
  # 'dependencies' rather than 'needs' is deliberate: the GitLab container
  # scanning include sets 'dependencies: []', which takes precedence over
  # 'needs', so this is the only way to pull in build.env (CS_IMAGE) from the
  # build job and the output of pull_cve_allowlist.
  dependencies:
    - pull_cve_allowlist
    - build
  variables:
    # Scan budget for Trivy; quoted so it stays a string.
    TRIVY_TIMEOUT: '1h'