# Documentation on available configurations
# https://cloud.ibm.com/docs/devsecops?topic=devsecops-cd-devsecops-apps-byoa
# https://cloud.ibm.com/docs/devsecops?topic=devsecops-custom-scripts

# Pipeline-config schema version; quoted so YAML keeps it a string, not an int.
version: "1"
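setup:
  # NOTE(review): referenced by a mutable tag; sign-artifact below pins its
  # image by digest, which would also protect this stage from tag drift.
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  script: |
    #!/usr/bin/env bash
    # Prepares the app repo: on the PR-verification and merge triggers it
    # sources the shared setup scripts and installs dependencies with npm ci;
    # the CI namespace and the bvt trigger exit early afterwards.
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      # Dumps the whole environment into the log (now and at exit); anything
      # exported into the environment, tokens included, is printed.
      trap env EXIT
      env
      set -x
    fi

    # NOTE(review): the trigger is matched as "verfication" here and in
    # compliance-checks, test and finish, but as "verification" in
    # containerize; confirm which spelling the toolchain trigger uses.
    if [[ "$(get_env trigger)" == *"verfication"* ]]; then
      echo "API CLI here: Only PR"

      # Stop here if the checkout is missing rather than running npm elsewhere.
      cd "$WORKSPACE/$(load_repo app-repo path)" || exit 1
      ls

      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/code_setup.sh"

      # ensure we're located in the source app repo
      cd "$WORKSPACE/$(load_repo app-repo path)" || exit 1

      # update the dependency in the source app
      npm ci

      # automatic watsox pr code-review
      #source $WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/astah_pr_review.sh
    fi

    if [[ "$(get_env trigger)" == *"merge"* ]]; then
      echo "Ninox : Only in Merge hander"
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/merge_check.sh"
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/approval_checker.sh" "merge"
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/check_label.sh"
      echo "Approval"
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/code_setup.sh"

      # ensure we're located in the source app repo
      cd "$WORKSPACE/$(load_repo app-repo path)" || exit 1

      # update the dependency in the source app
      npm ci
    fi

    # NOTE(review): these early exits come after the trigger handlers above,
    # so in the ci namespace the handlers still run; confirm that is intended.
    if [[ "$(get_env pipeline_namespace)" == *"ci"* ]]; then
      echo "Skipping the setup"
      exit
    fi

    if [[ "$(get_env trigger)" == *"bvt"* ]]; then
      echo "Triggering BVT..."
      exit
    fi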

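compliance-checks:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  dind: true
  abort_on_failure: true
  image_pull_policy: IfNotPresent
  skip: false
  runAfter: test
  script: |
    #!/usr/bin/env bash
    # Runs the compliance toolset on the PR-verification trigger. mend-scan is
    # run separately as best-effort: its failure is logged but does not fail
    # the stage. The merge trigger skips the checks entirely.

    # Registry credentials, presumably read by the compliance tools below.
    # They are exported on purpose; keep any `env` dump out of this stage so
    # they are not written to the pipeline log.
    export JFROG_BEARER_TOKEN="$(get_env jfrog_bearer_token)"  # account
    export AUTH_TOKEN_PRIVATE_REGISTRY="$(get_env jfrog_token)"  #npm

    if [[ "$(get_env trigger)" == *"verfication"* ]]; then
      echo "Running Code Complaince Checks..."
      # `|| exit_code=$?` only assigns on failure, so exit_code must start at
      # 0; otherwise the success path compares an empty value and exits 1.
      exit_code=0
      /opt/commons/compliance-checks/run.sh 'branch-protection' 'cra-bom-generate' 'cra-vulnerability-scan' 'cra-deploy-analysis' 'checkov' || exit_code=$?
      if [ "$exit_code" != "0" ]; then
        echo "Compliance check failed (excluding mend-scan)"
        exit 1
      fi
      echo "Running mend-scan separately..."
      /opt/commons/compliance-checks/run.sh 'mend-scan' || echo "Warning: mend-scan failed, but continuing..."
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/add_label.sh"
    fi

    if [[ "$(get_env trigger)" == *"merge"* ]]; then
      echo "Skipping Code Complaince In Merge..."
    fi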

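test:
  abort_on_failure: true
  dind: true
  skip: false
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  script: |
    #!/usr/bin/env bash
    # Unit tests plus SonarQube analysis.
    #   bvt trigger          - install from the private registry, run coverage,
    #                          scan the branch (pull-request keys removed)
    #   merge trigger        - skipped
    #   verification trigger - build, run the unit tests, scan as a pull request
    #
    # Debug handling comes first. At the end of the script (where it used to
    # sit) it ran only after every trigger path had finished or exited, so it
    # never traced anything.
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      trap env EXIT
      env
      set -x
    fi

    # Turn command tracing back on after a secret-handling step, but only when
    # the pipeline is in debug mode.
    resume_trace() {
      if [[ "$PIPELINE_DEBUG" == 1 ]]; then
        set -x
      fi
    }

    # Write the private-registry credentials to .npmrc with tracing suspended,
    # so the token is never echoed into the pipeline log.
    write_npmrc() {
      { set +x; } 2>/dev/null
      local reg_token
      reg_token=$(get_env npmrc-token "")
      echo "@webMethods:registry=https://ico.jfrog.io/artifactory/api/npm/npm-snapshot-local/" > .npmrc
      echo "$reg_token" >> .npmrc
      resume_trace
    }

    # Run the SonarQube scanner against the current directory. The token is
    # handed to the container through its environment with tracing suspended;
    # the scanner's exit status is returned.
    run_sonar_scan() {
      { set +x; } 2>/dev/null
      local token rc
      token=$(get_env sonar-token "")
      docker run \
        --rm \
        -e SONAR_HOST_URL="https://sonarqube-prod.apps.wdc-sonarqube-prod.core.cirrus.ibm.com" \
        -e SONAR_TOKEN="$token" \
        -v "$(pwd):/usr/src" \
        icr.io/continuous-delivery/toolchains/devsecops/sonar-scanner-cli
      rc=$?
      resume_trace
      return "$rc"
    }

    if [[ "$(get_env trigger)" == *"bvt"* ]]; then
      cd "$WORKSPACE/$(load_repo app-repo path)" || exit 1
      write_npmrc

      npm i
      npm run test-coverage
      # The credential file is only needed for the install; remove it before
      # the workspace is mounted into the scanner container.
      rm -f .npmrc
      # Branch analysis: drop the pull-request keys from the properties file.
      sed -i "/sonar.pullrequest.base=main/d" sonar-project.properties
      sed -i "/sonar.pullrequest.branch=BRANCHNAME/d" sonar-project.properties
      sed -i "/sonar.pullrequest.key=BRANCHKEY/d" sonar-project.properties
      run_sonar_scan
    fi

    if [[ "$(get_env trigger)" == *"merge"* ]]; then
      echo "Skipping the unit test"
      exit
    fi

    if [[ "$(get_env trigger)" == *"verfication"* ]]; then
      # ensure we're located in the source app repo
      cd "$WORKSPACE/$(load_repo app-repo path)" || exit 1
      #Since we are not having lfs removing as of now
      # yum install -y tar && yum install -y unzip

      # unzip $WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/lfs/11.1.0/node_modules.zip -d .

      npm run build
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/run_test.sh"
      run_unit_test
      PR_URL=$(get_env PR_URL "")
      # Only the digits after "pulls/" are accepted, which keeps the value safe
      # for the sed substitution below.
      PR_NUMBER=$(echo "$PR_URL" | grep -oP '(?<=pulls/)[0-9]+')
      if [[ -z "$PR_NUMBER" ]]; then
        echo "Warning: no pull-request number found in PR_URL; sonar.pullrequest.key will be empty" >&2
      fi
      # Drop the trailing newline (if the file has one) before the character
      # filter: tr -c would otherwise turn it into a trailing "_" in the
      # branch name. The filter keeps the value safe for the sed substitution.
      BRANCH=$(tr -d '\n' < /config/git-branch | tr -c '[:alnum:]_.-' '_')
      sed -i "s|BRANCHNAME|$BRANCH|g" sonar-project.properties
      sed -i "s|BRANCHKEY|$PR_NUMBER|g" sonar-project.properties
      run_sonar_scan
      # save_deployment_artifact deployment_iks.yml IKS
      # save_deployment_artifact deployment_os.yml OPENSHIFT
      # run_unit_test
    fi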

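peer-review:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  dind: true
  peer-review-compliance: 1
  peer-review-collection: 1
  abort_on_failure: true
  image_pull_policy: IfNotPresent
  skip: false
  runAfter: null
  script: |
    #!/usr/bin/env bash
    # Runs the common peer-review script, skipped for the CI namespace and the
    # PRV trigger. Declared as bash (it was /bin/sh) because the script relies
    # on the bash `[[ ]]` test; the other stages on this image already use bash.

    if [[ "$(get_env pipeline_namespace)" == *"ci"* ]]; then
      echo "Skipping the peer-review"
      exit
    fi

    #Git PRV Trigger - CLI
    if [[ "$(get_env trigger_name)" == *"prv"* ]]; then
      echo "Skipping deploy for PRV pipeline"
      exit
    fi

    "/opt/commons/peer-review/peer-review-ci.sh"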

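containerize:
  script: |
    #!/usr/bin/env bash
    # Merge trigger: bring the branch up to date with main, pull LFS objects,
    # publish the CLI artifacts and run the auto-merge script. Nothing is
    # built on the verification trigger.
    if [[ "$(get_env trigger)" == *"merge"* ]]; then
      git fetch origin main || exit 1
      # The merge is the step that fails on conflicts. `git status` exits 0
      # even with a dirty tree, so checking its status (as before) caught
      # nothing and the upload/auto-merge ran on a conflicted checkout.
      if ! git merge origin/main; then
        echo "There are merge conflicts."
        exit 1
      fi
      git lfs pull
      git lfs status
      git status --porcelain  # Check for untracked or modified files
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/upload_cli_artifacts.sh" "apim-cli"  "$(get_env jfrog_user)"  "$(get_env jfrog_token)" "$(get_env jfrog_bearer_token)" ./version-info.json
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/auto_merge.sh"
    fi
    # `_engetv` was a typo of `get_env`, which left this branch unreachable.
    # NOTE(review): every other stage matches this trigger as "verfication";
    # confirm which spelling the toolchain trigger uses.
    if [[ "$(get_env trigger)" == *"verification"* ]]; then
      echo "Skipping."
    fi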

sign-artifact:
  # Pinned by digest, so the signing image cannot change underneath the stage.
  image: icr.io/continuous-delivery/toolchains/devsecops/csso-image-sign@sha256:819df056454ad53c012c4c61ea3b2eed017c0f1f46659ef4db906adc311c2fc5
  abort_on_failure: false
  script: |
    #!/usr/bin/env bash
    # Image signing is intentionally disabled for this pipeline; the stage
    # only logs that it ran and returns success.
    echo "Ninox in Sign-artifact"
    echo "Skipping image signing"
    exit 0

deploy:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.59
  script: |
    #!/usr/bin/env bash
    # Nothing is deployed for the CLI; the stage only logs and succeeds.
    echo "Skipping deploy for cli."

release:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.59
  abort_on_failure: true
  script: |
    #!/usr/bin/env bash
    # No release step for the CLI; the stage only logs and succeeds.
    echo "Skipping this step for CLI"

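dynamic-scan:
  dind: true
  abort_on_failure: false
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  script: |
    #!/usr/bin/env bash
    # Opt-in dynamic (ZAP) scan. Without the opt-in-dynamic-scan parameter the
    # stage only prints how to enable it; in the cc namespace it additionally
    # requires app-url and loads the cc-specific ZAP config first.
    if [[ "$PIPELINE_DEBUG" == 1 ]]; then
      # Dumps the whole environment into the log (now and at exit); anything
      # exported into the environment, tokens included, is printed.
      trap env EXIT
      env
      set -x
    fi
    if [ -z "$(get_env opt-in-dynamic-scan "")" ]; then
      echo "If you want to enable this stage, add 'opt-in-dynamic-scan' parameter to your pipeline with any value. Also, please add 'opt-in-dynamic-api-scan' to your pipeline with any value to have api scans running, and 'opt-in-dynamic-ui-scan' with any value to have ui scans running" >&2
    else
      if [[ "$(get_env pipeline_namespace)" == *"cc"* ]]; then
        app_url=$(get_env app-url "")
        if [[ -z "${app_url}" ]]; then
          echo "Please provide the app-url as the running application url. Recommended to use stage/test environment to run the Dynamic scan." >&2
          exit 1
        fi
        # Paths are quoted so a WORKSPACE containing spaces cannot split them.
        source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/zap/zap-cc-config"
      fi
      source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/zap/trigger-async-zap"
    fi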

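owasp-zap:
  dind: true
  abort_on_failure: true
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  script: |
    #!/usr/bin/env bash
    # Hands off to the ZAP trigger script kept in the pipeline-config repo;
    # the path is quoted so a WORKSPACE containing spaces cannot split it.

    source "$WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/zap/trigger_zap_scans"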

static-scan:
  abort_on_failure: false
  dind: true
  image_pull_policy: IfNotPresent
  image: icr.io/continuous-delivery/pipeline/pipeline-base-image:2.63
  script: |
    #!/bin/sh
    # Delegates entirely to the common static-scan runner; nothing is
    # configured here, and a failure does not abort the pipeline.

    "/opt/commons/static-scan/run.sh" # https://github.ibm.com/open-toolchain/compliance-commons/blob/master/static-scan/run.sh

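scan-artifact:
  dind: true
  abort_on_failure: false
  # NOTE(review): this stage runs an older base image (3.25) than the other
  # stages (3.53); confirm the version skew is intended.
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.25
  script: |
    #!/usr/bin/env bash
    # Artifact (twistlock) scan, skipped for the PRV trigger. Declared as bash
    # (it was /bin/sh) because the script relies on the bash `[[ ]]` test.

    # if [[ "$(get_env pipeline_namespace)" == *"pr"* ]]; then
    #   echo "Skipping twistlock scan for PR pipeline"
    #   exit
    # fi

    if [[ "$(get_env trigger_name)" == *"prv"* ]]; then
      echo "Skipping twistlock for PRV pipeline"
      exit
    fi

    /opt/commons/scan-artifact/scan.sh
    #source scripts/remote-scan.sh multiscan ust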

finish:
  image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.53
  dind: true
  abort_on_failure: false
  image_pull_policy: IfNotPresent
  skip: false
  runAfter: null
  script: |
    #!/usr/bin/env bash
    # Final stage. On the PR-verification trigger only a log line is written
    # (the approval-checker call stays commented out); the common finish
    # script then runs for every trigger.

    if [[ "$(get_env trigger)" == *"verfication"* ]]; then
      echo "Adding comments"
      # source $WORKSPACE/$PIPELINE_CONFIG_REPO_PATH/scripts/approval_checker.sh
      # echo "API CLI : Approval Checker done."
    fi

    "/opt/commons/custom-finish/finish.sh"
