---
when:
  - event: [pull_request, tag]
  - event: [push, manual]
    branch:
      - ${CI_REPO_DEFAULT_BRANCH}

steps:
  binary:
    image: docker.io/clux/muslrust:stable
    commands:
      - apt-get -qq update && apt-get install -yqq --no-install-recommends libpq-dev
      - make build

  executable:
    image: docker.io/alpine
    commands:
      - src/target/x86_64-unknown-linux-musl/release/vaultwarden --help
      - src/target/x86_64-unknown-linux-musl/release/vaultwarden --version

  security-build:
    image: quay.io/thegeeklab/wp-docker-buildx:1
    settings:
      containerfile: Containerfile
      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      repo: thegeeklab/${CI_REPO_NAME}

  security-scan:
    image: ghcr.io/aquasecurity/trivy
    commands:
      - trivy -v
      - trivy image --input oci/${CI_REPO_NAME}
    environment:
      TRIVY_EXIT_CODE: "1"
      TRIVY_IGNORE_UNFIXED: "true"
      TRIVY_NO_PROGRESS: "true"
      TRIVY_SEVERITY: HIGH,CRITICAL
      TRIVY_TIMEOUT: 1m
      TRIVY_SKIP_FILES: /usr/local/bin/gomplate

  publish-dockerhub:
    group: container
    image: quay.io/thegeeklab/wp-docker-buildx:1
    settings:
      auto_tag: true
      containerfile: Containerfile
      password:
        from_secret: docker_password
      provenance: false
      repo: thegeeklab/${CI_REPO_NAME}
      username:
        from_secret: docker_username
    when:
      - event: [tag]
      - event: [push, manual]
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}

  publish-quay:
    group: container
    image: quay.io/thegeeklab/wp-docker-buildx:1
    settings:
      auto_tag: true
      containerfile: Containerfile
      password:
        from_secret: quay_password
      provenance: false
      registry: quay.io
      repo: quay.io/thegeeklab/${CI_REPO_NAME}
      username:
        from_secret: quay_username
    when:
      - event: [tag]
      - event: [push, manual]
        branch:
          - ${CI_REPO_DEFAULT_BRANCH}