.gitlab-ci.yml

default:
  image: '${DOCKER_CICD_REPO}/ci-container/debian-bookworm:3.5.0'

variables:
  WIN_2019_BASE_IMAGE: mcr.microsoft.com/windows/servercore:ltsc2019
  WIN_2022_BASE_IMAGE: mcr.microsoft.com/windows/servercore:ltsc2022

stages:
  - update-deps
  - sast-oss-scan
  - build
  - sign-binaries
  - package
  - sign-packages
  - release
  - docker-manifest-release
  - xray-scan
  - github-release

include:
  - project: 'prodsec/scp-scanning/gitlab-checkmarx'
    ref: latest
    file: '/templates/.sast_scan.yml'
  - project: 'ci-cd/templates'
    ref: master
    file:
      - '/prodsec/.oss-scan.yml'
      - '/prodsec/.binary-scan.yml'
      - '/prodsec/.container-scan.yml'
  - project: 'core-ee/signing/api-integration'
    ref: develop
    file: '/templates/.sign-client.yml'

semgrep:
  stage: sast-oss-scan
  extends: .sast_scan
  retry: 2
  variables:
    SAST_SCANNER: "Semgrep"
    SEMGREP_EXCLUDE: "examples,tests,*_test.go,cmd/otelcol/Dockerfile.windows,deployments/ansible/molecule"
    alert_mode: "policy"
  after_script:
    - echo "Check results at $CI_PIPELINE_URL/security"
  only:
    - main
    - schedules
  needs: []
  dependencies: []

fossa:
  extends: .oss-scan
  stage: sast-oss-scan
  only:
    - main
    - schedules
  needs: []
  dependencies: []
  variables:
    jira_automation: "true"
  # allow_failure: false

.docker-reader-role: &docker-reader-role |
  creds-helper init
  eval $(creds-helper docker --eval "artifactory:v2/cloud/role/docker-reader-role")

.docker-releaser-role: &docker-releaser-role |
  creds-helper init
  eval $(creds-helper docker --eval "artifactory:v2/cloud/role/docker-releaser-role")

.docker-test-releaser-role: &docker-test-releaser-role |
  creds-helper init
  eval $(creds-helper docker --eval "artifactory:v2/cloud/role/docker-test-releaser-role")

.generic-releaser-role: &generic-releaser-role |
  creds-helper init
  eval $(creds-helper artifactory --eval "artifactory:v2/cloud/role/generic-releaser-role")

.generic-test-releaser-role: &generic-test-releaser-role |
  creds-helper init
  eval $(creds-helper artifactory --eval "artifactory:v2/cloud/role/generic-test-releaser-role")

.sign-docker:
  extends: .trigger-filter
  retry: 2
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud:
        - $CICD_VAULT_ADDR
        - $SIGNING_PRD_URL
  script:
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - echo "listing images to be signed"
    - cat tags_to_sign
    - cat tags_to_sign | xargs -L1 artifact-ci sign docker

.get-artifactory-stage: &get-artifactory-stage
  - |
    set -ex
    export STAGE="test"
    if [[ "${CI_COMMIT_TAG:-}" =~ beta ]]; then
      export STAGE="beta"
    elif [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      export STAGE="release"
    fi

.aws-releaser-role: &aws-releaser-role |
  creds-helper init
  eval $(creds-helper aws --eval "aws:v1/o11y-infra/role/o11y_gdi_otel_releaser_role")

.trigger-filter:
  only:
    variables:
      - $CI_COMMIT_BRANCH == "main"
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules

.deploy-release:
  image: '${DOCKER_CICD_REPO}/ci-container/python-3.12-bookworm:3.5.0'
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key:
      files:
        - packaging/release/requirements.txt
    paths:
      - .cache/pip
  retry: 2
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *get-artifactory-stage
    - *aws-releaser-role
    - pip3 install -r packaging/release/requirements.txt
    - |
      if [ -n "${PATHS:-}" ]; then
        for path in $PATHS; do
          if [ ! -f "$path" ]; then
            echo "$path not found!"
            exit 1
          fi
          python3 packaging/release/release.py --force --stage=${STAGE} --path=$path ${OPTIONS:-}
        done
      elif [ -n "${INSTALLERS:-}" ]; then
        python3 packaging/release/release.py --force --installers ${OPTIONS:-}
      else
        echo "Either the PATHS or INSTALLERS env var must be defined!" >&2
        exit 1
      fi

.go-cache:
  image: '${DOCKER_HUB_REPO}/golang:1.22.7'
  variables:
    GOPATH: "$CI_PROJECT_DIR/.go"
  before_script:
    - mkdir -p $GOPATH
    - make install-tools
    - export PATH=$GOPATH/bin:$PATH
  cache:
    key:
      files:
        - go.mod
        - go.sum
    paths:
      - .go/pkg/mod
      - .go/bin

# Upload deb/rpm package for the main branch to the generic-test artifactory repo for xray scanning
.xray-publish-package: &xray-publish-package
  - if [[ ! "${PKG_TYPE:-}" =~ ^deb|rpm$ ]]; then exit 0; fi
  - if [ "$CI_COMMIT_BRANCH" != "main" ]; then touch xray_artifact_path; exit 0; fi
  - *generic-test-releaser-role
  - package=$(find ./dist -name "*.${PKG_TYPE}")
  - if [[ -z "$package" || ! -f "$package" ]]; then echo "Failed to find $PKG_TYPE package"; exit 1; fi
  - target="splunk-otel-collector/${CI_COMMIT_SHA}/$(basename $package)"
  - artifact-ci publish generic -o $package generic-test/${target}
  - |
    # Xray needs the local repo path to the artifact.
    # Determine the local repo after uploading to the virtual repo.
    local_repo=""
    for repo in "generic-test-east-local" "generic-test-west-local"; do
      if curl -LIf -u $ARTIFACTORY_AUTHORIZATION ${ARTIFACTORY_BASE_URL}/${repo}/${target}; then
        local_repo=$repo
        break
      fi
    done
    if [ -z "$local_repo" ]; then
      echo "Failed to determine local repo for $target"
      exit 1
    fi
  - echo "${ARTIFACTORY_BASE_URL}/${local_repo}/${target}" | tee xray_artifact_path

.xray-scan-package:
  rules:
    - if: $CI_PIPELINE_SOURCE == "schedule"
      when: never
    - if: $CI_COMMIT_BRANCH == "main"
  extends: .binary-scan
  stage: xray-scan
  variables:
    create_jira: "true"
  before_script:
    - export ARTIFACT_PATH=$(cat xray_artifact_path)
    - echo $ARTIFACT_PATH

update-otel-deps:
  only:
    - schedules
  extends: .go-cache
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-otel-deps.sh latest create-pull-request/update-deps

update-otel-deps-nightly:
  only:
    - schedules
  extends: .go-cache
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-otel-deps.sh main create-pull-request/update-deps-nightly

update-openjdk:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-openjdk.sh

update-javaagent:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-javaagent.sh

update-jmx-metrics-gatherer:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-jmx-metrics-gatherer.sh

update-nodejs-agent:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-nodejs-agent.sh

update-dotnet-agent:
  only:
    - schedules
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/update-dotnet-agent.sh

tidy-dependabot-pr:
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^dependabot\/go_modules\/.*/ && $CI_COMMIT_AUTHOR =~ /^dependabot.*/
  extends: .go-cache
  stage: update-deps
  needs: []
  dependencies: []
  script:
    - .gitlab/install-gh-cli.sh
    - .gitlab/tidy-dependabot-pr.sh

compile:
  extends:
    - .trigger-filter
    - .go-cache
  stage: build
  needs: []
  parallel:
    matrix:
      - TARGET: [binaries-darwin_amd64, binaries-darwin_arm64, binaries-linux_amd64, binaries-linux_arm64, binaries-windows_amd64, binaries-linux_ppc64le]
  script:
    - |
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        make $TARGET VERSION=${CI_COMMIT_TAG}
      else
        make $TARGET
      fi
  after_script:
    - if [ -e bin/otelcol ]; then rm -f bin/otelcol; fi  # remove the symlink
    - if [ -e bin/migratecheckpoint ]; then rm -f bin/migratecheckpoint; fi  # remove the symlink
  artifacts:
    paths:
      - bin/otelcol_*
      - bin/migratecheckpoint_*

otelcol-fips:
  image: '${DOCKER_CICD_REPO}/ci-container/golang-1.22:3.5.0'
  extends:
    - .trigger-filter
  stage: build
  needs: []
  parallel:
    matrix:
      - GOOS: linux
        GOARCH: amd64
        TAG: main
      - GOOS: linux
        GOARCH: arm64
        TAG: arm
      - GOOS: windows
        GOARCH: amd64
        TAG: main
  tags:
    - $TAG
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *docker-reader-role
    - |
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        make otelcol-fips VERSION=${CI_COMMIT_TAG} DOCKER_REPO=${DOCKER_HUB_REPO}
      else
        make otelcol-fips DOCKER_REPO=${DOCKER_HUB_REPO}
      fi
  artifacts:
    paths:
      - bin/otelcol-fips_*

libsplunk:
  extends: .trigger-filter
  stage: build
  needs: []
  retry: 2
  parallel:
    matrix:
      - ARCH: ["amd64", "arm64"]
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *docker-reader-role
    - make -C instrumentation dist ARCH=${ARCH} DOCKER_REPO=${DOCKER_HUB_REPO}
  artifacts:
    paths:
      - instrumentation/dist/libsplunk_*.so

agent-bundle-linux:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
    - if: $CI_PIPELINE_SOURCE == "schedule"
  stage: build
  needs: []
  retry: 2
  resource_group: agent-bundle-linux-${ARCH}
  parallel:
    matrix:
      - ARCH: amd64
        TAG: main
      - ARCH: arm64
        TAG: arm
  tags:
    - $TAG
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *docker-reader-role
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - PUSH_CACHE=yes make -C packaging/bundle agent-bundle-linux ARCH=${ARCH} DOCKER_REPO=${DOCKER_HUB_REPO}
  artifacts:
    paths:
      - dist/agent-bundle_linux_${ARCH}.tar.gz

agent-bundle-windows:
  extends: .trigger-filter
  stage: build
  needs: []
  tags:
    - splunk-otel-collector-windows
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key:
      files:
        - packaging/bundle/collectd-plugins.yaml
        - packaging/bundle/scripts/requirements.txt
    paths:
      - .cache/pip
  script:
    - ./packaging/bundle/scripts/windows/make.ps1 bundle
  artifacts:
    paths:
      - dist/agent-bundle_windows_amd64.zip

.instrumentation-deb-rpm:
  extends: .trigger-filter
  stage: package
  needs:
    - libsplunk
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  before_script:
    - ./instrumentation/packaging/fpm/install-deps.sh
  script:
    - ./instrumentation/packaging/fpm/${PKG_TYPE}/build.sh "${CI_COMMIT_TAG:-}" "$ARCH" "./dist"
    - *xray-publish-package

instrumentation-deb:
  extends: .instrumentation-deb-rpm
  variables:
    PKG_TYPE: deb
  artifacts:
    paths:
      - dist/*.deb
      - xray_artifact_path

xray-instrumentation-deb:
  extends: .xray-scan-package
  needs:
    - instrumentation-deb
  parallel:
    matrix:
      - ARCH: [amd64, arm64]

instrumentation-rpm:
  extends: .instrumentation-deb-rpm
  variables:
    PKG_TYPE: rpm
  artifacts:
    paths:
      - dist/*.rpm
      - xray_artifact_path

xray-instrumentation-rpm:
  extends: .xray-scan-package
  needs:
    - instrumentation-rpm
  parallel:
    matrix:
      - ARCH: [amd64, arm64]

sign-exe:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-binaries
  retry: 2
  needs:
    - compile
    - otelcol-fips
  parallel:
    matrix:
      - TARGET: [otelcol, otelcol-fips]
  variables:
    ARTIFACT: bin/${TARGET}_windows_amd64.exe
    SIGN_TYPE: WIN
    DOWNLOAD_DIR: dist/signed
  artifacts:
    paths:
      - dist/signed/${TARGET}_windows_amd64.exe

sign-osx:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-binaries
  retry: 2
  needs:
    - compile
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  variables:
    ARTIFACT: bin/packages.tar.gz
    SIGN_TYPE: OSX
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - mkdir -p dist
    - pushd bin && tar -czvf packages.tar.gz otelcol_darwin_${ARCH} && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/otelcol_darwin_${ARCH}

.build-tar-deb-rpm:
  stage: package
  needs:
    - compile
    - agent-bundle-linux
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  before_script:
    - ./packaging/fpm/install-deps.sh
  script:
    - ./packaging/fpm/${PKG_TYPE}/build.sh "${CI_COMMIT_TAG:-}" "$ARCH" "./dist"
    - *xray-publish-package

build-deb:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: deb
  artifacts:
    paths:
      - dist/*.deb
      - xray_artifact_path

xray-collector-deb:
  extends: .xray-scan-package
  needs:
    - build-deb
  parallel:
    matrix:
      - ARCH: [amd64, arm64]

build-rpm:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: rpm
  artifacts:
    paths:
      - dist/*.rpm
      - xray_artifact_path

xray-collector-rpm:
  extends: .xray-scan-package
  needs:
    - build-rpm
  parallel:
    matrix:
      - ARCH: [amd64, arm64]

build-tar:
  extends:
    - .trigger-filter
    - .build-tar-deb-rpm
  variables:
    PKG_TYPE: tar
  artifacts:
    paths:
      - dist/splunk-otel-collector*.tar.gz

build-msi:
  extends: .trigger-filter
  stage: package
  needs:
    - sign-exe
    - agent-bundle-windows
    - msi-custom-actions-package
  before_script:
    # build the MSI with the signed exe
    - mkdir -p bin
    - cp -f dist/signed/otelcol_windows_amd64.exe bin/otelcol_windows_amd64.exe
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *docker-reader-role
    - make msi SKIP_COMPILE=true VERSION=${CI_COMMIT_TAG:-} DOCKER_REPO=${DOCKER_HUB_REPO}
  artifacts:
    paths:
      - dist/*.msi

msi-custom-actions-package:
  extends: .trigger-filter
  stage: package
  needs:
    - job: msi-custom-actions-assemblies
      artifacts: true
  tags:
    - splunk-otel-collector-windows
  script:
    - $WixPath = "${Env:ProgramFiles(x86)}\WiX Toolset v3.14"
    - $sfxcaDll = "${WixPath}\SDK\x64\sfxca.dll"
    - $Env:PATH = "${WixPath}\SDK;" + $Env:PATH
    - $customActionDir = "${PWD}\packaging\msi\SplunkCustomActions"
    - $customActionBinDir = "${customActionDir}\bin\Release"
    - MakeSfxCA.exe "${customActionBinDir}\SplunkCustomActions.CA.dll" `
      "${sfxcaDll}" `
      "${customActionBinDir}\SplunkCustomActions.dll" `
      "${customActionBinDir}\Microsoft.Deployment.WindowsInstaller.dll" `
      "${customActionDir}\src\CustomAction.config"
  artifacts:
    paths:
      - packaging/msi/SplunkCustomActions/bin/Release/SplunkCustomActions.CA.dll

msi-custom-actions-assemblies:
  extends: .trigger-filter
  image: 'mcr.microsoft.com/dotnet/sdk:8.0'
  stage: package
  needs: []
  dependencies: []
  script:
    - pushd ./packaging/msi/SplunkCustomActions/
    - dotnet publish ./src/SplunkCustomActions.csproj -c Release -o ./bin/Release
    - popd
  artifacts:
    name: msi-custom-actions-assemblies
    paths:
      - packaging/msi/SplunkCustomActions/bin/Release/*

sign-debs:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-deb
    - instrumentation-deb
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: DEB
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.deb && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.deb

sign-rpms:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-rpm
    - instrumentation-rpm
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: RPM
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.rpm && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.rpm

sign-tar:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-tar
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: GPG
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz splunk-otel-collector*.tar.gz && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - mv dist/splunk-otel-collector*.tar.gz dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.tar.gz
      - dist/signed/*.tar.gz.asc

sign-msi:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - build-msi
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: WIN
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.msi && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.msi

sign-agent-bundles:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  needs:
    - agent-bundle-linux
    - agent-bundle-windows
  variables:
    ARTIFACT: dist/packages.tar.gz
    SIGN_TYPE: GPG
    OPTIONS: archive
    DOWNLOAD_DIR: dist/signed
  before_script:
    - pushd dist && tar -czvf packages.tar.gz *.tar.gz *.zip && popd
  after_script:
    - tar -xzvf dist/signed/packages.tar.gz -C dist/signed/
    - mv dist/*.tar.gz dist/signed/
    - mv dist/*.zip dist/signed/
    - rm dist/signed/packages.tar.gz
  artifacts:
    paths:
      - dist/signed/*.tar.gz
      - dist/signed/*.tar.gz.asc
      - dist/signed/*.zip
      - dist/signed/*.zip.asc

sign-ps-installer:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: sign-packages
  retry: 2
  dependencies: []
  variables:
    ARTIFACT: dist/install.ps1
    SIGN_TYPE: WIN
    DOWNLOAD_DIR: dist/signed
  before_script:
    - mkdir -p dist
    - cp packaging/installer/install.ps1 dist/install.ps1
  artifacts:
    paths:
      - dist/install.ps1
      - dist/signed/install.ps1

verify-signed-packages:
  extends: .trigger-filter
  stage: sign-packages
  needs:
    - build-deb
    - build-rpm
    - build-msi
    - build-tar
    - instrumentation-deb
    - instrumentation-rpm
    - sign-debs
    - sign-rpms
    - sign-msi
    - sign-tar
    - agent-bundle-linux
    - agent-bundle-windows
    - sign-agent-bundles
    - sign-ps-installer
  script:
    - |
      set -ex
      for pkg in dist/*.rpm dist/*.deb dist/*.msi dist/*.tar.gz dist/*.zip dist/install.ps1; do
        if [[ ! -f dist/signed/$(basename $pkg) ]]; then
          echo "$pkg was not signed!" >&2
          exit 1
        fi
        if [[ "${pkg##*.}" =~ gz|zip ]] && [[ ! -f dist/signed/$(basename $pkg).asc ]]; then
          echo "$pkg was not signed!" >&2
          exit 1
        fi
      done

build-push-linux-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - compile
    - agent-bundle-linux
  retry: 2
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *docker-reader-role
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - |
      # Set env vars
      set -e
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector"
        IMAGE_TAG=${CI_COMMIT_TAG#v}
      else
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector-dev"
        IMAGE_TAG=${CI_COMMIT_SHA}
      fi
      LATEST_TAG=""
      if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        # Only push latest tag for main and stable releases
        LATEST_TAG="latest"
      fi
    - echo "Building and pushing ${IMAGE_NAME}:${IMAGE_TAG}"
    - make docker-otelcol ARCH=amd64,arm64,ppc64le DOCKER_REPO=${DOCKER_HUB_REPO} IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} SKIP_COMPILE=true SKIP_BUNDLE=true PUSH=true
    - |
      # DEPRECATED: Push manifests for each arch
      set -eo pipefail
      json=$( docker buildx imagetools inspect --raw ${IMAGE_NAME}:${IMAGE_TAG} )
      for arch in "amd64" "arm64" "ppc64le"; do
        arch_tag="${IMAGE_TAG}-${arch}"
        echo "Creating and pushing ${IMAGE_NAME}:${arch_tag} manifest"
        echo "$json" | jq -r ".manifests[] | select(.platform.architecture == \"${arch}\" and .platform.os == \"linux\")" | tee ${arch}.json
        docker buildx imagetools create --tag ${IMAGE_NAME}:${arch_tag} --file ${arch}.json
        if [[ -n "$LATEST_TAG" ]]; then
          latest_tag="${LATEST_TAG}-${arch}"
          echo "Creating and pushing ${IMAGE_NAME}:${latest_tag} manifest"
          docker buildx imagetools create --tag ${IMAGE_NAME}:${latest_tag} ${IMAGE_NAME}:${arch_tag}
        fi
        echo "${IMAGE_NAME}:${arch_tag}" > tags_to_sign_${arch}
      done
  artifacts:
    paths:
      - tags_to_sign_*

build-push-linux-fips-image:
  extends: .trigger-filter
  stage: release
  dependencies:
    - otelcol-fips
  retry: 2
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - *docker-reader-role
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - |
      # Set env vars
      set -e
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector-fips"
        IMAGE_TAG=${CI_COMMIT_TAG#v}
      else
        IMAGE_NAME="quay.io/signalfx/splunk-otel-collector-fips-dev"
        IMAGE_TAG=${CI_COMMIT_SHA}
      fi
      LATEST_TAG=""
      if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        # Only push latest tag for main and stable releases
        LATEST_TAG="latest"
      fi
    - echo "Building and pushing ${IMAGE_NAME}:${IMAGE_TAG}"
    - make docker-otelcol FIPS=true ARCH=amd64,arm64 DOCKER_REPO=${DOCKER_HUB_REPO} IMAGE_NAME=${IMAGE_NAME} IMAGE_TAG=${IMAGE_TAG} SKIP_COMPILE=true SKIP_BUNDLE=true PUSH=true
    - |
      # DEPRECATED: Push manifests for each arch
      set -eo pipefail
      json=$( docker buildx imagetools inspect --raw ${IMAGE_NAME}:${IMAGE_TAG} )
      for arch in "amd64" "arm64"; do
        arch_tag="${IMAGE_TAG}-${arch}"
        echo "Creating and pushing ${IMAGE_NAME}:${arch_tag} manifest"
        echo "$json" | jq -r ".manifests[] | select(.platform.architecture == \"${arch}\" and .platform.os == \"linux\")" | tee ${arch}.json
        docker buildx imagetools create --tag ${IMAGE_NAME}:${arch_tag} --file ${arch}.json
        if [[ -n "$LATEST_TAG" ]]; then
          latest_tag="${LATEST_TAG}-${arch}"
          echo "Creating and pushing ${IMAGE_NAME}:${latest_tag} manifest"
          docker buildx imagetools create --tag ${IMAGE_NAME}:${latest_tag} ${IMAGE_NAME}:${arch_tag}
        fi
        echo "${IMAGE_NAME}:${arch_tag}" > tags_to_sign_${arch}
      done
  artifacts:
    paths:
      - tags_to_sign_*

sign-linux-image-fips:
  extends: .sign-docker
  stage: release
  parallel:
    matrix:
      - ARCH: [amd64, arm64]
  needs:
    - build-push-linux-fips-image
  before_script:
    - mv tags_to_sign_${ARCH} tags_to_sign

sign-linux-image:
  extends: .sign-docker
  stage: release
  parallel:
    matrix:
      - ARCH: [amd64, arm64, ppc64le]
  needs:
    - build-push-linux-image
  before_script:
    - mv tags_to_sign_${ARCH} tags_to_sign

build-push-windows-image:
  extends: .trigger-filter
  stage: release
  parallel:
    matrix:
      - WIN_VERSION: ["2019", "2022"]
  dependencies:
    - sign-exe
    - agent-bundle-windows
  tags:
    - splunk-otel-collector-windows${WIN_VERSION}
  retry: 2
  variables:
    ErrorActionPreference: stop
  before_script:
    - Copy-Item .\dist\signed\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
    - Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip
    - &get-base-image |
      if ($env:WIN_VERSION -eq "2019") {
        $BASE_IMAGE = $env:WIN_2019_BASE_IMAGE
      } else {
        $BASE_IMAGE = $env:WIN_2022_BASE_IMAGE
      }
    - |
      docker pull $BASE_IMAGE
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - &delete-all-images-except-base |
      # Delete all images except the base image
      $base_id = $(docker images -q $BASE_IMAGE)
      foreach ($id in $(docker images -a -q | Get-Unique)) {
        if ($id -ne $base_id) {
          docker rmi -f $id
        }
      }
    - docker system prune --force
  script:
    - |
      docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      # Set env vars
      if ($env:CI_COMMIT_TAG) {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector"
        $OLD_IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows"
        $tagNumber = $env:CI_COMMIT_TAG.TrimStart("v")
        $IMAGE_TAG = "${tagNumber}-${env:WIN_VERSION}"
      } else {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-dev"
        $OLD_IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-windows-dev"
        $IMAGE_TAG = "${env:CI_COMMIT_SHA}-${env:WIN_VERSION}"
      }
      $LATEST_TAG = ""
      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        # Only push latest tag for main and stable releases
        $LATEST_TAG = "latest-${env:WIN_VERSION}"
      }
    - $JMX_METRIC_GATHERER_RELEASE = $(Get-Content packaging\jmx-metric-gatherer-release.txt)
    - |
      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} --build-arg JMX_METRIC_GATHERER_RELEASE=${JMX_METRIC_GATHERER_RELEASE} -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
      docker push ${IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      # DEPRECATED: Push image to the windows repo
      echo "Tagging and pushing ${OLD_IMAGE_NAME}:${IMAGE_TAG}"
      docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker push ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      echo "Getting os.version from ${BASE_IMAGE}"
      $os_version = (docker manifest inspect $BASE_IMAGE | ConvertFrom-Json).manifests[0].platform."os.version"
      if ($LASTEXITCODE -ne 0) { exit 1 }
      echo "$os_version"
    - |
      echo "Creating and pushing ${IMAGE_NAME}:${IMAGE_TAG} manifest"
      docker manifest rm ${IMAGE_NAME}:${IMAGE_TAG}
      docker manifest create ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest push ${IMAGE_NAME}:${IMAGE_TAG} --purge
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      # DEPRECATED: Push manifest to the windows repo
      echo "Creating and pushing ${OLD_IMAGE_NAME}:${IMAGE_TAG} manifest"
      docker manifest rm ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      docker manifest create ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest push ${OLD_IMAGE_NAME}:${IMAGE_TAG} --purge
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      if ($LATEST_TAG) {
        echo "Tagging and pushing ${IMAGE_NAME}:${LATEST_TAG}"
        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker push ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        echo "Creating and pushing ${IMAGE_NAME}:${LATEST_TAG} manifest"
        docker manifest rm ${IMAGE_NAME}:${LATEST_TAG}
        docker manifest create ${IMAGE_NAME}:${LATEST_TAG} ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${IMAGE_NAME}:${LATEST_TAG} ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest push ${IMAGE_NAME}:${LATEST_TAG} --purge
        if ($LASTEXITCODE -ne 0) { exit 1 }
      }
    - |
      # DEPRECATED: Push latest tag to the windows repo
      if ($LATEST_TAG) {
        echo "Tagging and pushing ${OLD_IMAGE_NAME}:${LATEST_TAG}"
        docker tag ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker push ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        echo "Creating and pushing ${OLD_IMAGE_NAME}:${LATEST_TAG} manifest"
        docker manifest rm ${OLD_IMAGE_NAME}:${LATEST_TAG}
        docker manifest create ${OLD_IMAGE_NAME}:${LATEST_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${OLD_IMAGE_NAME}:${LATEST_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest push ${OLD_IMAGE_NAME}:${LATEST_TAG} --purge
        if ($LASTEXITCODE -ne 0) { exit 1 }
      }
    - echo "${IMAGE_NAME}:${IMAGE_TAG}" > tags
    - echo "${OLD_IMAGE_NAME}:${IMAGE_TAG}" >> tags
    - (Get-Content -Raw -Path tags) -replace "`r`n", "`n"| Set-Content -NoNewline tags_to_sign_${env:WIN_VERSION}
  after_script:
    - *get-base-image
    - *delete-all-images-except-base
    - docker system prune --force
    - |
      if (Test-Path -Path C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe) {
        C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe -remove
      }
  artifacts:
    paths:
      - tags_to_sign_${WIN_VERSION}

build-push-windows-fips-image:
  extends: .trigger-filter
  stage: release
  parallel:
    matrix:
      - WIN_VERSION: ["2019", "2022"]
  dependencies:
    - sign-exe
  tags:
    - splunk-otel-collector-windows${WIN_VERSION}
  retry: 2
  variables:
    ErrorActionPreference: stop
  before_script:
    - New-Item -Type dir .\cmd\otelcol\fips\dist
    - Copy-Item .\dist\signed\otelcol-fips_windows_amd64.exe .\cmd\otelcol\fips\dist\otelcol-fips_windows_amd64.exe
    - &get-base-image |
      if ($env:WIN_VERSION -eq "2019") {
        $BASE_IMAGE = $env:WIN_2019_BASE_IMAGE
      } else {
        $BASE_IMAGE = $env:WIN_2022_BASE_IMAGE
      }
    - |
      docker pull $BASE_IMAGE
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - &delete-all-images-except-base |
      # Delete all images except the base image
      $base_id = $(docker images -q $BASE_IMAGE)
      foreach ($id in $(docker images -a -q | Get-Unique)) {
        if ($id -ne $base_id) {
          docker rmi -f $id
        }
      }
    - docker system prune --force
  script:
    - |
      docker login -u $env:CIRCLECI_QUAY_USERNAME -p $env:CIRCLECI_QUAY_PASSWORD quay.io
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      # Set env vars
      if ($env:CI_COMMIT_TAG) {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips"
        $OLD_IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips-windows"
        $tagNumber = $env:CI_COMMIT_TAG.TrimStart("v")
        $IMAGE_TAG = "${tagNumber}-${env:WIN_VERSION}"
      } else {
        $IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips-dev"
        $OLD_IMAGE_NAME = "quay.io/signalfx/splunk-otel-collector-fips-windows-dev"
        $IMAGE_TAG = "${env:CI_COMMIT_SHA}-${env:WIN_VERSION}"
      }
      $LATEST_TAG = ""
      if ($env:CI_COMMIT_BRANCH -eq "main" -or $env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        # Only push latest tag for main and stable releases
        $LATEST_TAG = "latest-${env:WIN_VERSION}"
      }
    - $JMX_METRIC_GATHERER_RELEASE = $(Get-Content packaging\jmx-metric-gatherer-release.txt)
    - |
      echo "Building ${IMAGE_NAME}:${IMAGE_TAG}"
      docker build -t ${IMAGE_NAME}:${IMAGE_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} --build-arg JMX_METRIC_GATHERER_RELEASE=${JMX_METRIC_GATHERER_RELEASE} -f .\cmd\otelcol\fips\Dockerfile.windows .\cmd\otelcol\fips
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      echo "Pushing ${IMAGE_NAME}:${IMAGE_TAG}"
      docker push ${IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      # DEPRECATED: Push image to the windows repo
      echo "Tagging and pushing ${OLD_IMAGE_NAME}:${IMAGE_TAG}"
      docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker push ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      echo "Getting os.version from ${BASE_IMAGE}"
      $os_version = (docker manifest inspect $BASE_IMAGE | ConvertFrom-Json).manifests[0].platform."os.version"
      if ($LASTEXITCODE -ne 0) { exit 1 }
      echo "$os_version"
    - |
      echo "Creating and pushing ${IMAGE_NAME}:${IMAGE_TAG} manifest"
      docker manifest rm ${IMAGE_NAME}:${IMAGE_TAG}
      docker manifest create ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest push ${IMAGE_NAME}:${IMAGE_TAG} --purge
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      # DEPRECATED: Push manifest to the windows repo
      echo "Creating and pushing ${OLD_IMAGE_NAME}:${IMAGE_TAG} manifest"
      docker manifest rm ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      docker manifest create ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${IMAGE_TAG}
      if ($LASTEXITCODE -ne 0) { exit 1 }
      docker manifest push ${OLD_IMAGE_NAME}:${IMAGE_TAG} --purge
      if ($LASTEXITCODE -ne 0) { exit 1 }
    - |
      if ($LATEST_TAG) {
        echo "Tagging and pushing ${IMAGE_NAME}:${LATEST_TAG}"
        docker tag ${IMAGE_NAME}:${IMAGE_TAG} ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker push ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        echo "Creating and pushing ${IMAGE_NAME}:${LATEST_TAG} manifest"
        docker manifest rm ${IMAGE_NAME}:${LATEST_TAG}
        docker manifest create ${IMAGE_NAME}:${LATEST_TAG} ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${IMAGE_NAME}:${LATEST_TAG} ${IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest push ${IMAGE_NAME}:${LATEST_TAG} --purge
        if ($LASTEXITCODE -ne 0) { exit 1 }
      }
    - |
      # DEPRECATED: Push latest tag to the windows repo
      if ($LATEST_TAG) {
        echo "Tagging and pushing ${OLD_IMAGE_NAME}:${LATEST_TAG}"
        docker tag ${OLD_IMAGE_NAME}:${IMAGE_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker push ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        echo "Creating and pushing ${OLD_IMAGE_NAME}:${LATEST_TAG} manifest"
        docker manifest rm ${OLD_IMAGE_NAME}:${LATEST_TAG}
        docker manifest create ${OLD_IMAGE_NAME}:${LATEST_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest annotate --os "windows" --arch "amd64" --os-version ${os_version} ${OLD_IMAGE_NAME}:${LATEST_TAG} ${OLD_IMAGE_NAME}:${LATEST_TAG}
        if ($LASTEXITCODE -ne 0) { exit 1 }
        docker manifest push ${OLD_IMAGE_NAME}:${LATEST_TAG} --purge
        if ($LASTEXITCODE -ne 0) { exit 1 }
      }
    - echo "${IMAGE_NAME}:${IMAGE_TAG}" > tags
    - echo "${OLD_IMAGE_NAME}:${IMAGE_TAG}" >> tags
    - (Get-Content -Raw -Path tags) -replace "`r`n", "`n"| Set-Content -NoNewline tags_to_sign_${env:WIN_VERSION}-fips
  after_script:
    - *get-base-image
    - *delete-all-images-except-base
    - docker system prune --force
    - |
      if (Test-Path -Path C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe) {
        C:\Users\Administrator\Desktop\ops-scripts\docker-leak-check.exe -remove
      }
  artifacts:
    paths:
      - tags_to_sign_${WIN_VERSION}-fips

sign-windows-image:
  extends: .sign-docker
  stage: release
  parallel:
    matrix:
      - WIN_VERSION: ["2019", "2022"]
        FIPS: ["-fips", ""]
  needs:
    - build-push-windows-image
    - build-push-windows-fips-image
  before_script:
    - mv tags_to_sign_${WIN_VERSION}${FIPS} tags_to_sign

release-debs:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: release
  resource_group: artifactory-deb
  dependencies:
    - sign-debs
  retry: 2
  before_script:
    - *get-artifactory-stage
    - pip3 install -r packaging/release/requirements.txt
    - apt update && apt install -y curl
    - |
      set -ex
      for path in dist/signed/*.deb; do
        if [ ! -f "$path" ]; then
          echo "$path not found!"
          exit 1
        fi
        python3 packaging/release/release.py --force --stage=${STAGE} --path=$path
      done
    - test -f Release
  variables:
    ARTIFACT: Release
    SIGN_TYPE: GPG
  after_script:
    - *get-artifactory-stage
    - |
      set -ex
      if [[ "$CI_JOB_STATUS" = "success" ]] && [[ -f signed/Release.asc ]]; then
        curl -fu ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_TOKEN} -X PUT "https://splunk.jfrog.io/artifactory/otel-collector-deb/dists/${STAGE}/Release.gpg" -T signed/Release.asc
      fi
  artifacts:
    paths:
      - dist/signed/*.deb
      - signed/Release.asc

release-rpms:
  extends:
    - .trigger-filter
    - .submit-signing-request
  stage: release
  parallel:
    matrix:
      - ARCH: ['x86_64', 'aarch64']
  resource_group: artifactory-rpm
  dependencies:
    - sign-rpms
  retry: 2
  before_script:
    - *get-artifactory-stage
    - pip3 install -r packaging/release/requirements.txt
    - apt update && apt install -y curl
    - |
      set -ex
      for path in dist/signed/*${ARCH}.rpm; do
        if [ ! -f "$path" ]; then
          echo "$path not found!"
          exit 1
        fi
        python3 packaging/release/release.py --force --stage=${STAGE} --path=$path
      done
    - test -f repomd.xml
  variables:
    ARTIFACT: repomd.xml
    SIGN_TYPE: GPG
    DOWNLOAD_DIR: signed/${ARCH}
  after_script:
    - *get-artifactory-stage
    - |
      set -ex
      if [[ "$CI_JOB_STATUS" = "success" ]] && [[ -f signed/${ARCH}/repomd.xml.asc ]]; then
        curl -fu ${ARTIFACTORY_USERNAME}:${ARTIFACTORY_TOKEN} -X PUT "https://splunk.jfrog.io/artifactory/otel-collector-rpm/${STAGE}/${ARCH}/repodata/repomd.xml.asc" -T signed/${ARCH}/repomd.xml.asc
      fi
  artifacts:
    paths:
      - dist/signed/*${ARCH}.rpm
      - signed/${ARCH}/repomd.xml.asc

# since "after_script" failures or missing artifacts will not fail the job, use this job to verify that the signatures were uploaded successfully
verify-signed-metadata:
  extends: .trigger-filter
  stage: release
  needs:
    - release-debs
    - release-rpms
  retry: 2
  before_script:
    - apt update && apt install -y curl
  script:
    - *get-artifactory-stage
    - |
      set -exo pipefail
      curl -fq https://splunk.jfrog.io/artifactory/otel-collector-deb/dists/${STAGE}/Release.gpg | diff - signed/Release.asc
      curl -fq https://splunk.jfrog.io/artifactory/otel-collector-rpm/${STAGE}/x86_64/repodata/repomd.xml.asc | diff - signed/x86_64/repomd.xml.asc
      curl -fq https://splunk.jfrog.io/artifactory/otel-collector-rpm/${STAGE}/aarch64/repodata/repomd.xml.asc | diff - signed/aarch64/repomd.xml.asc

# only upload the msi to S3 for stable release tags
release-msi:
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  extends:
    - .deploy-release
  stage: release
  dependencies:
    - sign-msi
  variables:
    PATHS: dist/signed/*.msi

# only upload the installer scripts to S3 for stable release tags
release-installers:
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  extends:
    - .deploy-release
  stage: release
  dependencies:
    - sign-ps-installer
  variables:
    INSTALLERS: "true"
  before_script:
    - cp -f dist/signed/install.ps1 packaging/installer/install.ps1

choco-release:
  extends: .trigger-filter
  stage: release
  dependencies:
    - sign-msi
  tags:
    - splunk-otel-collector-windows
  script:
    - |
      $ErrorActionPreference = 'Stop'
      Set-PSDebug -Trace 1
      $msi_file_name = Resolve-Path .\dist\signed\splunk-otel-collector*.msi | Split-Path -leaf
      if ($msi_file_name -match '(\d+\.\d+\.\d+)(\.\d+)?') {
        $version = $matches[0]
      } else {
        throw "Failed to get version from $msi_file_name"
      }
      .\packaging\choco\make.ps1 build_choco -Version $version -BuildDir .\dist\signed
    - Test-Path .\dist\signed\splunk-otel-collector.${version}.nupkg
    - |
      # Only push the choco package for stable release tags
      if ($env:CI_COMMIT_TAG -match '^v\d+\.\d+\.\d+$') {
        choco push -k $env:CHOCO_TOKEN .\dist\signed\splunk-otel-collector.${version}.nupkg
      }
  artifacts:
    paths:
      - dist/signed/*.nupkg

push-multiarch-manifest:
  extends: .trigger-filter
  stage: docker-manifest-release
  parallel:
    matrix:
      - MANIFEST: [multiarch, windows_multiarch]
        FIPS: ["-fips",""]
  needs:
    - sign-linux-image
    - sign-windows-image
  retry: 2
  id_tokens:  # http://go/gitlab-17
    CI_JOB_JWT:
      aud: $CICD_VAULT_ADDR
  script:
    - docker login -u $CIRCLECI_QUAY_USERNAME -p $CIRCLECI_QUAY_PASSWORD quay.io
    - |
      # Set env vars
      if [[ -n "${CI_COMMIT_TAG:-}" ]]; then
        MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}"
        WIN_MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}-windows"
        MANIFEST_TAG=${CI_COMMIT_TAG#v}
      else
        MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}-dev"
        WIN_MANIFEST_NAME="quay.io/signalfx/splunk-otel-collector${FIPS}-windows-dev"
        MANIFEST_TAG=${CI_COMMIT_SHA}
      fi
      LATEST_TAG=""
      if [[ "${CI_COMMIT_BRANCH:-}" = "main" ]] || [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        # Only push latest manifest tag for main and stable releases
        LATEST_TAG="latest"
      fi
      if [[ "$MANIFEST" = "windows_multiarch" ]]; then
        MANIFEST_NAME=$WIN_MANIFEST_NAME
      fi
    - |
      set -e
      if [[ "$MANIFEST" = "multiarch" ]]; then
        # Update the linux multiarch manifest to include the windows images
        echo "Updating and pushing ${MANIFEST_NAME}:${MANIFEST_TAG} manifest"
        docker buildx imagetools create --tag ${MANIFEST_NAME}:${MANIFEST_TAG} \
          ${MANIFEST_NAME}:${MANIFEST_TAG} \
          ${MANIFEST_NAME}:${MANIFEST_TAG}-2019 \
          ${MANIFEST_NAME}:${MANIFEST_TAG}-2022
      else
        # DEPRECATED: Create the windows multiarch manifest for the windows images
        echo "Creating and pushing ${MANIFEST_NAME}:${MANIFEST_TAG} manifest"
        docker buildx imagetools create --tag ${MANIFEST_NAME}:${MANIFEST_TAG} \
          ${MANIFEST_NAME}:${MANIFEST_TAG}-2019 \
          ${MANIFEST_NAME}:${MANIFEST_TAG}-2022
      fi
    - |
      set -e
      if [[ -n "$LATEST_TAG" ]]; then
        echo "Creating and pushing ${MANIFEST_NAME}:${LATEST_TAG} manifest"
        docker buildx imagetools create --tag ${MANIFEST_NAME}:${LATEST_TAG} ${MANIFEST_NAME}:${MANIFEST_TAG}
      fi
    - |
      # Check the manifests
      set -eo pipefail
      for tag in $MANIFEST_TAG $LATEST_TAG; do
        json=$( docker buildx imagetools inspect --raw ${MANIFEST_NAME}:${tag} )
        echo "${MANIFEST_NAME}:${tag} manifest:"
        echo "$json"
        # Check number of images in the manifest
        count=$( echo "$json" | jq -r ".manifests | length" )
        if [[ "$MANIFEST" = "multiarch" && "$FIPS" == "" && $count -ne 5 ]]; then
          exit 1
        elif [[ "$MANIFEST" = "multiarch" && "$FIPS" == "-fips" && $count -ne 4 ]]; then
          exit 1
        elif [[ "$MANIFEST" = "windows_multiarch" && $count -ne 2 ]]; then
          exit 1
        fi
        # Check the manifest for the linux images
        if [[ "$MANIFEST" != "windows_multiarch" ]]; then
          for arch in "amd64" "arm64" "ppc64le"; do
            if [[ "$FIPS" != "" && "$arch" == "ppc64le" ]]; then
              continue
            fi
            found=$( echo "$json" | jq -r ".manifests[] | select(.platform.architecture == \"${arch}\" and .platform.os == \"linux\")" )
            if [[ -z "$found" ]]; then
              echo "linux/${arch} not found in ${MANIFEST_NAME}:${tag}"
              exit 1
            fi
          done
        fi
        # Check the manifest for the windows images
        for base_image in "$WIN_2019_BASE_IMAGE" "$WIN_2022_BASE_IMAGE"; do
          os_version=$( docker buildx imagetools inspect --raw $base_image | jq -r '.manifests[0] | .platform."os.version"' )
          if [[ -z "$os_version" ]]; then
            echo "Failed to get os.version from $base_image"
            exit 1
          fi
          found=$( echo "$json" | jq -r ".manifests[] | select(.platform.architecture == \"amd64\" and .platform.os == \"windows\" and .platform.\"os.version\" == \"${os_version}\")" )
          if [[ -z "$found" ]]; then
            echo "windows/amd64/${os_version} not found in ${MANIFEST_NAME}:${tag}"
            exit 1
          fi
        done
      done
    - |
      # Get the manifest digest
      set -eo pipefail
      digest=$( docker buildx imagetools inspect --format '{{json .Manifest}}' ${MANIFEST_NAME}:${MANIFEST_TAG} | jq -r '.digest' )
      if [[ ! "$digest" =~ ^sha256:[A-Fa-f0-9]{64}$ ]]; then
        echo "Invalid digest for ${MANIFEST_NAME}:${MANIFEST_TAG}: $digest"
        exit 1
      fi
    - mkdir -p dist
    - echo "[${MANIFEST_NAME}@${digest}]" | tee dist/${MANIFEST}_digest.txt
    - echo "${MANIFEST_NAME}:${MANIFEST_TAG}" > tags_to_sign_${MANIFEST}${FIPS}
    - if [[ "$CI_COMMIT_BRANCH" != "main" || "$MANIFEST" != "multiarch" ]]; then exit 0; fi
    # Push the multiarch manifest for the main branch to the docker-test artifactory repo for xray scanning
    # TODO: Add new job to trigger xray scanning for the manifest whenever it is supported
    - *docker-test-releaser-role
    - manifest="${MANIFEST_NAME}:${MANIFEST_TAG}"
    - target="${DOCKER_TEST_XRAY_REPO}/splunk-otel-collector/$(basename $manifest)"
    - docker buildx imagetools create --tag $target $manifest
    - docker buildx imagetools inspect $target
  artifacts:
    paths:
      - dist/${MANIFEST}_digest.txt
      - tags_to_sign_${MANIFEST}${FIPS}

sign-multiarch-manifest:
  extends: .sign-docker
  stage: docker-manifest-release
  parallel:
    matrix:
      - MANIFEST: [multiarch, windows_multiarch]
        FIPS: ["-fips",""]
  needs:
    - push-multiarch-manifest
  before_script:
    - mv tags_to_sign_${MANIFEST}${FIPS} tags_to_sign

xray-scan-docker:
  only:
    - main
  except:
    - schedules
  extends: .container-scan
  stage: xray-scan
  parallel:
    matrix:
      # - CHILD: ["amd64", "arm64", "ppc64le", "2019", "2022"]
      - CHILD: ["amd64"]  # the .container-scan template currently only supports linux/amd64 images
  needs:
    - push-multiarch-manifest
    - sign-multiarch-manifest
  variables:
    create_jira: "true"
  before_script:
    - export CONTAINER_IMAGE="$(cat tags_to_sign_multiarch)-${CHILD}"
    - echo $CONTAINER_IMAGE

github-release:
  extends:
    - .trigger-filter
    - .go-cache
  stage: github-release
  dependencies:
    - compile
    - otelcol-fips
    - libsplunk
    - sign-exe
    - sign-osx
    - release-debs
    - release-rpms
    - sign-msi
    - sign-tar
    - push-multiarch-manifest
    - choco-release
    - sign-agent-bundles
  script:
    - mkdir -p dist/assets
    - cp bin/otelcol_linux_* dist/assets/
    - cp bin/otelcol-fips_linux_* dist/assets/
    - cp instrumentation/dist/libsplunk_*.so dist/assets/
    - cp dist/signed/* dist/assets/
    - |
      # rename agent bundles to include the version for stable releases
      set -e
      if [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        mv dist/assets/agent-bundle_linux_amd64.tar.gz dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_linux_amd64.tar.gz
        mv dist/assets/agent-bundle_linux_amd64.tar.gz.asc dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_linux_amd64.tar.gz.asc
        mv dist/assets/agent-bundle_windows_amd64.zip dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_windows_amd64.zip
        mv dist/assets/agent-bundle_windows_amd64.zip.asc dist/assets/agent-bundle_${CI_COMMIT_TAG#v}_windows_amd64.zip.asc
        # exclude the arm64 bundle from release assets
        rm -f dist/assets/agent-bundle_linux_arm64.tar.gz
        rm -f dist/assets/agent-bundle_linux_arm64.tar.gz.asc
      fi
    - pushd dist/assets && shasum -a 256 * > checksums.txt && popd
    - |
      # only create github release for stable release tags
      set -e
      if [[ "${CI_COMMIT_TAG:-}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
        release_notes="$( ./packaging/release/gh-release-notes.sh "$CI_COMMIT_TAG" )"
        ghr -t "$GITHUB_TOKEN" -u signalfx -r splunk-otel-collector -n "$CI_COMMIT_TAG" -b "$release_notes" --replace "$CI_COMMIT_TAG" dist/assets/
      fi
  artifacts:
    when: always
    paths:
      - dist/assets

.ansible:
  image: 'cimg/python:3.9'
  only:
    - /^ansible-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - branches
    - schedules
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
  cache:
    key: "ansible-pip-cache"
    paths:
      - .cache/pip

ansible-build:
  extends: .ansible
  stage: build
  artifacts:
    paths:
      - dist/
  before_script:
    - pip3 install ansible==3.4.0
  script:
    - ansible-galaxy collection build ./deployments/ansible --output-path ./dist

ansible-release:
  extends: .ansible
  stage: release
  before_script:
    - pip3 install ansible==3.4.0 yq==2.12.0
  script:
    - export COLLECTION_VERSION=$(cat ./deployments/ansible/galaxy.yml | yq .version -r)
    - ansible-galaxy collection publish ./dist/signalfx-splunk_otel_collector-${COLLECTION_VERSION}.tar.gz --token=${ANSIBLE_GALAXY_TOKEN}

puppet-release:
  image: '${DOCKER_HUB_REPO}/ruby:2.6-buster'
  stage: release
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^puppet-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  before_script:
    - gem install bundler -v 2.4.22
    - cd deployments/puppet
    - bundle install
    - bundle exec rake module:clean
  script:
    - bundle exec rake module:push
  artifacts:
    paths:
      - deployments/puppet/pkg/*.tar.gz

chef-release:
  image: 'chef/chefworkstation:stable'
  stage: release
  only:
    variables:
      - $CI_COMMIT_TAG =~ /^chef-v[0-9]+\.[0-9]+\.[0-9]+.*/
  except:
    - schedules
  before_script:
    - mkdir -p ~/.chef
    - cat "$CHEF_PEM" > ~/.chef/signalfx.pem
    - cat "$CHEF_KNIFE_RB" > ~/.chef/knife.rb
    - mkdir -p /tmp/cookbooks
    - cp -r deployments/chef /tmp/cookbooks/splunk_otel_collector
  script:
    - knife supermarket share -o /tmp/cookbooks splunk_otel_collector