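---
# Pipeline 1: render the Hugo site, build the container image, scan it, and
# push it to the registry only on a promotion to production.
kind: pipeline
name: generate-blog

clone:
  depth: 1

steps:
  - name: update-submodules
    image: alpine/git
    commands:
      - git submodule update --init --recursive

  - name: generate-blog
    image: plugins/hugo
    settings:
      # Quoted so the version is always read as a string.
      hugo_version: "0.84.4"
      validate: true
    pull: always
    depends_on:
      - update-submodules

  - name: clean-up-images
    image: alpine
    commands:
      - rm -rf public/images/*
    depends_on:
      - generate-blog

  # Build only (dry_run: true): nothing is pushed from this step.
  - name: test-build-container
    image: plugins/docker
    settings:
      registry: scm.project42.io
      # Registry credentials come from Drone secrets, never from this file.
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
      repo: scm.project42.io/elia/blog
      dry_run: true
      squash: true
      purge: false
      tags:
        - "${DRONE_COMMIT_SHA:0:8}"
    depends_on:
      - clean-up-images

  - name: trivy-scan
    # NOTE(review): `latest` is a mutable tag, so the scanner can change
    # between builds; pin a release tag or digest.
    image: docker.io/aquasec/trivy:latest
    # The host Docker socket gives this step control of the runner's Docker
    # daemon. Drone only allows host volumes for trusted repositories; keep
    # the set of people who can change this file correspondingly small.
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    # NOTE(review): confirm the image built by test-build-container is
    # visible to the host daemon; if it is not, trivy will look for this tag
    # elsewhere and the scan may not cover the image that was just built.
    commands:
      # Report pass: lists every finding but never fails the step.
      - trivy image --exit-code 0 "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"
      # Gate pass: fails the step when a CRITICAL finding is present.
      - trivy image --exit-code 1 --severity CRITICAL "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"
    depends_on:
      - test-build-container

  # Real build and push; runs only on `promote` to `production`.
  - name: build-container
    image: plugins/docker
    settings:
      registry: scm.project42.io
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
      repo: scm.project42.io/elia/blog
      dry_run: false
      squash: true
      tags:
        - latest
        - "${DRONE_COMMIT_SHA:0:8}"
    when:
      event:
        - promote
      target:
        - production
    # Added: every other step here is ordered with depends_on, and this one
    # had none, so nothing made the push wait for the site build or for the
    # CRITICAL gate in trivy-scan.
    depends_on:
      - trivy-scan

# Pipeline-level volume backing the `dockersock` mount in trivy-scan. It is
# declared after `steps` so that build-container stays a member of the steps
# list; in the source it followed this key.
volumes:
  - name: dockersock
    host:
      path: /var/run/docker.sock

---
# Pipeline 2: Ansible syntax check, check-mode run, then the real deployment
# on promotion to production. Starts after the generate-blog pipeline.
kind: pipeline
name: deploy-blog

clone:
  depth: 1

steps:
  # Syntax check only; no SSH key or user is supplied to this step.
  - name: syntax-check
    # NOTE(review): `latest` is mutable; pin the plugin version or digest.
    image: plugins/ansible:latest
    settings:
      playbook: ansible/site.yml
      inventory: ansible/inventory/hcloud.yml
      requirements: ansible/requirements.txt
      tags: blog
      check: true
      diff: true
      syntax_check: true
      extra_vars: "blog_container_tag=${DRONE_COMMIT_SHA:0:8}"
    environment:
      HCLOUD_TOKEN:
        from_secret: hcloud_token

  # Check-mode run (check: true). This step has no `when` filter and is
  # given the SSH key and user, so those secrets are in use on every event
  # that triggers the pipeline, not only on promotion.
  - name: dry-run
    image: plugins/ansible:latest
    settings:
      playbook: ansible/site.yml
      inventory: ansible/inventory/hcloud.yml
      requirements: ansible/requirements.txt
      tags: blog
      check: true
      diff: true
      syntax_check: false
      extra_vars: "blog_container_tag=${DRONE_COMMIT_SHA:0:8},check_mode=true"
      private_key:
        from_secret: ansible_private_key
      user:
        from_secret: ansible_user
    environment:
      HCLOUD_TOKEN:
        from_secret: hcloud_token

  # Real deployment (check: false); limited to `promote` to `production`.
  - name: deploy
    image: plugins/ansible:latest
    settings:
      playbook: ansible/site.yml
      inventory: ansible/inventory/hcloud.yml
      requirements: ansible/requirements.txt
      tags: blog
      check: false
      diff: true
      syntax_check: false
      extra_vars: "blog_container_tag=${DRONE_COMMIT_SHA:0:8}"
      private_key:
        from_secret: ansible_private_key
      user:
        from_secret: ansible_user
    environment:
      HCLOUD_TOKEN:
        from_secret: hcloud_token
    when:
      event:
        - promote
      target:
        - production

# Pipeline-level dependency: names the generate-blog pipeline above.
depends_on:
  - generate-blog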