cloudflared-mirror/.gitlab-ci.yml


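# Pipeline order: detect a release tag, build (and sign on releases), publish.
stages: [check, build, release]

# Every job is issued an ID token whose audience is the Vault server. Jobs that
# declare `secrets:` rely on it to authenticate to Vault.
# NOTE(review): as a default, this token is also issued to the merge-request
# build job, which declares no secrets. What the token may read is decided by
# the Vault role's bound claims, which are not visible in this file - confirm
# they pin the project and a protected ref.
default:
  id_tokens:
    VAULT_ID_TOKEN:
      aud: https://vault.cfdata.org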
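# -----------------------------------------------
# Stage 1: Check for a Git tag on the current commit
# -----------------------------------------------
# Writes TAG_EXISTS (and VERSION when a tag is found) to tag_check.env, which is
# published as a dotenv report so that later jobs receive both variables.
check_tag:
  stage: check
  rules:
    - when: always
  script:
    - |
      # List the tags pointing at HEAD once, so the existence check and the
      # VERSION value cannot disagree.
      tags="$(git tag --points-at HEAD)"
      if [ -n "${tags}" ]; then
        # Each line of a dotenv report is read as its own KEY=value entry.
        # More than one tag on this commit would add extra lines after
        # VERSION=..., so stop here instead of publishing an ambiguous file.
        tag_count="$(printf '%s\n' "${tags}" | grep -c .)"
        if [ "${tag_count}" -ne 1 ]; then
          echo "Expected exactly one tag on HEAD, found ${tag_count}:" >&2
          printf '%s\n' "${tags}" >&2
          exit 1
        fi
        # Keep the tag name visible in the job log.
        echo "${tags}"
        echo "TAG_EXISTS=true" >> tag_check.env
        echo "VERSION=${tags}" >> tag_check.env
      else
        echo "TAG_EXISTS=false" >> tag_check.env
      fi
  artifacts:
    reports:
      # Pass TAG_EXISTS (and VERSION) to the jobs that depend on this one.
      dotenv: tag_check.env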
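# -----------------------------------------------
# Stage 2: Build on every PR
# -----------------------------------------------
# Builds cloudflared once per runner architecture for merge-request pipelines.
# The &build anchor is reused by the release signing job, so every key here
# (including the script) also applies there unless that job overrides it.
# NOTE(review): merge-request builds and the signing job select runners with
# the same tag. The Go toolchain is put on PATH from /tmp/go, outside the
# checkout - confirm the runners are ephemeral or that this directory is
# recreated for every job.
build_cloudflared_macos: &build
  stage: build
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
      when: always
    - when: never
  dependencies:
    - check_tag
  tags:
    - "macstadium-${RUNNER_ARCH}"
  parallel:
    matrix:
      - RUNNER_ARCH: [arm, intel]
  artifacts:
    paths:
      - artifacts/*
  script:
    # Map the runner label to the architecture name the build expects.
    - '[ "${RUNNER_ARCH}" = "arm" ] && export TARGET_ARCH=arm64'
    - '[ "${RUNNER_ARCH}" = "intel" ] && export TARGET_ARCH=amd64'
    - ARCH=$(uname -m)
    - echo ARCH=$ARCH - TARGET_ARCH=$TARGET_ARCH
    # NOTE(review): how this script fetches and verifies the Go toolchain is
    # not visible here; in the signing job it runs with the signing secrets in
    # its environment.
    - ./.teamcity/mac/install-cloudflare-go.sh
    - export PATH="/tmp/go/bin:$PATH"
    - BUILD_SCRIPT=.teamcity/mac/build.sh
    # A bare `exit` would reuse the status of the test above it (0), letting
    # the job pass without building anything; fail explicitly instead.
    - |
      if [[ ! -x ${BUILD_SCRIPT} ]]; then
        echo "${BUILD_SCRIPT} is missing or not executable" >&2
        exit 1
      fi
    - set -euo pipefail
    - echo "Executing ${BUILD_SCRIPT}"
    # exec replaces the shell, so the build script's exit status is the job's.
    - exec ${BUILD_SCRIPT}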
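# -----------------------------------------------
# Stage 2: Build and sign only on releases
# -----------------------------------------------
# Reuses the merge-request build job through the YAML merge key. The merge is
# shallow: stage, tags, parallel, artifacts and script come from the anchor,
# while rules, dependencies and secrets are set by this job.
build_and_sign_cloudflared_macos:
  <<: *build
  # NOTE(review): rules are evaluated when the pipeline is created, before
  # check_tag has run, so the TAG_EXISTS value from the dotenv report is
  # presumably not available at this point. Confirm where TAG_EXISTS comes from
  # when this rule is evaluated, and who is allowed to set it.
  rules:
    - if: '$CI_COMMIT_BRANCH == "master" && $TAG_EXISTS == "true"'
      when: always
    - when: never
  dependencies:
    - check_tag
  # `file: false` puts each secret value directly into an environment variable
  # instead of a temporary file. The signing certificates, keys and passphrases
  # are therefore readable by every process this job starts, including the
  # toolchain install script and the build script; keep shell tracing and
  # environment dumps out of both.
  secrets:
    APPLE_DEV_CA_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/apple_dev_ca_cert/data
      file: false
    CFD_CODE_SIGN_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_cert_v2/data
      file: false
    CFD_CODE_SIGN_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_key_v2/data
      file: false
    CFD_CODE_SIGN_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_code_sign_pass_v2/data
      file: false
    CFD_INSTALLER_CERT:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_cert_v2/data
      file: false
    CFD_INSTALLER_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_key_v2/data
      file: false
    CFD_INSTALLER_PASS:
      vault: gitlab/cloudflare/tun/cloudflared/_branch/master/cfd_installer_pass_v2/data
      file: false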
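# -----------------------------------------------
# Stage 3: Release to Github after building and signing
# -----------------------------------------------
# Publishes the signed macOS artifacts through `make macos-release`.
release_cloudflared_macos_to_github:
  stage: release
  # The image is referenced by digest as well as by tag.
  image: docker-registry.cfdata.org/stash/tun/docker-images/cloudflared-ci/main:6-8616fe631b76-amd64@sha256:96f4fd05e66cec03e0864c1bcf09324c130d4728eef45ee994716da499183614
  dependencies:
    - check_tag
    - build_and_sign_cloudflared_macos
  # NOTE(review): rules are evaluated when the pipeline is created, before
  # check_tag has run, so the TAG_EXISTS value from the dotenv report is
  # presumably not available at this point. Confirm where TAG_EXISTS comes from
  # when this rule is evaluated, and who is allowed to set it.
  rules:
    - if: '$CI_COMMIT_BRANCH == "master" && $TAG_EXISTS == "true"'
      when: always
    - when: never
  cache:
    paths:
      - .cache/pip
  variables:
    PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
    # Quoted so these hex identifiers are always read as strings.
    KV_NAMESPACE: "380e19aa04314648949b6ad841417ebe"
    KV_ACCOUNT: "5ab4e9dfbd435d24068829fda0077963"
  # `file: false` exposes both tokens as plain environment variables.
  # NOTE(review): these paths sit under `_dev`, while the signing secrets sit
  # under `_branch/master`; confirm the `_dev` path is limited to protected
  # refs in the same way.
  secrets:
    KV_API_TOKEN:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_kv_api_token/data@kv
      file: false
    API_KEY:
      vault: gitlab/cloudflare/tun/cloudflared/_dev/cfd_github_api_key/data@kv
      file: false
  before_script:
    # For debugging
    - python3 --version ; pip --version
    - python3 -m venv venv
    - source venv/bin/activate
    # Versions are pinned, but not by hash, and transitive dependencies are
    # not pinned at all. This install runs in the job that holds the release
    # tokens; a requirements file installed with --require-hashes would also
    # cover packages restored from the pip cache.
    - pip install pynacl==1.4.0 pygithub==1.55
  script:
    - echo "$VERSION"
    - echo "$TAG_EXISTS"
    - echo "Running release because tag exists."
    - make macos-release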