.gitlab-ci.yml

# Continuous Integration configuration with gitlab.com
# See https://gitlab.com/help/ci/yaml/README.md


#########################################################
# Default CI pipeline configuration:
# - preset variables: 'S2OPC_NODE_MANAGEMENT = 1' set
# - jobs run in stages:
#   - gen: generation job
#   - build: build-linux64-ASan
#   - tests:
#     - test-check
#     - test-unit
#     - test-uactt
#
# CI pipeline manual run with 'ALL_TESTS = 1':
# - jobs run in stages:
#   - build: build-linux64-pys2opc # 'WITH_ASAN = 0' and 'WITH_PYS2OPC = 1'
#   - tests: # TEST_SERVER_XML_ADDRESS_SPACE, TEST_SERVER_XML_CONFIG and TEST_USERS_XML_CONFIG are NOT set to use static config
#     - test-unit-all-tests
#     - test-uactt-all-tests
#
# CI pipeline manual run with 'ALL_BUILDS = 1':
# - jobs run in stages:
#   - gen: generation job
#   - build: # 'WITH_STATIC_SECURITY_DATA: 1', 'WITH_CONST_ADDSPACE: 1' and 'PUBSUB_STATIC_CONFIG: 1'
#     - build-linux64-static-conf
#   - tests:
#     - test-unit
#   - build-others:
#     - build-win32
#     - build-win64
#     - windows-appveyor
#     - build-zephyr
#   - test-others:
#     - test-zephyr
# CI pipeline manual run with 'WINDOWS_TEST = 1':
# - jobs run in stages:
#   - build-others:
#     - windows-appveyor
#
# CI pipeline manual run with 'CROSS_COMPILE = 1':
# - jobs run in stages:
#   - build-others:
#     - build-win32
#     - build-win64
#     - build-rpi
#     - build-zephyr
#     - build-freertos
#   - test-others:
#     - test-zephyr
#########################################################

# Ensures job failure when intermediate script line fails
# (see gitlab issues #25394 and #383355)
variables:
  FF_ENABLE_BASH_EXIT_CODE_CHECK: "true"

.nominal_build_variables: &nominal_build_variables
  S2OPC_NODE_MANAGEMENT: 1
  S2OPC_EVENT_MANAGEMENT: 1

.nominal_test_variables: &nominal_test_variables
  S2OPC_NODE_MANAGEMENT: 1
  S2OPC_EVENT_MANAGEMENT: 1
  TEST_SERVER_XML_ADDRESS_SPACE: S2OPC_Test_NodeSet.xml
  TEST_SERVER_XML_CONFIG: S2OPC_Server_UACTT_Config.xml
  TEST_USERS_XML_CONFIG: S2OPC_UACTT_Users.xml
  TEST_CLIENT_XML_CONFIG: S2OPC_Client_Test_Config.xml
  TEST_PASSWORD_PRIVATE_KEY : password
  TEST_PASSWORD_CACERT : S2OPC
  TEST_PASSWORD_USER_ME : 1234
  TEST_USERNAME : user1
  TEST_PASSWORD_USER : password

# Variables for ALL_BUILDS and ALL_TESTS manual pipelines

.all-tests_build_variables: &all-tests_build_variables
  WITH_PYS2OPC: 1

.all-builds_build_variables: &all-builds_build_variables
  S2OPC_EVENT_MANAGEMENT: 1
  WITH_STATIC_SECURITY_DATA: 1
  WITH_CONST_ADDSPACE: 1
  PUBSUB_STATIC_CONFIG: 1

stages:
  - gen
  - build
  - test
  - build-others
  - test-others
  - analyses
  - doc

# Avoid to run 2 pipelines in case of MR
# (1 for branch and 1 for MR)
workflow:
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_PIPELINE_SOURCE == "schedule"'
    - if: '$CI_PIPELINE_SOURCE == "web"'
    - if: '$CI_COMMIT_TAG'
    - if: '$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS'
      when: never
    - if: '$CI_COMMIT_BRANCH'

.zephyr-job: &zephyr_job
  tags:
    - zephyr

###
# Generation jobs
###

generation: &gen
  stage: gen
  image: com.systerel.fr:5000/c838/gen-ext@sha256:66cadeb219f3904e78ade14ef85e57aa0309eff4416e9625b0fd4bea8e976cd7 # digest of gen-ext:1.4
  script:
    - ./clean.sh gen
    - ./.validates_xml_schemas.sh
    - ./.pre-build-ext.sh
    - rm ./src/ClientServer/services/bgenc/constants_bs.h_
    - ./.check_generated_code.sh
  artifacts:
    name: 'bgenc-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'pre-build.log'
    when: always
    expire_in: '1 week'
  rules:
    - if: "$NO_GEN == null && \
           $WINDOWS_TEST == null && \
           $CROSS_COMPILE == null && \
           $GEN_PROOF_OBLIGATIONS == null && \
           $TEST_NETWORK_FUZZ == null && \
           $WITH_COVERITY == null && \
           $S2OPC_PUBSUB_ONLY == null &&\
           $ALL_BUILDS == null && \
           $ALL_TESTS == null && \
           $WITH_DOC == null"
      when: on_success

proof_obligations:
  <<: *gen
  script:
    - ./.pre-build-ext.sh POs
    - cat po_status.log
  artifacts:
    name: 'bpos-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'pre-build.log'
      - 'po_status.log'
    when: always
    expire_in: "30 days"
  rules:
    - if: "$GEN_PROOF_OBLIGATIONS != null"
      when: always

check_commit_signature:
  stage: gen
  image: registry.gitlab.com/systerel/s2opc/build@sha256:db0b531386fc402e54756d7b4dec3e584f9219f656fa8fe34d125865698bb06b # digest of build:1.46
  needs: []
  script:
    - ./.check_signed_commit.sh
  rules:
   - if: "$CI_PIPELINE_SOURCE == 'merge_request_event'"
     when: always

check_commit_validity:
  stage: doc
  image: cicirello/pyaction@sha256:1e61034d26988094c92b629bf1d5f2027bc0659a347f31653ae405a7b05f97ae # digest of cicirello/pyaction:v4.25.0
  needs: []
  script:
    # Unnecessary for R-O access on public project: ${CI_JOB_TOKEN}
    - './.check_ref_commit.sh -v "${SOPC_CURRENT_MILESTONE}" "origin/${CI_MERGE_REQUEST_TARGET_BRANCH_NAME}" "${CI_MERGE_REQUEST_IID}" "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}"'
  rules:
   - if: "$CI_PIPELINE_SOURCE == 'merge_request_event'"
     when: always
###
# Compilation jobs
###

.build-linux: &build_linux
  stage: build
  image: registry.gitlab.com/systerel/s2opc/build@sha256:db0b531386fc402e54756d7b4dec3e584f9219f656fa8fe34d125865698bb06b # digest of build:1.46
  script:
    - &build_command_line './build.sh && cd $BUILD_DIR && cmake --build . --target install || exit $?'
  variables: &build_linux_variables
    CMAKE_INSTALL_PREFIX: '../install_linux64'
    DOCKER_DIGEST: 'sha256:db0b531386fc402e54756d7b4dec3e584f9219f656fa8fe34d125865698bb06b'
    BUILD_DIR: build
  artifacts:
    name: 'bin-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - '*.log'
      - 'install_linux64/'
      - 'build/'  # Required by tests / coverage
    expire_in: '1 week'
    when: always

# Used by "normal" pipeline
build-linux64-ASan:
  <<: *build_linux
  variables:
    <<: [*build_linux_variables,*nominal_build_variables]
    WITH_ASAN: 1
    WITH_UBSAN: 1
  needs: []
  rules: # 1st line repeat .build-linux + added rules to avoid ASAN build
    - if: "$WINDOWS_TEST == null && $CROSS_COMPILE == null && \
           $GEN_PROOF_OBLIGATIONS == null && $TEST_NETWORK_FUZZ == null && \
           $WITH_COVERITY == null && $WITH_COVERAGE == null && $WITH_DOC == null && \
           $NO_ASAN == null && $ALL_TESTS == null && $ALL_BUILDS == null" # avoid ASAN build in most of nightly builds
      when: on_success

build-linux-faulty-packet:
  <<: *build_linux
  stage : build-others
  variables:
    <<: [*build_linux_variables,*nominal_build_variables]
    WITH_ASAN: 1
    WITH_UBSAN: 1
    BUILD_DIR: build_faulty
    CMAKE_C_FLAGS: "-DSOPC_MAX_SESSIONS=50 -DSOPC_MAX_SECURE_CONNECTIONS=51"
  needs : []
  artifacts:
    name: 'bin-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}_faulty'
    paths:
      - '*.log'
      - 'build_faulty/bin'
  rules :
    - if: "$ALL_BUILDS != null"
      when : on_success

# Used by ALL_BUILDS to check we still manage to build with missing libs
# (Paho for PubSub and Expat for ClientServer)
build-with_missing_libs:
  <<: *build_linux
  variables:
    <<: *build_linux_variables
  needs: []
  script:
    - rm -fr /usr/local/lib/cmake/eclipse-paho-mqtt-c || exit $?
    - ./build.sh || exit $?
    - rm -fr /usr/local/lib/cmake/expat-* || exit $?
    - ./clean.sh || exit $?
    - S2OPC_CLIENTSERVER_ONLY=1 ./build.sh || exit $?
  rules:
    - if: "$ALL_BUILDS != null"
      when: on_success
  artifacts:

# Used by ALL_BUILDS to check we manage to build with nocrypto lib
build-with_no_crypto:
  <<: *build_linux
  variables:
    <<: *build_linux_variables
  needs: []
  script:
    - S2OPC_CRYPTO_MBEDTLS=0 ./build.sh || exit $?
  rules:
    - if: "$ALL_BUILDS != null"
      when: on_success
  artifacts:

# Used by all-tests pipeline (add tests which needs NO_ASAN)
build-linux64-pys2opc-all-tests:
  <<: *build_linux
  variables:
    <<: [*build_linux_variables,*all-tests_build_variables] # add pys2opc
  needs: []
  script: # build and install shared libs, then build static libs and binaries
      - 'ENABLE_SAMPLES=0 ENABLE_TESTING=0 BUILD_SHARED_LIBS=1 ./build.sh && cd $BUILD_DIR && cmake --build . --target install || exit $?'
      - 'cd .. && ./clean.sh || exit $?'
      - *build_command_line
  rules: # do not repeat .build-linux: due to disjunction + need only those 2 conditions
    - if: "$ALL_TESTS != null || $WITH_COVERAGE == null && $NO_ASAN != null" # if ASAN is deactivated build PyS2OPC by default (except for coverage)
      when: on_success

# Used when ALL_BUILDS set (tests use static configuration)
build-linux64-static-conf:
  <<: *build_linux
  variables:
    <<: [*build_linux_variables,*all-builds_build_variables] # add static conf
  needs: []
  rules: # single case rule of ALL_BUILDS
    - if: "$ALL_BUILDS != null"
      when: on_success

build-linux64-NoASan-NoPyS2OPC:
  <<: *build_linux
  variables:
    <<: [*build_linux_variables,*nominal_build_variables]
  needs: []
  rules: # In case of coverage analysis or when nano scope is used (TODO: PyS2OPC shall be built but tests will fail: use another server with subscription in tests)
    - if: "$WITH_COVERAGE != null"
      when: on_success

build-win64: &build_win64
  stage: build-others
  image: registry.gitlab.com/systerel/s2opc/mingw_build@sha256:d158e52c51d2f97d4bd13bcc93ebbe5793025c0032dd7e6116bdf9293fc790bf # digest of mingw_build:1.15
  needs: []
  script:
    # Manually disable PyS2OPC for windows cross builds. When set in "variables:", the value is overwritten.
    - 'export WITH_PYS2OPC=OFF'
    - *build_command_line
  variables: &build_win64_variables
    CMAKE_INSTALL_PREFIX: '../install_win64'
    CMAKE_TOOLCHAIN_FILE: 'toolchain-mingw32-w64_x86_64.cmake'
    DOCKER_DIGEST: 'sha256:d158e52c51d2f97d4bd13bcc93ebbe5793025c0032dd7e6116bdf9293fc790bf'
    BUILD_DIR: build_toolchain
    S2OPC_CLIENTSERVER_ONLY: 1 # PubSub is not compatible with windows platform
    WARNINGS_AS_ERRORS: 0 # Some format warnings remain on MinGW
  artifacts:
    name: 'bin-w64-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - '$BUILD_DIR/bin'
      - 'install_win64/'
    expire_in: '1 week'
  rules:
   - if: "$CROSS_COMPILE != null || $ALL_BUILDS != null || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_TAG"
     when: always # run even if previous job in pipeline failed

build-win32:
  <<: *build_win64
  variables:
    <<: *build_win64_variables
    CMAKE_INSTALL_PREFIX: '../install_win32'
    CMAKE_TOOLCHAIN_FILE: 'toolchain-mingw32-w64.cmake'
  artifacts:
    name: 'bin-w32-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - '$BUILD_DIR/bin/'
      - 'install_win32/'
    expire_in: '1 week'
  rules:
   - if: "$CROSS_COMPILE != null || $ALL_BUILDS != null || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_TAG"
     when: always # run even if previous job in pipeline failed

build-rpi:
  stage: build-others
  image: registry.gitlab.com/systerel/s2opc/rpi-build@sha256:0c5e40993e575bb829cee97e17a4965258fdccd4eef6ee81fca1fc732f417a63 # digest of rpi-build:1.8
  needs: []
  script:
    - '. /usr/local/cross_venv/bin/activate'
    - *build_command_line
  variables:
    CMAKE_INSTALL_PREFIX: '../install_rpi'
    CMAKE_TOOLCHAIN_FILE: '/toolchain-rpi.cmake'
    DOCKER_DIGEST: 'sha256:0c5e40993e575bb829cee97e17a4965258fdccd4eef6ee81fca1fc732f417a63'
    BUILD_SHARED_LIBS: 'true'
    BUILD_DIR: build_toolchain
    # Note: building of PyS2OPC C generated file fails due to "conditional branch out of range" if not compiled with O0.
    # In order to have S2OPC built with optimisations, it is also possible to build PyS2OPC alone in a second step.
    CMAKE_BUILD_TYPE: Debug
    WITH_PYS2OPC: 1
    # Note: it might be renamed to "...-linux_armv7l.whl" if needed for installation
    PYS2OPC_WHEEL_NAME: 'pys2opc-1.6.0-cp39-cp39-linux_arm.whl'
  artifacts:
    name: 'bin-rpi-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - '$BUILD_DIR/bin'
      - '$BUILD_DIR/bin'
      - '$BUILD_DIR/lib'
      - '*.log'
      - 'install_rpi/'
    expire_in: '1 week'
  rules:
   - if: "$CROSS_COMPILE != null || $ALL_BUILDS != null || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_TAG"
     when: always # run even if previous job in pipeline failed

# Used by coverity, also starts the analysis
build-linux64-coverity:
  stage: build
  image: registry.gitlab.com/systerel/s2opc/coverity@sha256:8831613acee4b581a879de636a6e089a3b51f5b0dabe83012479f86048a72766 # digest of coverity:1.11
  needs: []
  script: |-
    mkdir build
    cd build
    cmake -DWITH_COVERITY=1 -DCMAKE_BUILD_TYPE=Debug -DS2OPC_NODE_MANAGEMENT=1 -DS2OPC_EVENT_MANAGEMENT=1 ..
    /opt/cov-analysis-linux64-2023.6.2/bin/cov-build --dir cov-int make
    tar czf cov-int.tar.gz cov-int
    curl -k --form token=${COVERITY_TOKEN} --form email=${COVERITY_EMAIL} --form version=${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA} --form description=${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA} --form file=@cov-int.tar.gz https://scan.coverity.com/builds?project=S2OPC
  rules:
    - if: "$WITH_COVERITY != null"

build-zephyr:
  <<: *zephyr_job
  stage: build-others
  image:
    name: registry.gitlab.com/systerel/s2opc/zephyr_build:v3.6.0-b@sha256:13069418dd7b0317f93f02986b01f285f0f66956670f2fecded9850ace85d734 # digest of zephyr_build :v3.6.0-b
    entrypoint: [''] # Needs cause of issue with `sh` https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3622
  needs: []
  script:
    - 'ln -s $(pwd) /zephyrproject/modules/lib/s2opc'
    - 'samples/embedded/platform_dep/zephyr/ci/build-zephyr-samples-docker.sh stm32h735g_disco cli_client'
    - 'samples/embedded/platform_dep/zephyr/ci/build-zephyr-samples-docker.sh nucleo_h745zi_q_m7 cli_client -DCONFIG_NET_GPTP=y'
    - 'samples/embedded/platform_dep/zephyr/ci/build-zephyr-samples-docker.sh mimxrt1064_evk cli_pubsub_server'
    - 'samples/embedded/platform_dep/zephyr/ci/build-zephyr-samples-docker.sh stm32h747i_disco_m7 cli_pubsub_server -DCONFIG_SOPC_CRYPTO_LIB_NAME=\"nocrypto\" -DCONFIG_MBEDTLS=n'
    - 'samples/embedded/platform_dep/zephyr/ci/build-zephyr-samples-docker.sh stm32h747i_disco_m7 cli_pubsub_server'
  artifacts:
    name: 'bin-zephyr-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'build_zephyr/'
    expire_in: '1 week'
  rules:
    - if: "$CROSS_COMPILE != null || $ALL_BUILDS != null || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_TAG"
      when: always

build-freertos:
  stage: build-others
  image: registry.gitlab.com/systerel/s2opc/freertos_build@sha256:09addc3a3bfcd46ff5581ab21229330fb4cc506c331cf7a31b0a58a0d886de0d # freertos_build:v1.1
  needs: []
  script:
    - 'samples/embedded/platform_dep/freertos/ci/build-freertos-samples-docker.sh'
    - 'test -f build_freertos/freertos-sopc.elf'
    - 'mv build_freertos/freertos-sopc.elf build_freertos/freertos-sopc-stm32h723zg.elf'
    - 'rm -rf /tmp/ws_freertos/build'
    - 'samples/embedded/platform_dep/freertos/ci/build-freertos-samples-docker.sh -- --nocrypto'
    - 'test -f build_freertos/freertos-sopc.elf'
    - 'mv build_freertos/freertos-sopc.elf build_freertos/freertos-sopc-stm32h723zg-nocrypto.elf'
  artifacts:
    name: 'bin-freertos-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'build_freertos/'
    when: always
    expire_in: '1 week'
  rules:
    - if: "$CROSS_COMPILE != null || $ALL_BUILDS != null || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_TAG"
      when: always

build-fuzz:
  stage: build
  image: com.systerel.fr:5000/c838/opcua-network-fuzzer@sha256:ed423e0733e2a5131dd57f9e8ef2160230e6838ca94308ea2289bb50ce419e28 #3.0 digest
  needs: []
  variables:
    TEST_PASSWORD_PRIVATE_KEY : password
  script:
    - apt-get update -y && apt-get install -y openssl
    - ./.network_fuzzing.sh
  artifacts:
    name: 'fuzzing-results_job${CI_JOB_ID}'
    paths:
      - "./boofuzz-results"
      - "./build/bin/toolkit_demo_server_logs"
    when: on_failure
    expire_in: "30 days"
  timeout: 24 hours
  tags:
    - fuzzing
  rules:
    - if: "$TEST_NETWORK_FUZZ != null"
      when: always

###
# Test jobs
###

test-build-from-export:
  <<: *build_linux
  stage: test
  needs: [build-linux64-ASan]
  script:
    - 'mkdir -p ${CI_PROJECT_DIR}/samples/ClientServer/build_samples'
    - 'cd ${CI_PROJECT_DIR}/samples/ClientServer/build_samples'
    - 's2opc_DIR=${CI_PROJECT_DIR}/build cmake ..'
    - 'cmake --build .'
    - 'mkdir -p ${CI_PROJECT_DIR}/samples/PubSub/build_samples'
    - 'cd ${CI_PROJECT_DIR}/samples/PubSub/build_samples'
    - 's2opc_DIR=${CI_PROJECT_DIR}/build cmake ..'
    - 'cmake --build .'
    - 'mkdir -p ${CI_PROJECT_DIR}/samples/PubSub_ClientServer/build_samples'
    - 'cd ${CI_PROJECT_DIR}/samples/PubSub_ClientServer/build_samples'
    - 's2opc_DIR=${CI_PROJECT_DIR}/build cmake ..'
    - 'cmake --build .'
    - 'mkdir -p ${CI_PROJECT_DIR}/samples/embedded/build_samples'
    - 'cd ${CI_PROJECT_DIR}/samples/embedded/build_samples'
    - 's2opc_DIR=${CI_PROJECT_DIR}/build cmake ..'
    - 'cmake --build .'
  artifacts:
  rules:
    - if: "$NO_TESTS == null && $WINDOWS_TEST == null && \
           $CROSS_COMPILE == null && $GEN_PROOF_OBLIGATIONS == null && \
           $TEST_NETWORK_FUZZ == null && $WITH_COVERITY == null && \
           $WITH_COVERAGE == null && $WITH_DOC == null && \
           $S2OPC_PUBSUB_ONLY == null && $S2OPC_CLIENTSERVER_ONLY == null && \
           $ALL_BUILDS == null && $ALL_TESTS == null"
      when: on_success

.test-linux: &test_linux
  stage: test

# Test check belongs to the test part, however it does not depend on linux build.
test-check:
  <<: *test_linux
  image: registry.gitlab.com/systerel/s2opc/check@sha256:3c2ff85faf45af287da51ccb0a9689329e59b1d100be87d5143a47f97fd65720 # digest of check:1.21
  needs: []
  script:
    - ./.check-code.sh
    # Check generated types are up to date
    - './scripts/gen-sopc-types.py ./schemas/Opc.Ua.Types.bsd'
    - './scripts/generate-embedded-base-type-info.py ./schemas/Opc.Ua.NodeSet2.xml src/Common/opcua_types/sopc_embedded_nodeset2.h'
    # Check test types are up to date
    - './scripts/gen-sopc-types.py --types_prefix Custom --ns_index 1 ./tests/ClientServer/data/types/customTypes.bsd --files_path ./tests/ClientServer/unit_tests/helpers/'
    - './scripts/gen-sopc-types.py --types_prefix Custom2 --ns_index 2 ./tests/ClientServer/data/types/level2Types.bsd --files_path ./tests/ClientServer/unit_tests/helpers/ --imported_ns_prefixes Custom'
    - './.format.sh'
    # Check that generated files are up to date
    - '${CI_PROJECT_DIR}/scripts/generate-s2opc-address-space.py ${CI_PROJECT_DIR}/samples/embedded/cli_pubsub_server/xml/s2opc_pubsub_embedded_nodeset.xml ${CI_PROJECT_DIR}/samples/embedded/cli_pubsub_server/src/test_address_space.c --const_addspace'
    - '${CI_PROJECT_DIR}/scripts/generate-s2opc_pubsub-static-config.py ${CI_PROJECT_DIR}/tests/embedded/validation_test/config_pubsub.xml ${CI_PROJECT_DIR}/tests/embedded/validation_test/pubsub_config_static.c'
    - '${CI_PROJECT_DIR}/scripts/generate-s2opc-address-space.py ${CI_PROJECT_DIR}/tests/embedded/validation_test/xml/s2opc_pubsub_embedded_nodeset.xml ${CI_PROJECT_DIR}/tests/embedded/validation_test/embedded_address_space.c --const_addspace'
    - './.format.sh'
    - './.verify-no-git-changes.sh'
    # Check generated demo nodesets are up to date
    - 'cd samples/ClientServer/data/address_space && ./generate_demo_nodesets.sh && cd -'
    - './.verify-no-git-changes.sh'
    - 'cd samples/PubSub_ClientServer/data/address_space && ./generate_demo_nodesets.sh && cd -'
    - './.format.sh'
    - './.verify-no-git-changes.sh'
  variables:
      DOCKER_DIGEST: 'sha256:3c2ff85faf45af287da51ccb0a9689329e59b1d100be87d5143a47f97fd65720'
  artifacts:
    name: 'test-check-results-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'pre-build-check.log'
      - 'clang_tidy.log'
      - 'build-analyzer/analyzer-report'
    when: on_failure
    expire_in: '1 week'
  rules: # repeat .test-linux variables exception since overwritten here
    - if: "$NO_TESTS == null && $WINDOWS_TEST == null && \
           $CROSS_COMPILE == null && $GEN_PROOF_OBLIGATIONS == null && \
           $TEST_NETWORK_FUZZ == null && $WITH_COVERITY == null && \
           $WITH_COVERAGE == null && $WITH_DOC == null && \
           $ALL_TESTS == null && $ALL_BUILDS == null"
      when: on_success

.test-unit: &test_unit
  <<: *test_linux
  image: registry.gitlab.com/systerel/s2opc/test@sha256:8fbec254f6b8c8467b780d407c6f3c2e87d87899e141b8b2c9013ba30b4f0c8d # digest of test:2.16
  script:
    - './.set-bin-root.sh'
    - './test-all.sh'
  artifacts:
    name: 'test-unit-results-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'build/bin/**/*.tap'
      - 'build/bin/**/*.log'
      - 'build/tests/**/Testing'
      - 'build/samples/**/Testing'
      - 'build/**/*.*.gcda' # coverage analysis
      - 'build/**/*.*.gcno' # coverage analysis
    when: always
    expire_in: '1 week'
# Common rules defined by test-unit job below

# Test unit for ALL_TESTS variable (add dynamic configuration)
test-unit-all-tests:
  <<: *test_unit
  needs: [build-linux64-pys2opc-all-tests]
  variables:
    TEST_PASSWORD_PRIVATE_KEY : password
    TEST_USERNAME : user1
    TEST_PASSWORD_USER : password
    TEST_PASSWORD_CACERT : S2OPC
    TEST_PASSWORD_USER_ME : 1234
  rules:
    - if: "$ALL_TESTS != null"
      when: on_success

# Test unit for NOT ALL_TESTS variable
test-unit:
  <<: *test_unit
  variables:
    <<: *nominal_test_variables
  rules: # repeat .test-linux variables exception since overwritten here
    - if: "$NO_TESTS == null && $WINDOWS_TEST == null && \
           $CROSS_COMPILE == null && $GEN_PROOF_OBLIGATIONS == null && \
           $TEST_NETWORK_FUZZ == null && $WITH_COVERITY == null && $WITH_DOC == null && \
           $ALL_TESTS == null" # + excludes ALL_TESTS
      when: on_success

.test-uactt: &test_uactt
  <<: *test_linux
  image: com.systerel.fr:5000/c838/uactt-linux@sha256:e63916a03bf824d9d9f1f5b16479605c663507ab829b2fbc131f2b6b4666935f # uactt-linux:1.4
  script:
    - ulimit -n 1024
    - 'cd tests/ClientServer/acceptance_tools/ && ./launch_acceptance_tests.sh'
  artifacts:
    name: 'uactt-logs-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'build/bin/**/*.tap'
      - 'build/bin/**/*.log'
      - 'tests/ClientServer/acceptance_tools/*.log'
      - '**/*.*.gcda' # coverage analysis
      - '**/*.*.gcno' # coverage analysis
    when: always
    expire_in: '1 week'

test-faulty-packets :
  stage: test-others
  image: registry.gitlab.com/systerel/s2opc/test@sha256:8fbec254f6b8c8467b780d407c6f3c2e87d87899e141b8b2c9013ba30b4f0c8d # digest of test:2.16
  needs : [build-linux-faulty-packet]
  script:
    - ./tests/ClientServer/scripts/faulty_packet_tester_launcher.sh build_faulty/bin/toolkit_test_server
  artifacts:
    name: 'bug4_packets.txt'
    paths:
      - "/tmp/browse_packets.txt"
      - "tests/ClientServer/scripts/*.tap"
    when: on_failure
    expire_in: "30 days"
  rules :
    - if: "$ALL_BUILDS != null"
      when: on_success

# Test uactt for ALL_TESTS variable (add dynamic configuration)
test-uactt-all-tests:
  <<: *test_uactt
  variables:
    LINUX_UACTT: 1
    TEST_PASSWORD_PRIVATE_KEY : password
  rules:
    - if: "$ALL_TESTS != null && \
           $S2OPC_PUBSUB_ONLY == null && \
           $ALL_BUILDS == null" # + no UACTT tests on PubSub + excludes ALL_BUILDS

# Test uactt for NOT ALL_TESTS variable
test-uactt:
  <<: *test_uactt
  variables:
    <<: *nominal_test_variables
    LINUX_UACTT: 1
  rules:
    - if: "$NO_TESTS != null || $WINDOWS_TEST != null || \
           $CROSS_COMPILE != null || $GEN_PROOF_OBLIGATIONS != null || \
           $TEST_NETWORK_FUZZ != null || $WITH_COVERITY != null || \
           $WITH_COVERAGE != null || $WITH_DOC != null || \
           $S2OPC_PUBSUB_ONLY != null || $ALL_BUILDS != null || $ALL_TESTS != null"
      when: never
    - if: "$CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_BRANCH == 'master' || $CI_COMMIT_TAG"
      when: on_success


# Generate the Software Bill Of Materials according to the conan.lock file.
generate_sbom:
  stage: test
  image: com.systerel.fr:5000/c838/cyberwatch@sha256:5cedde187768011d0bc096116d453415c8b4a9f1079bd99dbc28ae2e16dabe4c #com.systerel.fr:5000/c838/cyberwatch:1.0
  needs: []
  script:
    - python3 -m pip install conan==1.62.0
    - apt install sqlite3 -y
    - conan remote add gitlab ${CI_API_V4_URL}/projects/$CI_PROJECT_ID/packages/conan
    - conan user ci_user -r gitlab -p ${CI_JOB_TOKEN}
    - export LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib:/usr/local/bin
    - conan lock create conanfile.py -s compiler='gcc' -s compiler.version=12 -s compiler.libcxx=libstdc++
    - if [ ! -e sbom.json ]; then touch sbom.json; fi
    - trivy fs --format cyclonedx --output sbom.json --insecure .
  artifacts:
    when: on_success
    expire_in: "1 week"
    paths:
      - "sbom.json"
  rules:
    - changes:
        compare_to: master
        paths:
          - conanfile.py
    - if: "$SCAN_SBOM != null"

# Look for vulnerabilities in the dependencies of the SBOM generated in the generate_sbom job.
scan_sbom:
  stage: test
  image: com.systerel.fr:5000/c838/cyberwatch@sha256:5cedde187768011d0bc096116d453415c8b4a9f1079bd99dbc28ae2e16dabe4c #com.systerel.fr:5000/c838/cyberwatch:1.0
  needs:
    - job: generate_sbom
  script:
    - trivy sbom sbom.json --severity HIGH,CRITICAL  --exit-code 1 --insecure --output vulnerabilities_table.txt
  artifacts:
    when: on_failure
    expire_in: "1 month"
    paths:
      - "vulnerabilities_table.txt"
  rules:
    - changes:
        compare_to: master
        paths:
          - conanfile.py
    - if: "$SCAN_SBOM != null"


#Look for exposed secrets as well as vulnerabilities in the dependencies.
scan_repository:
  stage: test
  image: com.systerel.fr:5000/c838/cyberwatch@sha256:5cedde187768011d0bc096116d453415c8b4a9f1079bd99dbc28ae2e16dabe4c #com.systerel.fr:5000/c838/cyberwatch:1.0
  script:
    - trivy --severity HIGH,CRITICAL  --exit-code 1 --insecure repo . --skip-dirs samples #ignore due to the use of PKCS#8 format for keys
  rules:
    - if: "$SCAN_SBOM != null"


###
# Test others jobs
###
# test-zephyr:
#   <<: *zephyr_job
#   stage: test-others
#   image: registry.gitlab.com/systerel/s2opc/test@sha256:8fbec254f6b8c8467b780d407c6f3c2e87d87899e141b8b2c9013ba30b4f0c8d # digest of test:2.16
#   needs : [build-zephyr]
#   script:
#     - "./samples/embedded/platform_dep/zephyr/ci/test-embedded.sh"
#   variables:
#     <<: *nominal_test_variables
#   rules: # run the task only if Zephyr samples have been compiled
#     - if: "$CROSS_COMPILE != null || $ALL_BUILDS != null || $CI_PIPELINE_SOURCE == 'merge_request_event' || $CI_COMMIT_TAG"
#       when: on_success

##
# Windows native build and tests (done in "build-others" stage)
##

windows-appveyor:
  stage: build-others
  image: cicirello/pyaction@sha256:1e61034d26988094c92b629bf1d5f2027bc0659a347f31653ae405a7b05f97ae # digest of cicirello/pyaction:v4.25.0
  needs: []
  script:
    - 'curl -H "Authorization: Bearer $APPVEYOR_TOKEN" -H "Content-Type: application/json" --request POST -d ''{"accountName" : "Systerel", "projectSlug": "s2opc", "branch": "''$CI_COMMIT_REF_NAME''"}'' https://ci.appveyor.com/api/builds'
  rules:
    - if: "$ALL_BUILDS != null || $WINDOWS_TEST != null && $WINDOWS_ARTIFACTS == null || $CI_COMMIT_TAG || \
           $CI_COMMIT_BRANCH == 'master' && $ALL_TESTS == null && \
           $GEN_PROOF_OBLIGATIONS == null && $TEST_NETWORK_FUZZ == null && \
           $WITH_COVERITY == null && $WITH_COVERAGE == null && \
           $NO_ASAN == null && $NO_GEN == null && \
           $S2OPC_PUBSUB_ONLY == null && $S2OPC_CLIENTSERVER_ONLY == null" # Avoid to run job on master for all nightly build except ALL_BUILDS
      when: always # run even if previous job in pipeline failed

windows-appveyor-artifacts:
  stage: build-others
  image: jgoclawski/wget@sha256:91f5c29895af6d2030280b1423ddf64c40133a7fe24eb9a880c3972fd0a9d803 # digest of jgoclawski/wget:1.0
  script:
    - wget https://ci.appveyor.com/api/projects/Systerel/S2OPC/artifacts/build/Binaries.zip?branch=${CI_COMMIT_BRANCH} -O Binaries.zip
    - wget https://ci.appveyor.com/api/projects/Systerel/S2OPC/artifacts/build/Libraries.zip?branch=${CI_COMMIT_BRANCH} -O Libraries.zip
    - wget https://ci.appveyor.com/api/projects/Systerel/S2OPC/artifacts/DLL_build.zip?branch=${CI_COMMIT_BRANCH} -O DLL_build.zip
  rules:
    - if: "$WINDOWS_TEST != null && $WINDOWS_ARTIFACTS != null"
  artifacts:
    name: 'windows-artifacts-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - '*.zip'
    expire_in: '1 week'

###
# Analysis jobs
###

coverage-analysis:
  stage: analyses
  image: registry.gitlab.com/systerel/s2opc/test@sha256:8fbec254f6b8c8467b780d407c6f3c2e87d87899e141b8b2c9013ba30b4f0c8d  # digest of test:2.16
  script:
    - ./.gen_coverage.sh
  artifacts:
    name: 'coverage-report-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - 'report'
    expire_in: '1 week'
  rules:
    - if: "$WITH_COVERAGE != null"

###
# Documentation generation and publication
###

# The job name must be "pages", and the html must be in "public/" and put in an artifact.
pages:
  <<: *build_linux
  stage: doc
  dependencies: []
  rules:
    - if: "$WITH_DOC != null"
    - if: "$CI_PIPELINE_SOURCE == 'push' && $CI_COMMIT_BRANCH == 'master'"
  variables:
    <<: *build_linux_variables
  script:
    - mkdir $BUILD_DIR
    - cd $BUILD_DIR
    # PyS2OPC relies on subscriptions
    - cmake -DS2OPC_NODE_MANAGEMENT=yes -DS2OPC_EVENT_MANAGEMENT=yes -DWITH_PYS2OPC=yes ..
    - cmake --build . --target doc
    - mv apidoc/html ../public/
  artifacts:
    paths:
    - public
    expire_in: 30 days

check_doc:
  <<: *build_linux
  stage: doc
  script:
    - cd $BUILD_DIR
    - cmake --build . --target doc &> doc.log
    - test $(grep -c 'warning:' doc.log) -eq 0
  variables:
    <<: *build_linux_variables
  artifacts:
    name: 'check_doc-results-${CI_COMMIT_REF_SLUG}_${CI_COMMIT_SHA}_job${CI_JOB_ID}'
    paths:
      - '$BUILD_DIR/doc.log'
    expire_in: '1 week'
    when: on_failure
  rules:
   - if: "$ALL_BUILDS != null || $ALL_TESTS != null || $CI_PIPELINE_SOURCE == 'merge_request_event'"
     when: on_success