workflow:
  rules:
    - if: $CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS && $CI_PIPELINE_SOURCE == "push"
      when: never
    - if: "$CI_COMMIT_TAG"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: "$CI_COMMIT_BRANCH && $CI_OPEN_MERGE_REQUESTS"
      when: never
    - if: "$CI_COMMIT_BRANCH"

stages:
  - base-images
  - build

variables:
  DOCKER_HOST: tcp://docker:2376
  DOCKER_TLS_CERTDIR: /certs
  DOCKER_TLS_VERIFY: 1
  DOCKER_CERT_PATH: $DOCKER_TLS_CERTDIR/client
  RUST_LOG_STYLE: always
  BB_SIGNING_DRIVER: sigstore
  CLICOLOR_FORCE: 1
  TAG: main

.build:
  services:
    - docker:dind
  interruptible: true
  image: ghcr.io/blue-build/cli:$TAG
  before_script:
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
    - export COSIGN_PRIVATE_KEY=$(cat .secure_files/cosign.key)
    - sleep 5
  script:
    - bluebuild build "./recipes/${RECIPE}"

base-images:
  extends:
    - .build
  stage: base-images
  parallel:
    matrix:
      - RECIPE:
          - base-kinoite.yml
          - base-cosmic.yml
          - base-kinoite-nvidia.yml
          - base-cosmic-nvidia.yml
        # TAG: 519-device-or-resource-busy-when-trying-to-rechunk-the-image-in-gitlab-ci
        BB_BUILD_PUSH: 'true'
        BB_CACHE_LAYERS: 'true'
        # BB_BUILD_RECHUNK: 'true'

build-image:
  extends:
    - .build
  stage: build
  needs:
    - base-images
  parallel:
    matrix:
      - RECIPE:
          - cp-laptop.yml
          - jp-desktop-nvidia.yml
          - wke-server.yml
          - wke-worker.yml
          - jp-laptop.yml
        BB_CACHE_LAYERS: 'true'
        BB_BUILD_PUSH: 'true'