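---
# Drone CI pipeline: build and test the .NET solution, build and push the
# container image to the Nexus registry, scan the pushed image with Trivy,
# then deploy it to the UAT host over SSH.
kind: pipeline
type: docker
name: cicd-pipeline

# Let Drone handle the clone automatically; it's faster and cleaner.
clone:
  depth: 1

steps:
  - name: build-test-publish
    image: mcr.microsoft.com/dotnet/sdk:10.0
    commands:
      - >-
        dotnet restore
        --source https://nexus.khongisa.co.za/repository/nuget-group/index.json
        --no-cache
      - dotnet build --configuration Release --no-restore
      - dotnet test --configuration Release --no-build
      - dotnet publish --configuration Release --no-build

  # --- PACKAGE STAGE ---
  # Dry-run build: checks that the image builds, without pushing it.
  # NOTE(review): each step runs in its own container, so the image built
  # here is presumably not available to later steps; the scan below pulls
  # the pushed image from the registry instead.
  # NOTE(review): plugins/docker is referenced without a tag, so the plugin
  # that receives the registry credentials can change between runs. Pin it
  # to a reviewed version or digest.
  - name: docker-build
    image: plugins/docker
    settings:
      registry: nexus.khongisa.co.za
      repo: nexus.khongisa.co.za/webapitest
      tags:
        - "${DRONE_BUILD_NUMBER}"
        - "latest"
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password
      dry_run: true

  # The push happens BEFORE the scan, so a failed scan blocks the deploy
  # step but not publication: both tags, including the mutable "latest",
  # are already in the registry. Consumers should pull the build-number
  # tag of a build whose scan passed.
  - name: docker-push
    image: plugins/docker
    settings:
      registry: nexus.khongisa.co.za
      repo: nexus.khongisa.co.za/webapitest
      tags:
        - "${DRONE_BUILD_NUMBER}"
        - "latest"
      username:
        from_secret: docker_username
      password:
        from_secret: docker_password

  - name: vulnerability-scan
    image: aquasec/trivy:0.50.1
    environment:
      # Trivy needs these to pull the image from your Nexus to scan it
      TRIVY_USERNAME:
        from_secret: docker_username
      TRIVY_PASSWORD:
        from_secret: docker_password
    commands:
      # Fails the pipeline on CRITICAL findings only; HIGH and lower do not
      # gate the deploy.
      - >-
        trivy image --exit-code 1 --severity CRITICAL
        nexus.khongisa.co.za/webapitest:${DRONE_BUILD_NUMBER}

  # --- DEPLOY STAGE ---
  # NOTE(review): appleboy/drone-ssh is also untagged; pin it as well.
  - name: deploy-uat
    image: appleboy/drone-ssh
    environment:
      DOCKER_USERNAME:
        from_secret: docker_username
      DOCKER_PASSWORD:
        from_secret: docker_password
    settings:
      host:
        from_secret: ssh_host
      username:
        from_secret: ssh_user
      password:
        from_secret: ssh_password
      # Step-level environment variables stay in the plugin container; the
      # plugin forwards only the ones listed here to the remote shell.
      # Without this list the docker login below would see empty values.
      # NOTE(review): confirm the expected name casing for the plugin
      # version in use.
      envs:
        - DOCKER_USERNAME
        - DOCKER_PASSWORD
      script:
        # Login to Nexus on the remote server
        - 'echo "$DOCKER_PASSWORD" | docker login nexus.khongisa.co.za -u "$DOCKER_USERNAME" --password-stdin'
        # Pull the exact tag that was scanned above, not the mutable
        # "latest", which another build may have replaced in the meantime.
        - docker pull nexus.khongisa.co.za/webapitest:${DRONE_BUILD_NUMBER}
        # Standard Linux cleanup
        - docker stop webapi 2>/dev/null || true
        - docker rm webapi 2>/dev/null || true
        # NOTE(review): ASPNETCORE_ENVIRONMENT=Development on a shared UAT
        # host typically enables detailed error pages; confirm this is
        # intended before the host is reachable by anyone but the team.
        - >-
          docker run -d --name webapi --restart unless-stopped
          -e ASPNETCORE_ENVIRONMENT=Development
          -p 4000:8081
          nexus.khongisa.co.za/webapitest:${DRONE_BUILD_NUMBER}

# Every event except "promote" runs the full pipeline, push and deploy
# included.
# NOTE(review): if pull_request builds are enabled for this repository,
# consider restricting docker-push and deploy-uat with a `when` condition
# so unreviewed branches cannot publish or deploy.
trigger:
  event:
    exclude:
      - promote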