.gitlab-ci.yml

# Note: Base image is built manually using docker/build-base-image.sh
# This avoids complex CI Docker builds and allows local debugging

default:
  image: python:3.13-alpine
  cache:
    paths:
      - .pip-cache/
  before_script:
    - python3 --version
    - pip install --upgrade pip --break-system-packages
    - pip install build twine PyYAML --break-system-packages

stages:
  - sync
  - security
  - test
  - build
  - publish

variables:
  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.pip-cache"
  # Use manually built base image (built with docker/build-base-image.sh)
  DOCKER_IMAGE: registry.rm-rf.ch/world/openssl_encrypt/python-liboqs:3.13-alpine
  DOCS_ONLY: "false"


sync-wiki:
  stage: sync
  image: alpine:latest
  before_script:
    - apk add --no-cache git
  script:
    - git clone https://oauth2:${PROJECT_ACCESS_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.wiki.git wiki
    - cp -r openssl_encrypt/docs/* wiki/
    - cp README.md wiki/home.md
    - cd wiki
    - git config --global user.email "pipeline@rm-rf.ch"
    - git config --global user.name "GitLab Pipeline"
    - git add .
    - git diff-index --quiet HEAD || git commit -m "Update wiki from docs folder"
    - git push
 #   - git remote add github git@github.com:jahlives/openssl_encrypt.wiki.git || true
 #   - git push github master:master --force
  rules:
    - if: $CI_COMMIT_BRANCH == "main"
    - if: $CI_COMMIT_BRANCH == "release"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/
    - if: $CI_COMMIT_TAG
    - if: $CI_COMMIT_BRANCH == "dev"
      when: manual
      allow_failure: true

# Dependency security scanning
dependency-scan:
  stage: security
  image: python:3.13
  script:
    - pip install pip-audit bandit
    # Use custom script that handles dependency scanning and GitLab report generation
    - python scripts/gitlab_dependency_scan.py
    # Display results for visibility in logs
    - echo "=== Production Dependencies Scan ==="
    - cat pip-audit-prod-results.json || echo "No production scan results available"
    - echo "=== Development Dependencies Scan ==="
    - cat pip-audit-dev-results.json || echo "No development scan results available"
    - echo "=== GitLab Dependency Scanning Report ==="
    - cat gl-dependency-scanning-report.json || echo "No report available"
  artifacts:
    reports:
      dependency_scanning: gl-dependency-scanning-report.json
    paths:
      - gl-dependency-scanning-report.json
      - pip-audit-prod-results.json
      - pip-audit-dev-results.json
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

# Python code security scanning with Bandit
code-security-scan:
  stage: security
  image: python:3.13
  before_script:
    - pip install bandit[toml]
  script:
    # Run bandit with comprehensive security checks
    - bandit -r openssl_encrypt/ -c .bandit.yaml -f json -o gl-sast-report.json || true
    - bandit -r openssl_encrypt/ -c .bandit.yaml -f txt || true  # Display results in terminal
    - echo "=== Bandit Security Scan Results ==="
    - cat gl-sast-report.json | python -m json.tool | head -50 || echo "No issues found"
  artifacts:
    reports:
      sast: gl-sast-report.json
    paths:
      - gl-sast-report.json
    expire_in: 1 week
  allow_failure: true
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "nightly" && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

# Code quality analysis with Pylint
code-quality-scan:
  stage: security
  image: python:3.13
  before_script:
    - pip install pylint pylint-json2html
    - pip install -r requirements-prod.txt  # Install dependencies for import analysis
  script:
    # Run pylint with detailed analysis
    - pylint openssl_encrypt/ --output-format=json:pylint-report.json,text:pylint-report.txt,colorized || true
    - echo "=== Pylint Code Quality Results ==="
    - cat pylint-report.txt | head -50 || echo "No issues found"
    # Generate HTML report for better visualization
    - pylint-json2html -o pylint-report.html pylint-report.json || true
  artifacts:
    paths:
      - pylint-report.json
      - pylint-report.txt
      - pylint-report.html
    expire_in: 1 week
  allow_failure: true
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "nightly" && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

# Type checking with MyPy
type-checking:
  stage: security
  image: python:3.13
  before_script:
    - pip install mypy types-PyYAML types-requests
    - pip install -r requirements-prod.txt  # Install dependencies for type checking
  script:
    # Run mypy type checking
    - mypy openssl_encrypt/ --config-file mypy.ini --txt-report mypy-report --html-report mypy-html || true
    - echo "=== MyPy Type Checking Results ==="
    - cat mypy-report/index.txt | head -30 || echo "No type issues found"
  artifacts:
    paths:
      - mypy-report/
      - mypy-html/
    expire_in: 1 week
  allow_failure: true
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "nightly" && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

# Advanced security scanning with Semgrep
semgrep-security-scan:
  stage: security
  image: python:3.13
  before_script:
    - pip install semgrep
  script:
    # Run Semgrep with security-focused rulesets
    - semgrep --config=auto --json --output=semgrep-report.json openssl_encrypt/ || true
    - semgrep --config=p/security-audit --json --output=semgrep-security.json openssl_encrypt/ || true
    - semgrep --config=p/python --json --output=semgrep-python.json openssl_encrypt/ || true
    - echo "=== Semgrep Security Scan Results ==="
    - cat semgrep-report.json | python -m json.tool | head -50 || echo "No issues found"
  artifacts:
    paths:
      - semgrep-report.json
      - semgrep-security.json
      - semgrep-python.json
    expire_in: 1 week
  allow_failure: true
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "nightly" && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

# Code complexity and maintainability analysis
code-complexity-scan:
  stage: security
  image: python:3.13
  before_script:
    - pip install radon xenon flake8 mccabe
  script:
    # Cyclomatic complexity analysis
    - radon cc openssl_encrypt/ -j > complexity-report.json || true
    - radon cc openssl_encrypt/ -s > complexity-report.txt || true
    # Maintainability index
    - radon mi openssl_encrypt/ -j > maintainability-report.json || true
    - radon mi openssl_encrypt/ -s > maintainability-report.txt || true
    # Halstead complexity metrics
    - radon hal openssl_encrypt/ -j > halstead-report.json || true
    # Raw metrics (lines of code, etc.)
    - radon raw openssl_encrypt/ -j > raw-metrics.json || true
    - echo "=== Code Complexity Analysis Results ==="
    - cat complexity-report.txt | head -30 || echo "No complexity issues found"
    - echo "=== Maintainability Index Results ==="
    - cat maintainability-report.txt | head -20 || echo "No maintainability issues found"
  artifacts:
    paths:
      - complexity-report.json
      - complexity-report.txt
      - maintainability-report.json
      - maintainability-report.txt
      - halstead-report.json
      - raw-metrics.json
    expire_in: 1 week
  allow_failure: true
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "nightly" && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

# Software Bill of Materials generation
sbom-generation:
  stage: security
  image: python:3.13
  before_script:
    - pip install cyclonedx-bom
  script:
    # cyclonedx-py command format uses positional arguments for requirements file
    - cyclonedx-py requirements requirements-prod.txt -o bom.json
    - python -c "import json; f = open('bom.json', 'r'); data = json.load(f); f.close(); print(json.dumps(data, indent=2))" | head -n 50  # Display first 50 lines as a preview
  allow_failure: true  # Allow job to succeed even if SBOM generation fails
  artifacts:
    paths:
      - bom.json
    expire_in: 1 week
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_PIPELINE_SOURCE == "merge_request_event" && $DOCS_ONLY != "true"

test:
  stage: test
  image: $DOCKER_IMAGE
  tags:
    - high-cpu  # Use the runner with most cores for faster test execution
  variables:
    PQC_QUIET: "true"  # Suppress PQC module initialization messages
  before_script:
    - pip install -r requirements.txt --break-system-packages
    - pip install setuptools pytest-xdist pytest-cov --break-system-packages  # Provides pkg_resources, parallel testing, and coverage
    # Build Threefish Rust extension
    - apk add --no-cache rust cargo patchelf
    - pip install maturin --break-system-packages
    - cd threefish_native && PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 maturin build --release && cd ..
    - pip install threefish_native/target/wheels/*.whl --break-system-packages
  script:
    - python3 -m pytest openssl_encrypt/unittests/ -n auto --dist=worksteal -v --durations=20 --cov=openssl_encrypt --cov-report=term --cov-report=html --cov-report=xml
  artifacts:
    reports:
      coverage_report:
        coverage_format: cobertura
        path: coverage.xml
    paths:
      - htmlcov/
      - coverage.xml
    expire_in: 1 week
  rules:
    # Run tests on dev, testing, and release branches, and for tags
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
      # Must succeed on release branch
      allow_failure: false
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
      # Must succeed on releases branches
      allow_failure: false
    - if: $CI_COMMIT_TAG && $DOCS_ONLY != "true"
  # Fallback configuration if the custom image is not available
  # This ensures the pipeline still works if the image hasn't been built yet
  retry:
    max: 2
    when:
      - runner_system_failure
      - script_failure

# Fallback test job that builds liboqs from scratch
# This runs only if the main test job fails, typically due to missing image
test-fallback:
  stage: test
  image: python:3.13-alpine
  tags:
    - high-cpu  # Use the runner with most cores for faster test execution
  variables:
    PQC_QUIET: "true"  # Suppress PQC module initialization messages
  before_script:
    - pip install -r requirements.txt --break-system-packages
    - pip install pytest pytest-xdist pytest-cov pytest-order setuptools --break-system-packages  # setuptools provides pkg_resources, parallel testing, and coverage
    # Explicitly pin cryptography version to match the tests
    # Install dependencies for building liboqs and Threefish (Alpine Linux packages)
    - apk add git gcc g++ cmake ninja make go python3-dev openssl-dev musl-dev rust cargo patchelf
    # Clone liboqs repository with submodules
    - git clone --recurse-submodules https://github.com/open-quantum-safe/liboqs.git
    # Build and install liboqs
    - cd liboqs
    - mkdir build && cd build
    - cmake -GNinja -DCMAKE_INSTALL_PREFIX=/usr/local ..
    - ninja
    - ninja install
    # Return to project root directory
    - cd $CI_PROJECT_DIR
    # Install liboqs Python bindings
    - pip install --user git+https://github.com/open-quantum-safe/liboqs-python.git
    # Build Threefish Rust extension
    - pip install maturin --break-system-packages
    - cd threefish_native && PYO3_USE_ABI3_FORWARD_COMPATIBILITY=1 maturin build --release && cd ..
    - pip install threefish_native/target/wheels/*.whl --break-system-packages
  script:
    - python3 -m pytest openssl_encrypt/unittests/ -n auto --dist=worksteal -v --durations=20 --cov=openssl_encrypt --cov-report=term --cov-report=html --cov-report=xml
  rules:
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"
      when: on_failure
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
      when: on_failure
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
      when: on_failure
      # Must succeed on release branch
      allow_failure: false
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
      when: on_failure
      # Must succeed on releases branches
      allow_failure: false
    - if: $CI_COMMIT_TAG && $DOCS_ONLY != "true"
      when: on_failure


build:
  stage: build
  needs:
    - job: test
      optional: true
  script:
    - python3 -m build
  artifacts:
    paths:
      - dist/
  rules:
    - if: $CI_COMMIT_TAG && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "main" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "release" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "testing" && $DOCS_ONLY != "true"
    - if: $CI_COMMIT_BRANCH == "dev" && $DOCS_ONLY != "true"


publish:
  stage: publish
  tags:
    - amd64  # Exclude arm64-builder, use amd64 runners
  needs:
    - job: build
      artifacts: true
  script:
    - pip install --upgrade twine --break-system-packages
    - echo "Attempting to publish with CI_JOB_TOKEN..."
    - TWINE_PASSWORD=${PROJECT_ACCESS_TOKEN} TWINE_USERNAME=oauth2 python3 -m twine upload --verbose --repository-url "https://${MY_GITLAB_PYPI}/api/v4/projects/2/packages/pypi" dist/*
  rules:
    - if: $CI_COMMIT_TAG && $DOCS_ONLY != "true"
      when: manual
      allow_failure: true
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
      when: manual
      allow_failure: true

publish-pypi-test:
  stage: publish
  image: python:3.13-alpine
  tags:
    - amd64  # Exclude arm64-builder, use amd64 runners
  needs:
    - job: build
      artifacts: true
  script:
    - pip install build twine --break-system-packages
    - TWINE_PASSWORD=${PYPI_API_TOKEN} TWINE_USERNAME=__token__ python3 -m twine upload --repository-url https://test.pypi.org/legacy/ dist/*
  rules:
    - if: $CI_COMMIT_TAG && $DOCS_ONLY != "true"
      when: manual
      allow_failure: true
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
      when: manual
      allow_failure: true

publish-pypi-prod:
  stage: publish
  image: python:3.13-alpine
  tags:
    - amd64  # Exclude arm64-builder, use amd64 runners
  needs:
    - job: build
      artifacts: true
  script:
    - pip install build twine --break-system-packages
    - TWINE_PASSWORD=${PYPI_API_TOKEN_PROD} TWINE_USERNAME=__token__ python3 -m twine upload dist/*
  rules:
    - if: $CI_COMMIT_TAG && $DOCS_ONLY != "true"
      when: manual
      allow_failure: true
    - if: $CI_COMMIT_BRANCH =~ /^releases\/.*/ && $DOCS_ONLY != "true"
      when: manual
      allow_failure: true

mirror-github:
  stage: publish
  image: alpine:latest
  before_script:
    - apk add --no-cache git
  script:
    - git config --global user.email "jahlives@rm-rf.ch"
    - git config --global user.name "GitLab Pipeline"
    - git remote add github https://x-access-token:${GITHUB_TOKEN}@github.com/jahlives/openssl_encrypt.git || true
    # Release Branch pushen
    - git push github ${CI_COMMIT_BRANCH}:${CI_COMMIT_BRANCH} --force
    # Als main setzen (neuester Release)
    - git push github ${CI_COMMIT_BRANCH}:main --force
    # Tag pushen falls vorhanden
    - if [ -n "$CI_COMMIT_TAG" ]; then git push github ${CI_COMMIT_TAG}; fi
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^releases\/[0-9]+\.[0-9]+\.[0-9]+$/
      when: manual
      allow_failure: true
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+$/
      when: manual
      allow_failure: true

# ==================== Flatpak Build Jobs ====================

flatpak-build:
  stage: build
  image: fedora:latest
  tags:
    - flatpak-builder
  variables:
    FLATPAK_BUILDER_CACHE: "$CI_PROJECT_DIR/flatpak/.flatpak-builder"
  cache:
    - key: flatpak-downloads-${CI_COMMIT_REF_SLUG}
      paths:
        - flatpak/.flatpak-builder/
      policy: pull-push
    - key: flatpak-repo-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA}
      paths:
        - flatpak/repo/
      policy: push
  before_script:
    - dnf install -y flatpak flatpak-builder git xz unzip which
    - dnf install -y clang cmake ninja-build gtk3-devel
    - git clone https://github.com/flutter/flutter.git -b stable --depth 1 /opt/flutter
    - export PATH="$PATH:/opt/flutter/bin"
    - flutter precache --linux
    - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    - flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08
    - flatpak install -y flathub org.freedesktop.Sdk.Extension.rust-stable//24.08
  script:
    # Extract version from setup.py to use as flatpak branch
    - export FLATPAK_BRANCH=$(grep '^VERSION = ' setup.py | cut -d '"' -f 2)
    - echo "Using version from setup.py as flatpak branch - $FLATPAK_BRANCH"
    - cd desktop_gui
    - flutter pub get
    - flutter build linux --release
    - cd ..
    - cd flatpak
    - ./build-flatpak.sh --build-flutter
  rules:
    - if: $CI_COMMIT_BRANCH =~ /^releases\//
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+/

flatpak-build:clean:
  extends: flatpak-build
  cache: {}  # Disable cache
  script:
    # Extract version from setup.py to use as flatpak branch
    - export FLATPAK_BRANCH=$(grep '^VERSION = ' setup.py | cut -d '"' -f 2)
    - echo "Using version from setup.py as flatpak branch - $FLATPAK_BRANCH"
    - cd desktop_gui
    - flutter clean
    - flutter pub get
    - flutter build linux --release
    - cd ..
    - cd flatpak
    - ./build-flatpak.sh --build-flutter --force
  rules:
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+/
      when: manual
      allow_failure: true
    - if: $CI_COMMIT_BRANCH =~ /^releases\//
      when: manual
      allow_failure: true

# ==================== Flatpak Publish Jobs ====================

flatpak-publish:
  stage: publish
  image: fedora:latest
  tags:
    - flatpak-builder
  variables:
    FLATPAK_REPO_PATH: /var/www/flatpak-repo
    LOCAL_REPO: /home/work/private/flatpak-shared-repo
  cache:
    - key: flatpak-repo-${CI_COMMIT_REF_SLUG}-${CI_COMMIT_SHA}
      paths:
        - flatpak/repo/
      policy: pull
  before_script:
    - dnf install -y flatpak flatpak-builder ostree gnupg2 rsync git
    - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    - flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08
    - flatpak install -y flathub org.freedesktop.Sdk.Extension.rust-stable//24.08
    - echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
    - gpg --list-secret-keys
  script:
    # Extract version from setup.py to use as flatpak branch
    - FLATPAK_BRANCH=$(grep '^VERSION = ' setup.py | cut -d '"' -f 2)
    - 'echo "Using version from setup.py as flatpak branch: $FLATPAK_BRANCH"'
    - cd flatpak
    # Use the cached repo from flatpak-build instead of rebuilding
    - |
      if [ -d "repo" ] && [ "$(ls -A repo)" ]; then
        echo "Using cached repo from flatpak-build job"
        rsync -avz repo/ "$LOCAL_REPO/"
      else
        echo "No cached repo found, building from scratch"
        flatpak-builder --disable-rofiles-fuse --repo="$LOCAL_REPO" --gpg-sign="$FLATPAK_GPG_KEY_ID" --default-branch="$FLATPAK_BRANCH" --force-clean build-dir com.opensslencrypt.OpenSSLEncrypt.json
      fi
    - ostree summary -u --repo="$LOCAL_REPO" --gpg-sign="$FLATPAK_GPG_KEY_ID"
    - flatpak build-update-repo --gpg-sign="$FLATPAK_GPG_KEY_ID" "$LOCAL_REPO"
    - echo "Syncing to server repository..."
    - rsync -avz "$LOCAL_REPO/objects/" "$FLATPAK_REPO_PATH/objects/"
    - rsync -avz "$LOCAL_REPO/refs/" "$FLATPAK_REPO_PATH/refs/"
    - rsync -avz "$LOCAL_REPO/summary"* "$FLATPAK_REPO_PATH/"
    - ostree summary -u --repo="$FLATPAK_REPO_PATH" --gpg-sign="$FLATPAK_GPG_KEY_ID"
    - flatpak build-update-repo --gpg-sign="$FLATPAK_GPG_KEY_ID" "$FLATPAK_REPO_PATH"
    - 'chown -R www-data:www-data "$FLATPAK_REPO_PATH" || echo "Warning: Could not set ownership (may require elevated privileges)"'
    - ./generate-flatpakrepo.sh
    - rsync -avz ./flathub/ "$FLATPAK_REPO_PATH/"
    - echo "Flatpak published successfully to $FLATPAK_REPO_PATH"
    - 'echo "Branch: $FLATPAK_BRANCH"'
  needs:
    - job: flatpak-build
      artifacts: false
  rules:
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+/
      when: manual
    - if: $CI_COMMIT_BRANCH =~ /^releases\//
      when: manual
      allow_failure: true

flatpak-publish:clean:
  extends: flatpak-publish
  needs: []
  before_script:
    - dnf install -y flatpak flatpak-builder ostree gnupg2 rsync git clang cmake ninja-build gtk3-devel unzip which
    - git clone https://github.com/flutter/flutter.git -b stable --depth 1 /opt/flutter
    - export PATH="$PATH:/opt/flutter/bin"
    - flutter precache --linux
    - flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
    - flatpak install -y flathub org.freedesktop.Platform//24.08 org.freedesktop.Sdk//24.08
    - flatpak install -y flathub org.freedesktop.Sdk.Extension.rust-stable//24.08
    - echo "$FLATPAK_GPG_PRIVATE_KEY" | base64 -d | gpg --batch --import
  script:
    # Extract version from setup.py to use as flatpak branch
    - FLATPAK_BRANCH=$(grep '^VERSION = ' setup.py | cut -d '"' -f 2)
    - 'echo "Using version from setup.py as flatpak branch: $FLATPAK_BRANCH"'
    - cd desktop_gui
    - flutter clean
    - flutter pub get
    - flutter build linux --release
    - cd ../flatpak
    - rm -rf build-dir .flatpak-builder
    - flatpak-builder --disable-rofiles-fuse --repo="$LOCAL_REPO" --gpg-sign="$FLATPAK_GPG_KEY_ID" --default-branch="$FLATPAK_BRANCH" --force-clean build-dir com.opensslencrypt.OpenSSLEncrypt.json
    - ostree summary -u --repo="$LOCAL_REPO" --gpg-sign="$FLATPAK_GPG_KEY_ID"
    - flatpak build-update-repo --gpg-sign="$FLATPAK_GPG_KEY_ID" "$LOCAL_REPO"
    - echo "Syncing to server repository..."
    - rsync -avz "$LOCAL_REPO/objects/" "$FLATPAK_REPO_PATH/objects/"
    - rsync -avz "$LOCAL_REPO/refs/" "$FLATPAK_REPO_PATH/refs/"
    - rsync -avz "$LOCAL_REPO/summary"* "$FLATPAK_REPO_PATH/"
    - ostree summary -u --repo="$FLATPAK_REPO_PATH" --gpg-sign="$FLATPAK_GPG_KEY_ID"
    - flatpak build-update-repo --gpg-sign="$FLATPAK_GPG_KEY_ID" "$FLATPAK_REPO_PATH"
    - 'chown -R www-data:www-data "$FLATPAK_REPO_PATH" || echo "Warning: Could not set ownership (may require elevated privileges)"'
    - ./generate-flatpakrepo.sh
    - rsync -avz ./flathub/ "$FLATPAK_REPO_PATH/"
    - echo "Flatpak published successfully to $FLATPAK_REPO_PATH"
    - 'echo "Branch: $FLATPAK_BRANCH"'
  rules:
    - if: $CI_COMMIT_TAG =~ /^v[0-9]+\.[0-9]+\.[0-9]+/
      when: manual
      allow_failure: true
    - if: $CI_COMMIT_BRANCH =~ /^releases\//
      when: manual
      allow_failure: true